Certificate lifespan will be reduced to 200 days from next year.
Members of the CA/Browser Forum have voted on a proposal to mandate 47-day TLS certificate lifespans by 2029.
This proposal would gradually reduce the lifespan of certificates over the next four years from its current 398-day lifespan to 47 days in March 2029, reports Bleeping Computer. With 25 votes for and none against, the CA/Browser Forum has now ruled to shorten the lifespan as follows:
From March 15, 2026, certificate lifespan and DCV will be reduced to 200 days
From March 15, 2027, certificate lifespan and DCV will be reduced to 100 days
From March 15, 2029, the certificate lifespan will be reduced to 47 days and DCV to 10 days
The goal is to encourage companies and developers to utilise automation to renew and rotate TLS certificates, and remove outdated certificate data and deprecated cryptographic algorithms.
Renewal Cycles
Dean Coclin, senior director of digital trust at DigiCert, said the change is a big deal, as It dramatically shortens certificate renewal cycles and organisations will need to reissue certificates with much greater frequency or face disruptions.
“This change won’t be seamless—it will require organisations to rethink their approach to certificate lifecycle management,” he said. “With the 200-day rule on the near horizon and the 47-day mandate expected by March 2029, now is the time for businesses to begin auditing their environments, implementing automation, and ensuring systems are prepared for more frequent renewals.
“Success will depend on crypto-agility and treating digital trust as a dynamic, continuously evolving strategy—not a set-it-and-forget-it task.”
The announcement follows Apple’s 2024 motion to improve certificate agility and minimise misuse.
Also, 2029 is also the year Gartner predicts all organisations must be quantum-ready—an overlap that raises urgent questions about how enterprises are managing cryptographic agility and digital trust at scale.
Written by
Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.
