DK Book demo Start free trial
47-day TLS certificates

47-Day TLS Certificates Are Coming — Here's How to Prepare

The CA/Browser Forum has voted unanimously to cut maximum TLS certificate lifetimes to 47 days by March 2029. For most organisations that means roughly an 8× increase in renewals — and the end of manual certificate management. Below: the timeline, what it costs you, and how to automate before it bites.

Start free trial See the platform

14-day free trial  ·  No credit card required  ·  EU hosted  ·  Dedicated instance per customer

The timeline

How TLS certificate lifetimes drop to 47 days

The reduction happens in three phases. Each one tightens the window that manual processes can survive.

March 2026 · 200-day maximum

The transition begins. Automation becomes the practical default.

March 2027 · 100-day maximum

Renewing by hand is already strained at this cadence.

March 2029 · 47-day maximum

Full enforcement. Every certificate renews roughly every six weeks.

Why it matters

Why 47-day certificates break manual certificate management

A shorter lifetime multiplies every renewal task you do today. At 47 days, spreadsheets and calendar reminders stop keeping up.

More renewals than today. 1,000 certificates becomes roughly 8,000 renewals a year.

~1,560 hrs

Manual renewal hours a year for just 100 certificates at 47-day lifetimes — roughly three-quarters of a full-time role.

0

Manual renewals needed once ACME automation is in place. The lifecycle runs itself.

What to do

How to prepare for 47-day certificates

The organisations that handle this well start now — while the cadence is still forgiving.

01

Build a complete inventory

You can't automate what you can't see. Discover every certificate first — internal and external, including the ones nobody is tracking.

02

Automate renewal with ACME

ACME removes the manual renewal step entirely. CertControl works as an ACME client or as an ACME Server (RFC 8555) for your internal server fleet — certbot, acme.sh, win-acme and Posh-ACME connect directly.

03

Shorten your alert lead times

A single alert 14 days out isn't enough at 47-day lifetimes. Layered, escalating alerts catch what one reminder misses.

04

Cover internal certificates too

Many certificate outages start on internal systems nobody was monitoring. An on-premise agent brings them into the same view.

05

Keep compliance documentation current

Shorter lifetimes mean more renewal events to evidence. Automated reports keep your NIS2 Article 21 documentation audit-ready.

One platform for all five

CertControl covers discovery, ACME renewal, layered alerting, internal-network scanning, and audit-ready reporting in a single dedicated instance. See certificate lifecycle management →

Frequently asked questions

47-day certificates — questions answered

What are 47-day certificates?

47-day certificates are TLS/SSL certificates with a maximum validity of 47 days, the limit the CA/Browser Forum has set to take effect by March 2029. Today's certificates can last up to 398 days, so this is a major reduction that sharply increases how often each certificate must be renewed.

When do 47-day certificates take effect?

The change is phased: a 200-day maximum from March 2026, 100 days from March 2027, and the final 47-day maximum from March 2029. The transition has already begun.

Why is the CA/Browser Forum reducing certificate lifetimes?

Shorter lifetimes limit the exposure window if a private key is compromised and reduce reliance on slow certificate revocation. They also push the industry toward automation, which is more reliable than manual renewal.

How do I prepare for 47-day certificates?

Build a complete certificate inventory, automate renewal with ACME, shorten and layer your expiry alerts, include internal certificates, and keep compliance documentation generated automatically. CertControl covers all five.

Do 47-day lifetimes apply to internal private certificates?

The 47-day limit applies to publicly trusted TLS certificates. Internal and private CA certificates aren't bound by the CA/Browser Forum rules, but many organisations align internal lifetimes with public ones to standardise on automation.

Related resources

Guides to 47-day certificates and renewal automation

Guide

How to Prepare for 47-Day Certificate Lifetimes

By 2029, TLS certificates will max out at 47 days.

Read the guide →
Guide

47-Day Certificate Lifetimes: The Real Organisational Cost in 2029

100 manually managed TLS certificates at 47-day lifetimes means roughly 1,560 renewal hours per year.

Read the guide →
Guide

ACME Server and ARI: Zero-Touch Certificate Renewal for Internal Servers

CertControl's built-in ACME Server (RFC 8555) and ARI (RFC 9773) automate TLS certificate renewal for internal server fleets.

Read the guide →
Guide

Manual vs Automated Certificate Management: Why the Difference Matters

Manual certificate management creates operational risk, compliance gaps, and avoidable outages.

Read the guide →
Guide

What Is Certificate Lifecycle Management? A Plain-Language Guide

Certificate lifecycle management (CLM) covers discovery, issuance, renewal, and revocation.

Read the guide →
Related pages
Certificate lifecycle management → TLS and SSL certificate monitoring → See the full CertControl platform →

Get ahead of 47-day certificates

Inventory every certificate and automate renewal before the cadence tightens. Full access for 14 days, no card required.

Start free trial Book demo