May 2026 - Domains | Security | Email Marketing

Shorter Digital Certificates Duration: What the 47-Days Rule Means for Businesses

Christophe Gérard, Product & Marketing Director at Nameshield, explains how shorter TLS certificate lifespans will reshape certificate management.


A Rapidly Evolving Certificate Market 

The market for SSL and TLS certificates has undergone remarkable changes over the past decade. 

The number of digital certificates has grown 100 times over the past decade, up to 300 million valid certificates, with up to ten million certificates now issued daily. HTTPS has evolved from a special case to the standard: according to the Google Transparency Report, 99% of the traffic in the Chrome browser is now fully encrypted.

This development has been driven by advancing digitalization, increased security requirements, and a growing number of connected devices in the IoT environment. This trend is also reflected economically: various market research reports anticipate significant growth in the global SSL/TLS market in the coming years – estimates vary considerably depending on the definition of the market segment. 

 

As of March 15, 2026, the maximum validity period of TLS certificates has been reduced to 200 days – a first step toward 47 days by March 2029, marking a paradigm shift away from static trust models toward continuous, automated trust validation. To help companies navigate this transformation, Nameshield – an experienced registrar and specialist in digital security solutions – recently hosted a webinar outlining the concrete implications of shorter certificate lifespans and actionable strategies for automation and Certificate Lifecycle Management (CLM). The following article summarizes the key insights and explains why businesses should act now. 

Who Sets the Rules: CA/Browser Forum, CAs, and Browser Vendors 

The certificate market is organized and regulated at an international level. A central authority is the CA/Browser Forum, which has been setting binding minimum standards – the so-called Baseline Requirements – for TLS, code-signing, and S/MIME certificates since 2005. Certification Authorities (CAs) implement these requirements in practice, while browser vendors decide which certificates to trust.

A few major players shape the direction of the industry 

In 1994, Netscape laid the groundwork with SSL 1.0, followed by TLS 1.0 in 1999. Encryption has been in the public spotlight at least since the Snowden revelations in 2013. 

Google made HTTPS a ranking factor in 2014 and, together with Mozilla, drove the widespread encryption of the web.  

The market power of these players remains evident today: in 2018, Google revoked its trust in the certificate provider Symantec; in 2020, Apple limited the maximum validity period of certificates to one year. In 2024, providers such as Entrust also lost the trust of major browser manufacturers. With the upcoming reduction to initially 200, then 100, and finally 47 days, Apple and Google are setting the pace for the entire industry. 

The timeline: From 398 to 47 days 

In April 2025, the CA/Browser Forum adopted a new resolution supported by major browsers and platform vendors, including Apple, Google, Mozilla, and Microsoft. Under this resolution, the maximum certificate validity period will gradually be reduced to 47 days, while the permissible reuse period for Domain Control Validation (DCV) data is set to be shortened to 10 days. 

The specific timetable for the coming years contains two key points: 

  1. Certificate duration will be reduced:

  • Since March 15, 2026: reduction to 200 days
  • Starting March 15, 2027: reduction to 100 days
  • Starting March 15, 2029: reduction to 47 days

  2. The reuse period for DCV data will be shortened to 10 days starting in 2029, which implies control of DNS.

Why shorter validity periods?  

The logic behind the reduction is clear from a security perspective: more frequent key rotations limit how long compromised or outdated cryptographic methods can remain in use undetected. This also forces companies to verify identities more regularly. 

In operational practice though, this means a significant increase in workload. Instead of an annual renewal, up to eight reissues per certificate per year will be required starting in 2029. Domains will eventually need to be revalidated every ten days. Organizational validation itself generally remains annual. 
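The timeline and the renewal load described above can be checked against a certificate inventory. The following Python code is an added example, not part of the article or of any Nameshield product; it assumes day-granular lifetimes, a constructed sample certificate, and a hypothetical `margin_days` renewal policy.

```python
from datetime import date, timedelta

# Maximum TLS certificate validity by issuance date, taken from the article's
# timeline; 398 days is the starting point named in its "From 398 to 47 days".
SCHEDULE = [
    (date(2029, 3, 15), 47),
    (date(2027, 3, 15), 100),
    (date(2026, 3, 15), 200),
    (date.min, 398),
]

def max_validity(issued: date) -> int:
    """Limit in days for a certificate issued on `issued`."""
    return next(days for start, days in SCHEDULE if issued >= start)

def is_compliant(not_before: date, not_after: date) -> bool:
    """True if the lifetime fits the limit in force at issuance (day granularity)."""
    return (not_after - not_before).days <= max_validity(not_before)

def renewal_plan(not_after: date, horizon: date, margin_days: int = 0):
    """Simulate back-to-back renewals until `horizon`.

    Assumption: each renewal is issued `margin_days` before the current expiry
    and requests the longest lifetime allowed on its issuance date.
    """
    if not 0 <= margin_days < min(days for _, days in SCHEDULE):
        raise ValueError("margin must be shorter than the shortest lifetime")
    plan, issued = [], not_after - timedelta(days=margin_days)
    while issued < horizon:
        expires = issued + timedelta(days=max_validity(issued))
        plan.append((issued, expires))
        issued = expires - timedelta(days=margin_days)
    return plan

def issuances_per_year(plan) -> dict:
    """Count planned issuances per calendar year."""
    counts = {}
    for issued, _ in plan:
        counts[issued.year] = counts.get(issued.year, 0) + 1
    return counts

# Constructed inventory entry: a 398-day certificate issued before the first step.
CERT_NOT_BEFORE = date(2026, 1, 10)
CERT_NOT_AFTER = CERT_NOT_BEFORE + timedelta(days=398)

if __name__ == "__main__":
    plan = renewal_plan(CERT_NOT_AFTER, date(2031, 1, 1))
    print("current cert compliant:", is_compliant(CERT_NOT_BEFORE, CERT_NOT_AFTER))
    for year, count in sorted(issuances_per_year(plan).items()):
        print(year, count)
```

Renewing exactly at expiry, the sample certificate needs three issuances in 2027 and eight in 2030; any positive `margin_days` raises those counts further.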

Automation is a must: ACME and CLM 

At this frequency, it becomes evident: the complexity of certificate management has outgrown what human oversight alone can handle. In practice, two complementary approaches have become established. 

ACME (Automated Certificate Management Environment) is a standardized protocol that primarily automates domain validation and the issuance of public certificates. While well-suited for classic internet applications, it reaches its limits when it comes to internal certificates, devices such as load balancers, or topics like crypto-agility and governance. 

Certificate Lifecycle Management (CLM) takes a more holistic approach: discovery of existing certificates, centralized policy definition, multi-CA management, and control of different certificate types throughout the entire lifecycle. This also allows for addressing internal PKIs or preparing for post-quantum cryptography.

What companies must address now 

What is often underestimated in practice is that the challenge is twofold: technology and accountability go hand in hand. Automation is not just a convenience – it is a necessity to eliminate human error and ensure that no certificate is overlooked, expired, or mismanaged. 

At the scale that certificate management is heading toward, manual processes are no longer viable. Companies that fail to anticipate these changes will inevitably face expired certificates, service outages, compliance violations, and security breaches – consequences that are not only costly, but potentially fatal to business continuity and reputation. 

The timeline is set. The direction is clear. Automation is the only path forward. The deadlines are approaching. It is time to act now.

Nameshield supports organizations in building a resilient certificate infrastructure – combining registrar services, DNS management, CLM connectors, and multi-CA capabilities on a single platform. For companies looking to navigate this transition, having a trusted and experienced partner by their side can make the difference between a smooth migration and a costly one.  


📚 Citation:

Gérard, Christophe (June 2026). Shorter Digital Certificates Duration: What the 47-Days Rule Means for Businesses. dotmagazine. https://www.dotmagazine.online/issues/domains-email-user-trust/shorter-digital-certificates-duration

 

Christophe Gérard has been with Nameshield for 10 years. He leads the Product and Marketing teams, supporting customers in the management, protection, monitoring, and remediation of strategic domain names. His work focuses on digital security solutions that help organizations protect critical online assets.

 

Christophe Gérard of Nameshield explains in this dotmagazine article, published by eco – Association of the Internet Industry, that TLS certificate validity periods are being reduced in stages. This means businesses will need to renew and validate certificates more often than they do today.

In the article published in dotmagazine by eco – Association of the Internet Industry, Christophe Gérard of Nameshield links shorter certificate lifespans to stronger security and more regular validation. For businesses, the practical impact is that certificate management becomes a continuous operational task rather than an occasional administrative process.

Christophe Gérard of Nameshield argues in dotmagazine, published by eco – Association of the Internet Industry, that manual certificate management will become increasingly difficult as renewal cycles shorten. Automation helps reduce the risk of missed renewals, expired certificates, service outages, and avoidable security gaps.

In this dotmagazine article, published by eco – Association of the Internet Industry, Christophe Gérard of Nameshield explains that shorter certificate validity will also place more pressure on Domain Control Validation processes. If DCV data can only be reused for a shorter period, organizations will need tighter coordination between certificate management, DNS control, and operational accountability.

 

Please note: The opinions expressed in articles published by dotmagazine are those of the respective authors and do not necessarily reflect the views of the publisher, eco – Association of the Internet Industry.