Navigating Apple’s proposal to shorten TLS certificate lifespans

It’s not a proposal anymore. The CA/Browser Forum recently held a unanimous 25–0 vote approving a policy that reduces the maximum validity period for public TLS certificates to just 47 days, starting March 2029. What began as Apple’s proposal is now an approved policy.

As one security engineer rightly put it, “Trust on the internet is no longer something you set and forget.” 

Before diving into the key details of this policy, let’s understand the purpose of reducing the certificate lifespans.  

Why is a shorter certificate lifespan preferred? 

Shorter-lived certificates shrink the window of opportunity for attackers to exploit a compromised key. If a certificate is stolen today, it expires sooner, leaving little room for misuse: the attacker’s window closes in weeks, not months. You also no longer have to lean on outdated revocation mechanisms, such as CRLs, to flag it.

Let’s break it down into the points below: 

  1. Reduced Risk Window

    Shorter certificate validity significantly limits the time frame in which a compromised or mis-issued certificate can be exploited. Whether it’s a leaked private key or a rogue certificate, the damage is contained to a much narrower window, minimizing long-term security impact.

  2. Security demands agility

    When certificate lifespans are shorter, it becomes easier to shift towards new security improvements, such as upgraded cryptographic algorithms or patched configurations. To put it simply, you can’t defend the future with yesterday’s encryption.

  3. Encourages Automation

    Manual certificate renewal doesn’t scale when certs expire every 47 or 90 days. Shorter lifespans push organizations to adopt automated Certificate Lifecycle Management (CLM) solutions, reducing human error and ensuring timely certificate lifecycle operations like issuance, renewal, and revocation.

  4. Future-Proofing Security

    With more frequent renewals, organizations can respond swiftly to evolving standards (like post-quantum cryptography) or emerging compliance mandates. Short-lived certs create a natural refresh cycle that supports cryptographic agility.

Key aspects of the 47-day validity period

Apple’s roadmap does not throw the industry into short-term chaos. Instead, it offers a phased, strategic reduction in TLS certificate validity, allowing organizations time to adapt while encouraging them to adopt automation and modern security practices. 

Here’s how the timeline unfolds: 

  • March 2026 → Certificate lifespan capped at 200 days
  • March 2027 → Reduced further to 100 days
  • March 2029 → Limited to just 47 days

But the transformation doesn’t stop there. 

Domain Control Validation (DCV), the mechanism used to prove domain ownership, is also tightening. By September 2027, the DCV reuse period will be slashed to 10 days. This means that instead of validating a domain once and reusing that validation for weeks, systems will need to reconfirm ownership every 10 days for new certificate issuances.

For those using Organization Validation (OV) or Extended Validation (EV) certificates, there is another critical update. Subject identity validation data reuse, which refers to the reuse of previously verified organizational details (such as your company’s legal name, registration number, address, and other identity attributes) during the issuance of OV and EV certificates, is also being restricted: 

  • Certificates issued on or before March 14, 2026: reuse allowed for 825 days
  • Certificates issued on or after March 15, 2026: reuse allowed for only 398 days

This means OV/EV users will be required to redo their organization validation once every 398 days, adding a new layer of ongoing compliance.

In short, this is more than just a change in numbers. It is a fundamental reset of how digital trust is issued, validated, and maintained on the internet. 

How does it impact your organization? 

This evolution puts organizations at a crossroads. On the one hand, it promises better security. On the other hand, it demands speed, automation, and new workflows. 

Here is what’s changing and why it matters. 

  • Increased renewal frequency

    TLS certificates will no longer be valid for more than a year. By 2029, they’ll expire every 47 days. This significantly reduces the window for attackers to exploit a stolen or misused certificate. But it also means your renewal process must be tight and fail-proof; there’s no margin for delay.

  • OV/EV revalidation every 398 days

    Due to approved changes in validation data reuse, organizations using OV or EV certificates must redo organizational validation every 398 days starting March 15, 2026. This introduces an administrative overhead that must be tracked and automated, or you risk delays and issuance failures.

  • Frequent DCV checks

    Domain Control Validation (DCV), which verifies domain ownership, must be performed every 10 days. This ensures certificates are only issued to those who genuinely control the domain, adding a critical layer of security. However, the overhead of doing this manually is exhausting, especially for organizations managing hundreds or thousands of domains.

  • Manual processes won’t scale

    Relying on spreadsheets, calendar reminders, or a few team members to track expirations and revalidations isn’t sustainable. In this high-frequency environment, manual certificate management is a liability, not a strategy.

  • Risk of outages increases

    Certificates are not just for websites; they secure APIs, microservices, VPNs, mobile apps, and more. A missed renewal or failed DCV can cause business-critical services to go dark. For enterprises, this could mean lost revenue, broken trust, and reputational damage.

Digital trust is now tied to agility. The days of “set it and forget it” are over. Organizations must evolve from static certificate management to automated, dynamic systems that can keep pace with modern threats.

How can organizations prepare for the Shift to Shorter TLS Certificate Lifespans?  

The move toward 47-day certificate lifespans isn’t just a policy update; it’s a fundamental shift in how digital trust is managed. And while 2029 may seem far off, the time to act is now. Organizations that begin adapting today will avoid scrambling tomorrow.

It’s not about being ready for 2029; it’s about proving you can do this today, every 47 days, without fail.

Here’s how to start preparing for the 47-day certificate validity shift: 

Build a Centralized Certificate Inventory

You can’t automate or secure what you can’t see. Many organizations have dozens, if not hundreds, of public TLS certificates spread across websites, APIs, VPNs, load balancers, and internal services. An expired certificate in any of these locations can cause serious outages, affect customers, or break internal operations.

Action plan:

  • Use discovery tools (e.g., Qualys SSL Labs, Censys, CLM platforms) to find certificates across your PKI environment.
  • Document certificate types (DV, OV, EV), issuing CAs, expiration dates, and responsible owners.
  • Create a centralized certificate inventory, a single pane of glass your teams can reference.

Implement Certificate Lifecycle Automation

As certificate lifespans shrink from 200 to 100 to 47 days, manual renewal becomes unsustainable. Teams will be overwhelmed trying to track, renew, validate, and deploy certs every few weeks.

Action plan:

  • For DV certificates: Use the ACME protocol with an ACME-capable CA (such as Let’s Encrypt or EJBCA) to automatically issue, renew, and deploy.
  • For SSL/TLS certificates: Invest in Certificate Lifecycle Management (CLM) platforms (e.g., CertSecure by Encryption Consulting).
  • Ensure the automation covers all certificate operations like request generation, CSR creation and signing, certificate deployment, and renewal or revocation cycles.
  • Integrate CLM tools with your DevOps or cloud infrastructure (e.g., Ansible, Terraform, Jenkins).

Rework DCV and Validation Workflows

Today, you can reuse DCV (Domain Control Validation) for more than 30 days. By September 2027, that window drops to 10 days, meaning certificates issued after that will require fresh domain validation far more frequently.

Action plan:

  • Use ACME clients to automate DNS-based or HTTP-based DCV (via TXT records or web server tokens).
  • Pre-validate domains via your CA to reduce real-time overhead.
  • Plan DCV rotation for wildcard and multi-SAN certs.
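To see what an ACME client actually computes for the DNS-based and HTTP-based DCV methods mentioned above, here is an added example (not code from the post or from any CLM product) that derives the http-01 response and the dns-01 TXT value from a challenge token and the ACME account key, following RFC 8555 and RFC 7638. The account key coordinates and the token are constructed placeholders, not real key material or a real challenge.

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    """base64url without '=' padding, as ACME (RFC 8555) and JOSE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the required members only, keys sorted, no whitespace.
    Extra members such as 'kid' or 'use' must not change the result."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint of the ACME account key."""
    return f"{token}.{jwk_thumbprint(jwk)}"

def http01_response(token: str, jwk: dict) -> tuple:
    """http-01: the CA fetches this path over port 80 and expects the key authorization as the body."""
    return (f"/.well-known/acme-challenge/{token}", key_authorization(token, jwk))

def dns01_txt_value(token: str, jwk: dict) -> str:
    """dns-01: TXT record at _acme-challenge.<domain> holds base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)

def check_dns01(observed_txt: str, token: str, jwk: dict) -> bool:
    """What the CA (or your own pre-flight check) verifies before issuing."""
    return observed_txt == dns01_txt_value(token, jwk)

# Constructed account-key coordinates and token (not a real key, not a real challenge).
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": b64url(bytes(range(1, 33))), "y": b64url(bytes(range(33, 65)))}
TOKEN = b64url(b"constructed-token-for-the-example")

if __name__ == "__main__":
    path, body = http01_response(TOKEN, ACCOUNT_JWK)
    print("http-01:", path, "->", body)
    print("dns-01 TXT:", dns01_txt_value(TOKEN, ACCOUNT_JWK))
```

Because the thumbprint covers only the required JWK members, rotating metadata on the account key does not change challenge responses, but rotating the key itself invalidates every pending challenge.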

Test Shorter Renewal Cycles Now

Waiting until the 47-day policy is enforced could leave you scrambling. Pilot the future environment now, under controlled conditions, and refine your workflows based on what you find.

Action plan:

  • Set renewal intervals to 60 or 90 days (already required by some CAs).
  • Run these test workflows end-to-end, including issuance, validation, deployment, and alert handling.
  • Monitor the success rate of renewals, downtime due to failed deployments, and human response delays. This will reveal bottlenecks, misconfigurations, and coverage gaps before you’re on a 47-day clock.
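The inventory described under “Build a Centralized Certificate Inventory” and the renewal-cycle pilot above both need the phased caps turned into dates and deadlines. The following added example (not code from the post or from any CLM product) audits a constructed inventory against the post’s timeline: it reports each certificate’s validity, whether it exceeds the cap in force when it was issued, when renewal must be triggered, and how many renewals a year the replacement will need. Assumptions: each phase takes effect on the 15th of the month (matching the March 15, 2026 date the post gives for OV/EV reuse), the pre-2026 cap is 398 days, and renewal is triggered when one third of the lifetime remains.

```python
from datetime import date, timedelta
from math import ceil

# Phased maximum validity from the post; the 15th of each month is an assumption.
PHASES = [
    (date(2029, 3, 15), 47),
    (date(2027, 3, 15), 100),
    (date(2026, 3, 15), 200),
    (date.min, 398),  # assumed: the 398-day cap in force since 2020 for all earlier dates
]

def max_validity_on(day):
    """Maximum validity (days) a public TLS certificate may have if issued on `day`."""
    for start, cap in PHASES:
        if day >= start:
            return cap

def renewal_lead_days(validity):
    """Trigger renewal when one third of the lifetime remains (assumed ACME-client convention)."""
    return ceil(validity / 3)

def renewals_per_year(cap):
    """Renewals a year for a certificate issued at the maximum lifetime `cap`."""
    return ceil(365 / (cap - renewal_lead_days(cap)))

def audit(inventory, today):
    """Annotate each inventory entry with policy and renewal-schedule facts."""
    report = []
    for c in inventory:
        validity = (c["not_after"] - c["not_before"]).days
        renew_by = c["not_after"] - timedelta(days=renewal_lead_days(validity))
        cap_next = max_validity_on(renew_by)  # lifetime the replacement may have
        report.append({
            "host": c["host"],
            "validity_days": validity,
            "over_cap": validity > max_validity_on(c["not_before"]),  # not issuable at that date
            "renew_by": renew_by,
            "overdue": today > renew_by,
            "next_cap": cap_next,
            "next_renewals_per_year": renewals_per_year(cap_next),
        })
    return report

# Constructed sample inventory (hostnames and dates are illustrative, not real certificates).
INVENTORY = [
    {"host": "www.example.com", "not_before": date(2025, 7, 1), "not_after": date(2026, 8, 3)},
    {"host": "api.example.com", "not_before": date(2026, 4, 1), "not_after": date(2026, 10, 18)},
    {"host": "legacy.example.com", "not_before": date(2026, 5, 1), "not_after": date(2027, 6, 3)},
    {"host": "vpn.example.com", "not_before": date(2029, 4, 1), "not_after": date(2029, 5, 18)},
]

if __name__ == "__main__":
    for r in audit(INVENTORY, date(2026, 9, 1)):
        flags = " ".join(k for k in ("over_cap", "overdue") if r[k])
        print(f'{r["host"]:20} {r["validity_days"]:>4}d renew by {r["renew_by"]} '
              f'next cap {r["next_cap"]}d ({r["next_renewals_per_year"]}/yr) {flags}')
```

Feed it the real notBefore/notAfter values from your inventory and an `overdue` flag before the cut-over dates tells you which renewal paths to pilot first.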

Train Cross-Functional Teams

Certificate lifecycle management touches more than just security teams. If DevOps isn’t aware, IT isn’t aligned, or developers don’t understand automation limits, it could lead to internal friction and outages.

Action plan:

  • Conduct workshops with DevOps, security, IT infrastructure, and compliance teams.
  • Update internal SOPs and onboarding materials to include new expiry timelines, DCV and OV/EV validation requirements, and emergency renewal protocols.
  • Establish certificate ownership or service leads to maintain accountability for key certs.

Review Policies, Contracts, and SLAs

Not all vendors, platforms, or hosting providers are ready for short-cycle certificate management. Some load balancers, cloud providers, or SaaS tools may lack API integration or automation support.

What to do:

  • Audit your third-party tools and cloud platforms for their support of automated certificate renewal and deployment.
  • Update vendor SLAs to reflect 47-day certificate requirements.
  • Negotiate support for ACME integrations or request automation tooling as part of your security expectations.

The shift to 47-day TLS certificates and 398-day OV/EV validations isn’t just an upgrade, it’s a new way of working. To remain secure and trusted in this environment, your organization must embrace automation, break down silos between teams, and prepare its systems now. 

How can EC help? 

CertSecure Manager is a true vendor-neutral solution that automates the entire SSL/TLS certificate lifecycle, from issuance and discovery to deployment and one-click certificate operations like renewal, revocation, and CA migration. It can easily handle large numbers of SSL/TLS certificates; with CertSecure Manager’s centralized dashboard, you gain real-time visibility into all your certificates, eliminating manual workloads and minimizing the risk of unexpected expirations.

Prepare for the future of certificate lifecycle management today by experiencing our certificate lifecycle management solution, CertSecure Manager. Request a demo today.

Conclusion 

The reduction of TLS certificate lifespans to 47 days is no longer a theoretical concept; it’s an approved, industry-backed mandate that will reshape how digital trust is maintained on the internet.

What began in 2020 with Apple’s enforcement of 398-day certificates has now evolved into a broader, irreversible trend, one that emphasizes agility over complacency, automation over manual oversight, and security by design over tradition. 

By March 2029, all public TLS certificates will expire in less than two months, and by March 2026, OV/EV validation reuse will be slashed to 398 days. These aren’t just technical changes; they are operational imperatives. Organizations that fail to adapt risk more than just inconvenience; they risk service outages, loss of customer trust, and potential compliance violations.

In a world where trust resets every 47 days, the winners will be those who prepare every day. 
