Trust is the foundation of the digital world. Every time a customer visits a website, processes a financial transaction, or connects to a business application, that trust is validated by TLS certificates. For years, TLS certificate lifespans stretched comfortably to 13 months or longer, giving teams ample time to track and renew them before they expired and caused an application outage. In some situations, even manual renewals were viable for longer lifespan certificates.
That era is ending.
Starting in less than six months, public TLS certificate validity will shrink dramatically:
- March 2026: 200 days maximum
- March 2027: 100 days maximum
- March 2029: 47 days maximum
This mandate, driven by the CA/Browser Forum (certificate authorities and browser vendors), is more than a policy change. It is a defining moment for enterprise security, operations, and infrastructure teams. Shortened certificate lifespans fundamentally alter how organizations must manage digital trust at scale.
Why the 47-day TLS certificate mandate matters
Why is this such a big deal? Because the math doesn’t lie: twice as many renewals means twice the work, and this change goes far beyond twice. Under today’s rules, a typical organization renews a given certificate once a year or less. With a 47-day lifespan and a safety buffer before expiry, that same certificate needs renewing roughly every month, so renewal volume rises about twelvefold as lifespans step down to 200, 100, and finally 47 days. What once felt like a steady annual rhythm becomes a relentless monthly cycle of renewals, approvals, and deployments.
Manual processes, such as ticket-based workflows, spreadsheets, and email reminders, simply cannot keep pace. Surveys already show that 83% of organizations have experienced a certificate-related outage, even with today’s longer lifespans. With 47-day certificates, outages stop being occasional mistakes and become inevitable for organizations that fail to adapt.
And certificate-related outages are just the beginning. The risks of shorter certificate lifespans extend to:
- Compliance failures: Missed renewals break audit requirements and SLAs
- Security exposures: Expired certificates train users to click through browser warnings and tempt teams to disable validation just to restore service
- Business disruption: Every outage erodes customer trust and revenue
- Reputational harm: Headlines about expired certificates damage credibility
The mandate for shorter certificate lifespans is forcing every organization to answer a difficult question: Can you maintain digital trust when certificates expire almost as quickly as they’re issued?
Security benefits of short-lived TLS certificates
There are important reasons behind this change, and most of them are security-oriented. Short-lived certificates limit the time an attacker can use a stolen private key: if a key is exposed, the certificate tied to it expires quickly, reducing the risk of long-term misuse. That benefit only materializes if renewal generates a fresh key pair rather than re-certifying the old one, so automation should rotate keys, not just certificates.
They also let organizations adopt stronger cryptography faster. As new standards emerge, including post-quantum algorithms, shorter lifespans force affected certificates and keys to rotate within weeks instead of leaving older ones in service for months or years until they expire or become vulnerable.
Shorter lifespans also strengthen the global trust system. When a certificate authority is distrusted or industry rules shift, organizations can transition more quickly because fewer long-lived certificates remain in use, which reduces the chance of certificate-related outages or sudden loss of service.
The mandate is not only about meeting compliance deadlines. It is about creating a safer, more agile, and more reliable foundation for digital trust.
Risks of missing TLS certificate renewals
Ignoring the mandate has clear consequences. Outages may become more frequent as renewal deadlines go unmet. Teams may spend more time on manual work and incident response, driving up costs. Audit performance may decline as regulators and customers demand evidence of control. Confidence in your organization may erode when services fail.
- Outages increase: Even one expired certificate can disrupt revenue or critical applications.
- Costs rise: Manual renewals, incident response, and downtime consume resources.
- Audits fail: Missing proof of lifecycle control creates compliance gaps.
- Reputation decline: Public incidents involving expired certificates damage trust and credibility.
Research shows that 75% of security leaders worry shorter lifespans could make them less secure. The concern is not the certificates themselves, but the higher risk of human error when the volume of certificate renewals grows.
How to prepare for 47-day TLS certificates: 4 steps
Recognizing the scale of this challenge, CyberArk created the 47-Day Certificate Automation Playbook. It provides a structured, practical framework to help teams move from reactive firefighting to proactive, automated readiness.
The playbook outlines a practical path in four steps:
Step 1: Discover and assess your public TLS certificates
Find every public TLS certificate and build a complete inventory to measure and manage risk.
Step 2: Assign ownership and enforce policy
Make sure each certificate has an owner and apply consistent policies to prevent gaps.
Step 3: Automate renewal at scale
Iteratively replace manual renewals with automation that covers your certificate footprint.
Step 4: Monitor readiness and prove compliance
Use dashboards and reports to track renewals, catch failures, and show proof of compliance.
By following these steps, organizations can replace firefighting with proactive, automated certificate management, setting the stage for long-term readiness and resilience.
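As an added example, not code from the playbook or from CyberArk, the script below runs the checks Steps 1, 2 and 4 call for against a constructed inventory and sizes the renewal workload Step 3 has to absorb. It assumes the inventory has already been exported as records carrying the subject, validity window, owner and whether renewal is automated; the hostnames, dates and the 15-day renewal buffer are illustrative assumptions, and the 398-day figure is today’s maximum validity while the other caps are the phases listed above.

```python
"""Certificate readiness check and renewal-volume model.

Added example, not code from the CyberArk playbook. It assumes the
inventory from Step 1 has already been exported as records carrying the
subject, validity window, owner and whether renewal is automated; the
inventory below is constructed for the example. The 15-day renewal buffer
is an illustrative assumption, not a recommendation from the article.
"""
from __future__ import annotations

import math
from dataclasses import dataclass
from datetime import date

# Maximum validity in days: today's limit and the three CA/Browser Forum phases.
VALIDITY_PHASES = {"today": 398, "2026-03": 200, "2027-03": 100, "2029-03": 47}


@dataclass(frozen=True)
class CertRecord:
    subject: str
    not_before: date
    not_after: date
    owner: str | None   # None: nobody is accountable for renewing it (Step 2 gap)
    automated: bool     # False: renewed by hand, ticket or reminder (Step 3 gap)


def renewals_per_year(max_validity_days: int, renew_before_days: int) -> float:
    """Renewals per year for one certificate that is always issued at the
    maximum validity and re-issued `renew_before_days` before it expires."""
    cadence_days = max_validity_days - renew_before_days
    if cadence_days <= 0:
        raise ValueError("renewal buffer must be shorter than the validity period")
    return 365 / cadence_days


def readiness_report(inventory: list[CertRecord], today: date,
                     renew_before_days: int = 15,
                     alert_within_days: int = 30) -> dict:
    """Summarise ownership gaps, imminent expiries and projected manual workload."""
    unowned = [c.subject for c in inventory if c.owner is None]
    expired = [c.subject for c in inventory if c.not_after < today]
    # Anything inside the alert window, including already-expired certificates,
    # needs attention now (Step 4: catch failures before they become outages).
    expiring_soon = [c.subject for c in inventory
                     if (c.not_after - today).days <= alert_within_days]
    manual = [c for c in inventory if not c.automated]

    # Step 3 sizing: hand-driven renewals per year the manual fleet would
    # generate under each validity cap if nothing is automated.
    projected = {
        phase: math.ceil(len(manual) * renewals_per_year(cap, renew_before_days))
        for phase, cap in VALIDITY_PHASES.items()
    }
    multiplier = (renewals_per_year(VALIDITY_PHASES["2029-03"], renew_before_days)
                  / renewals_per_year(VALIDITY_PHASES["today"], renew_before_days))
    return {
        "total": len(inventory),
        "unowned": unowned,
        "expired": expired,
        "expiring_soon": expiring_soon,
        "manual_count": len(manual),
        "projected_manual_renewals": projected,
        "volume_multiplier_47_vs_today": round(multiplier, 1),
    }


# Constructed sample inventory; names and dates are made up for the example.
SAMPLE_TODAY = date(2026, 1, 15)
SAMPLE_INVENTORY = [
    CertRecord("www.example.com", date(2025, 12, 1), date(2026, 2, 1), "web-platform", True),
    CertRecord("api.example.com", date(2025, 6, 1), date(2026, 7, 4), "api-team", False),
    CertRecord("legacy.example.com", date(2025, 1, 10), date(2026, 1, 10), None, False),
    CertRecord("mail.example.com", date(2025, 8, 1), date(2026, 8, 1), None, False),
]

if __name__ == "__main__":
    report = readiness_report(SAMPLE_INVENTORY, today=SAMPLE_TODAY)
    for key, value in report.items():
        print(f"{key}: {value}")
```

With the sample data the report lists two certificates with no owner, one already expired, and three still renewed by hand; those three generate about 3 renewals a year today but 35 under a 47-day cap, and the per-certificate multiplier of roughly 12 is where the "monthly renewals" figure above comes from. Feeding a real export from a scanner or certificate manager into `readiness_report` turns the same checks into the dashboard Step 4 asks for.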
Roadmap: From manual renewals to certificate automation
Every organization is at a different stage of certificate management. The 47-day playbook includes a maturity model that helps you see where you stand and what milestones to aim for. The maturity model makes it easier to build executive alignment, set priorities, and measure progress.
The enforcement clock is ticking. But readiness doesn’t happen overnight. It requires:
- Executive alignment: Security, infrastructure, and operations leaders must agree on priorities and outcomes.
- Investment in automation: Tools and platforms that eliminate manual bottlenecks.
- Iterative rollout: Prioritizing high-risk systems first, then expanding coverage.
- Continuous reporting: To prove compliance and resilience.
Organizations that act now will be positioned to meet the 47-day mandate and may unlock hidden benefits like faster adoption of stronger cryptography, reduced blast radius from key compromise, and improved operational discipline. They’ll also be better prepared for CA distrust events, cryptographic shifts, and the rapid expansion of machine identities.
Your TLS certificate action plan: Playbook, readiness scan and expert resources
The mandate is real. The risks are clear. But so is the path forward.
Organizations that begin planning now can adapt more smoothly to short‑lived TLS certificates. Start by inventorying your public certificates and assigning an owner and a policy to each. Introduce automation where manual renewals are common, and monitor continuously to prove control over time.
For a deeper dive into the framework, steps, and KPIs, read the CyberArk 47‑day Certificate Automation Playbook. For teams that want an initial snapshot, you can run our no-cost 47‑day readiness scan to discover unmanaged certificates and model renewal volume. And for additional research, practical frameworks, and expert guidance, check out our 47-day resource hub.
The future of digital trust will be defined by how well enterprises adapt to 47-day certificates. Will your organization be ready?
Nick Curcuru is a director in the CyberArk Trust Office.