The Shrinking Life of an SSL Certificate
Every website secured with HTTPS relies on a TLS/SSL certificate — a digital credential that authenticates the server and encrypts data in transit. For most of the internet’s history, these certificates were issued and largely forgotten, valid for years at a stretch. That era is ending.
Before 2012, certificates could be valid for up to 10 years. The CA/Browser Forum — the industry body governing certificate authorities and browser vendors — has progressively tightened the maximum validity period, moving from 5 years to 3 to 2 and arriving in 2020 at the current standard of 398 days. Now, another significant shift is underway.
In April 2025, the CA/Browser Forum approved Ballot SC-081v3, originally proposed by Apple, with 29 votes in favor and none opposed. Before Apple’s proposal, Google had promoted a 90-day maximum lifetime, but it voted in favor of Apple’s ballot almost immediately after the voting period began. The resulting schedule is phased: 200 days as of March 15, 2026; 100 days as of March 15, 2027; and a final ceiling of 47 days as of March 15, 2029.
Why 47 days specifically?
The number follows a simple cascade: 47 days equals one maximal month (31 days), plus half a 30-day month (15 days), plus one day of wiggle room. The design gives certificates roughly a month of operational life with a built-in renewal buffer — intentional, not arbitrary.
Why shorter at all?
Apple’s ballot argues that the information in certificates steadily becomes less trustworthy over time, a problem that can only be mitigated by frequent revalidation. The ballot also takes aim at the existing revocation infrastructure: the revocation system using CRLs and OCSP is unreliable, and browsers often ignore these features — shorter lifetimes mitigate the effects of potentially revoked certificates remaining in use. There’s a forward-looking dimension, too: the 2029 deadline is deliberately set ahead of the 2030 post-quantum cryptography transition, when algorithms like RSA and ECC will begin to be deprecated in favor of quantum-resistant alternatives.
The operational reality
A 47-day certificate means roughly 8 to 12 renewal cycles per certificate, per year. Manual end-to-end certificate renewal typically requires 3 to 6 hours of human effort, covering key generation, CSR submission, CA validation, installation, verification, and potential service restarts. Multiplied across hundreds or thousands of certificates, the math makes manual management impossible. The domain validation reuse window tightens in parallel: by March 2029, the maximum period during which domain validation information may be reused drops to just 10 days.
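The phased schedule and the renewal arithmetic above can be turned into an inventory check. The following is an added example, not code from the CA/Browser Forum or any vendor: the hostnames and dates are constructed, the 16-day renewal buffer is an assumption taken from the 31 + 15 + 1 breakdown, lifetimes are counted as whole calendar days, and every issuance date before March 15, 2026 is treated as falling under the 398-day limit.

```python
from datetime import date, timedelta
from math import ceil

# Maximum lifetime by issuance date, newest phase first (values from the article).
SCHEDULE = [(date(2029, 3, 15), 47), (date(2027, 3, 15), 100), (date(2026, 3, 15), 200)]
CURRENT_CAP = 398  # assumed for every issuance date before March 15, 2026

def max_lifetime_days(issued: date) -> int:
    """Return the lifetime ceiling that applies to a certificate issued on this date."""
    for effective, cap in SCHEDULE:
        if issued >= effective:
            return cap
    return CURRENT_CAP

def audit(name: str, not_before: date, not_after: date, buffer_days: int = 16) -> dict:
    """Check one certificate against the cap at issuance and at its next renewal."""
    lifetime = (not_after - not_before).days          # simplified whole-day count
    renew_on = not_after - timedelta(days=buffer_days)
    next_cap = max_lifetime_days(renew_on)
    return {
        "name": name,
        "lifetime_days": lifetime,
        "over_cap": lifetime > max_lifetime_days(not_before),  # too long when issued
        "renew_on": renew_on,
        "next_cap": next_cap,
        "must_shorten": lifetime > next_cap,   # same lifetime is not allowed at renewal
    }

def renewals_per_year(cap_days: int, buffer_days: int = 0) -> int:
    """Renewal cycles per year when renewing buffer_days before expiry."""
    return ceil(365 / (cap_days - buffer_days))

# Constructed sample inventory: (hostname, notBefore, notAfter)
INVENTORY = [
    ("www.example.test", date(2025, 6, 1), date(2026, 7, 4)),
    ("api.example.test", date(2026, 4, 1), date(2027, 4, 1)),
    ("mail.example.test", date(2029, 3, 20), date(2029, 5, 6)),
]

if __name__ == "__main__":
    for entry in INVENTORY:
        r = audit(*entry)
        print(f"{r['name']}: {r['lifetime_days']}d, over_cap={r['over_cap']}, "
              f"renew {r['renew_on']} at <= {r['next_cap']}d, "
              f"must_shorten={r['must_shorten']}")
    print("47-day renewals/year:", renewals_per_year(47), "to", renewals_per_year(47, 16))
```

With no buffer a 47-day certificate is replaced 8 times a year, and renewing after 31 days gives 12, which matches the 8 to 12 range quoted above.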
Automation is no longer optional
Apple’s statement that automation is essentially mandatory for effective certificate lifecycle management is, as DigiCert puts it, indisputable. DigiCert also notes that once users adopt automation, they often voluntarily move to more rapid certificate replacement cycles — and that even the 2027 changes to 100-day certificates will make manual procedures untenable, suggesting rapid automation adoption well before 2029. Importantly, certificate cost is based on an annual subscription, so more frequent renewals do not result in higher certificate fees.
For organizations still relying on spreadsheets and calendar reminders, the 47-day world isn’t just inconvenient. It’s a hard deadline.