Part 5 · Real-World Challenges | Intermediate | 9 min read

Shorter Certificate Lifespans

The days of multi-year TLS certificates are over. The industry is rapidly moving toward shorter validity periods, with 47-day certificates on the horizon. This shift will fundamentally change how organizations manage their certificate estates.

Quick Facts

Type: Educational
Level: Intermediate
Chapter: 22 of 25
Next: Building a CLM Strategy

Overview

For years, TLS certificates could be valid for three, four, or even five years. Administrators would request a certificate, install it, and largely forget about it until the next renewal cycle came around. That era is ending.

The trajectory is unmistakable: certificate validity periods have been shrinking steadily, and the pace is accelerating. As of 2024, the maximum validity for publicly trusted TLS certificates is 398 days (roughly 13 months). By 2029, that window will shrink to just 47 days. Organizations that today renew each certificate once a year will soon need to renew it roughly eight times a year.

The shift is not arbitrary. It reflects a growing consensus among browser vendors, security researchers, and standards bodies that shorter lifespans dramatically reduce risk. But for IT teams still relying on manual processes or spreadsheets, the operational implications are enormous.

Key Steps

1. Before 2015: Up to 5 Years

In the early days of commercial TLS, certificates could be purchased with validity periods of three to five years. Renewal was infrequent, and certificate management was largely a manual, ad hoc process handled by a small number of administrators.

2. 2018: The 2-Year Maximum

The CA/Browser Forum voted to cap TLS certificate validity at 825 days (approximately two years). This was the first major reduction and signaled the industry's direction. Organizations with large certificate estates began to feel the operational pressure.

3. 2020: The 1-Year Maximum (398 Days)

Apple unilaterally announced that Safari would reject certificates with validity periods exceeding 398 days. Google and Mozilla followed suit. The CA/Browser Forum had debated this change but couldn't reach consensus; browser vendors forced the issue. This became the standard that holds today.

4. 2024: The 90-Day Push

Google publicly advocated for a 90-day maximum validity period, citing the success of Let's Encrypt (which issues 90-day certificates by default). The proposal gained broad support among browser vendors and security researchers, setting the stage for the next formal reduction.

5. Inventory Everything

Start with a complete discovery of all certificates across your infrastructure: servers, load balancers, cloud environments, CDNs, IoT devices, and internal services. You need to know exactly how many certificates you manage and where they live.

6. Identify Automation Gaps

For each certificate, determine whether the renewal and deployment process can be automated. Certificates on legacy systems, appliances without ACME support, or manually managed infrastructure will need special attention and possibly custom integrations.

7. Deploy Automation Protocols

Implement ACME, EST, or SCEP across your environment. Prioritize high-volume systems first (web servers, load balancers, Kubernetes clusters) and work outward toward edge cases. Test renewal workflows thoroughly before the deadlines hit.

8. Shorten Lifespans Proactively

Do not wait for the mandates. Begin issuing 90-day certificates now, wherever possible, to stress-test your automation pipelines and operational workflows. Organizations that have already adopted short-lived certificates through Let's Encrypt or internal CAs are well positioned for what's next.

9. Build Monitoring and Alerting

Even with automation, things fail. Implement real-time monitoring of certificate status, renewal success rates, and deployment health. Configure alerts well in advance of expiration so that failures are caught and resolved before they cause outages.

How we help

Evertrust & Shorter Certificate Lifespans

Full-estate discovery: Evertrust CLM scans your entire infrastructure continuously, identifying every certificate regardless of issuer, location, or owner. You get a single source of truth before you begin automating.

Protocol-native automation: Evertrust PKI supports ACME, EST, SCEP, and CMP natively, enabling fully automated enrollment, renewal, and deployment without manual intervention. Whether you need to renew every 90 days or every 47 days, the process is the same.

Proactive alerting: Configurable alert policies notify the right teams at the right time, whether that's 30 days, 14 days, or 7 days before expiration. Escalation paths ensure no renewal falls through the cracks.

Readiness dashboards: See at a glance which certificates are already automated, which still require manual intervention, and where your gaps are. Track your progress toward full 47-day readiness across the entire organization.