The Big Shift from Months to Days: the new TLS Certificate Validity
While the decision was officially made in early 2025, the impact of the CA/Browser Forum’s vote to reduce TLS certificate validity continues to grow in importance as the implementation timeline progresses. With changes set to unfold gradually until 2029, now is the right time to prepare for what will be a major shift in certificate lifecycle management.
What is changing?
In April 2025, the CA/Browser Forum approved Ballot SC-081v3, initiating a scheduled reduction in the maximum lifespan of public TLS certificates—from 398 days down to just 47 days by March 15, 2029.
Source: CA/Browser Forum Ballot SC-081v3
Implementation Timeline:
| Effective Date | Maximum Certificate Validity | Domain Control Validation Reuse Limit |
|---|---|---|
| Until March 15, 2026 | 398 days | 398 days |
| From March 15, 2026 | 200 days | 200 days |
| From March 15, 2027 | 100 days | 100 days |
| From March 15, 2029 | 47 days | 10 days |
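As an added illustration (not code from the CA/Browser Forum or from MAYI CLM), the Python below applies the schedule in the table to inventory records: it checks each certificate against the limit in force when it was issued, then reports what its replacement will be allowed and whether the earlier domain validation can still be reused. The record fields, host names and dates are constructed, lifetimes are counted in whole days, and renewal is assumed to happen on the expiry date.

```python
from datetime import date
from math import ceil

# Phases from the timeline table: (effective date, max validity days, DCV reuse days).
PHASES = [
    (date(2026, 3, 15), 200, 200),
    (date(2027, 3, 15), 100, 100),
    (date(2029, 3, 15), 47, 10),
]

def limits_on(day):
    """Return (max validity, DCV reuse) in days for a certificate issued on `day`."""
    limits = (398, 398)  # in force until March 15, 2026
    for effective, validity, dcv in PHASES:
        if day >= effective:
            limits = (validity, dcv)
    return limits

def audit(cert):
    """Check one inventory record against the limit at issuance and at its next renewal."""
    lifetime = (cert["not_after"] - cert["not_before"]).days
    issued_max, _ = limits_on(cert["not_before"])
    renew_max, renew_dcv = limits_on(cert["not_after"])  # assumption: renewed on expiry date
    dcv_age = (cert["not_after"] - cert["last_dcv"]).days
    return {
        "name": cert["name"],
        "over_limit_at_issuance": lifetime > issued_max,
        "replacement_max_days": renew_max,
        "must_shorten": lifetime > renew_max,
        "needs_fresh_dcv": dcv_age > renew_dcv,
        "renewals_per_year": ceil(365 / renew_max),
    }

# Constructed sample inventory (hypothetical hosts and dates).
INVENTORY = [
    {"name": "www.example.test", "not_before": date(2025, 9, 1),
     "not_after": date(2026, 9, 30), "last_dcv": date(2025, 9, 1)},
    {"name": "api.example.test", "not_before": date(2028, 12, 20),
     "not_after": date(2029, 3, 20), "last_dcv": date(2028, 12, 20)},
    {"name": "old.example.test", "not_before": date(2026, 4, 1),
     "not_after": date(2027, 4, 1), "last_dcv": date(2026, 4, 1)},
]

if __name__ == "__main__":
    for record in INVENTORY:
        print(audit(record))
```

Feeding it real `notBefore`/`notAfter` values from a certificate inventory shows which renewals cross a phase boundary and therefore need a shorter lifetime or a fresh domain validation.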
Why is it changing?
Though this isn’t breaking news, it’s a critical change that organizations must act on now to avoid future disruption. The reduction in TLS certificate lifespan is driven by key security and operational goals:
- Stronger security through shorter exposure windows: shorter-lived certificates limit the time frame in which a compromised private key could be exploited
- Better crypto-agility: frequent renewals enable faster shifts to updated cryptographic algorithms or standards, a key requirement in preparing for the post-quantum era
- Automation becomes essential: manual certificate issuance and renewal simply won’t scale with 47-day lifespans. Full or partial automation will be necessary for compliance and operational continuity
What should companies expect?
- More frequent renewals: starting in 2029, organizations will need to renew public TLS certificates every 47 days—about eight times per year, compared to once annually today
- Shorter revalidation windows: the validity of DCV checks and identity validations will be reduced alongside certificate lifespans. This means you’ll need to perform domain and organization validation more frequently
- Increased risk without automation: relying on manual certificate processes at this cadence dramatically increases the risk of service outages and compliance failures
Automate with MAYI CLM
With certificate lifespans shrinking and validation cycles tightening, automation is no longer optional – it’s essential. That’s where MAYI CLM comes in.
MAYI CLM is our end-to-end Certificate Lifecycle Management platform designed to simplify and secure digital identity at scale. It enables organizations to:
- Automate certificate discovery, issuance, and renewal
- Ensure compliance with the latest CA/B Forum rules
- Minimize outages and manual overhead
- Maintain complete visibility across your certificate inventory
- Integrate seamlessly with your existing infrastructure
Whether you manage dozens or thousands of certificates, MAYI CLM provides the reliability and agility needed to adapt to a faster-paced, automation-driven security environment.
Get in touch with us to learn how MAYI CLM can help your organization stay secure, compliant, and resilient – today and for the future.