Your Certificate Has Expired!

The CA/Browser Forum has voted. By 2029, TLS certificates will last just 47 days. Manual renewal is no longer an option.

Chris Burton 8 min read

HTTPS runs on a TLS certificate that proves your site is yours and encrypts the traffic to it. Let that certificate expire and the site stops working. A customer loads your page and hits a full-screen browser warning: “Your connection is not private.” One certificate lapsed and nobody caught it. Today that certificate might run for over a year. By March 2029 it will run for 47 days.

The CA/Browser Forum has voted to cut TLS certificate lifetimes from 398 days to 47 days over three years. If you still track certificates in spreadsheets and calendar reminders, you have a deadline.

The Countdown Has Started

The changes roll out in four phases:

| Date          | Maximum certificate lifetime | Domain validation reuse |
|---------------|------------------------------|-------------------------|
| Now           | 398 days                     | 398 days                |
| 15 March 2026 | 200 days                     | 398 days                |
| 15 March 2027 | 100 days                     | 100 days                |
| 15 March 2029 | 47 days                      | 10 days                 |

Watch the final row. A 47-day lifetime means you issue certificates eight times a year per domain. A 10-day domain validation reuse window means you cannot stockpile validated domains and issue at leisure. Every renewal needs fresh validation.

A business with a hundred certificates faces 800 renewals a year. A thousand certificates means 8,000. No team sustains that by hand.

Why the Industry Is Forcing This Change

Apple proposed the change and Google backed it. The reasoning holds up.

A certificate is a statement of trust. It asserts that a domain belongs to an organisation, that the organisation is who it claims to be, and that the connection is secure. Trust decays. Domains change hands. Companies get acquired. Providers reassign IP addresses. The longer a certificate sits in place, the more the facts behind it drift.

Revocation was meant to handle this. When a certificate is compromised, the issuing authority revokes it and browsers refuse to trust it. Revocation rarely works. Browsers skip Certificate Revocation Lists and OCSP responses, so a revoked certificate can stay trusted for days or weeks.

Shorter lifetimes fix the problem a different way. A certificate that lives 47 days shrinks the exposure window after a compromise to weeks instead of a year. The certificate expires before most attackers exploit it, so revocation matters less.

The industry already exempts certificates that expire within seven days from revocation requirements. The 47-day target carries that logic into the mainstream.

The Certificate Is the Easy Part

Most businesses fixate on the certificate. Let’s Encrypt issues a free DV certificate in seconds. Everything around it is the work.

  • Discovery: You know the certificate on your main website. You may not know the one on the API gateway someone set up three years ago, the internal service that talks to a vendor, or the load balancer in a forgotten AWS account.

  • Installation: Issuing a certificate is one step. Installing it on the right server, in the right format, with the right intermediate chain, is another. Outages often happen because someone issued the new certificate and never deployed it.

  • Coordination: A single renewal can touch a web server, a CDN, a WAF, and an API gateway. Miss one and traffic fails.

  • Validation: OV and EV certificates require organisation identity checks. The new rules cut the reuse period for that validation from 825 days to 398 days. You will revalidate your legal name, address, and authorisation contacts more often.

Manual processes break under this load. You will have an outage; the timing is the only open question.

A Story of Two Organisations

Organisation A runs a mid-sized SaaS platform with certificates across production, staging, and internal services. One DevOps engineer tracks them in a shared spreadsheet. Renewals happen when someone remembers, usually after a 3am monitoring alert.

The 200-day limit arrived in March 2026 and doubled their renewal frequency. The engineer now spends more time on certificates than on infrastructure. In 2027 the limit dropped to 100 days and they missed a renewal on a payment endpoint. The outage ran four hours. Customers left. The postmortem blamed “process failure.”

Organisation B runs a similar platform. They spent months building ACME automation that discovers, tracks, and renews every certificate. The 47-day limit arrived and changed nothing for their operations. Their certificates renew every 30 days by policy. The engineers who used to chase certificates now work on architecture and security posture.

Budget did not separate the two. Timing did. Organisation B started before the problem turned urgent.

The Path to Automation

Automation is not a single tool. You build it across four layers.

1. Discovery

You cannot automate a certificate you do not know exists. Start with a full inventory of every certificate in your environment:

  • Scan your public-facing infrastructure for certificates on ports 443, 8443, and any other TLS-enabled services.
  • Query your DNS for all subdomains and check each for certificates.
  • Audit your cloud accounts for certificates attached to load balancers, API gateways, and CDNs.
  • Check your internal network for certificates on internal services, databases, and message queues.

Tools like certspotter, crt.sh, and commercial certificate management platforms help here. Aim for a single source of truth: every certificate, its expiry date, its issuer, and where it is installed.

2. Centralised Management

Once you know what you hold, consolidate control. A certificate management platform should:

  • Track every certificate in one dashboard.
  • Alert when certificates approach expiry (30 days is a sensible threshold; 47-day certificates leave no room for longer).
  • Integrate with your issuing CAs, whether that is Let’s Encrypt, DigiCert, Sectigo, or an internal CA.
  • Support ACME for automated issuance and renewal.

If your current process means logging into a CA portal, downloading a certificate, and uploading it to a server by hand, it will not survive the 47-day era.

3. Automated Issuance and Renewal

ACME (Automatic Certificate Management Environment) is the standard. It automates the entire lifecycle: domain validation, certificate issuance, installation, and renewal.

Most modern platforms support ACME natively:

  • Web servers: Caddy handles ACME out of the box. Nginx and Apache support it via certbot or similar agents.
  • Cloud providers: AWS Certificate Manager, Google Cloud Managed Certificates, and Azure App Service Certificates automate renewal for their respective platforms.
  • Kubernetes: cert-manager automates certificate issuance and renewal for workloads running in clusters.

Remove the human steps. A renewal that needs someone to click a button, approve an email, or copy a file will fail at some point.

4. Monitoring and Failover

Automation is not infallible. Build monitoring that catches failures before they cause outages:

  • Alert when a certificate is within 14 days of expiry and has not renewed.
  • Alert when a certificate renewal fails.
  • Test your renewal process in a staging environment each month.
  • Document the manual fallback procedure for when automation breaks.

Keep people in the loop for the exceptions, not the routine.
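The Discovery step (scan your endpoints, record issuer, expiry and where each certificate is installed) and the Monitoring step (alert inside 14 days of expiry when no renewed certificate is being served, and alert on failures) can be one small tool. The following is an added example written for this article, not code from the author or from any certificate management product; it uses only the Python standard library. `fetch_peercert()` performs a real TLS handshake against hosts you choose; every other function is pure and is exercised here on constructed certificates, in the dict shape `ssl.SSLSocket.getpeercert()` returns, for hostnames under example.com that are assumptions rather than real systems. It also flags the Installation failure mode from earlier: a certificate that is deployed but does not cover the host it is served from.

```python
"""Certificate inventory and expiry monitoring (standard library only).
Added example for the Discovery and Monitoring steps; not the article's code.
fetch_peercert() does a real handshake against hosts you choose; everything
else is pure and runs below on constructed certificates in the dict shape
ssl.SSLSocket.getpeercert() returns."""
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 14     # "within 14 days of expiry and not renewed"
MAX_LIFETIME = 47  # the March 2029 cap; lower it to your own renewal policy


def fetch_peercert(host, port=443, timeout=5.0):
    """Verified leaf certificate of host:port. The default context rejects expired
    or untrusted chains; build_inventory() records that as an alert, not a skip."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def issuer_cn(cert):
    return next((v for rdn in cert.get("issuer", ()) for k, v in rdn if k == "commonName"), "")


def hostname_covered(hostname, names):
    """Exact SAN match or single-label wildcard: *.example.com covers
    api.example.com but not a.b.example.com or example.com."""
    host = hostname.lower().rstrip(".")
    for name in (n.lower() for n in names):
        if name == host:
            return True
        if name.startswith("*.") and host.endswith(name[1:]) and "." not in host[:-len(name[1:])]:
            return True
    return False


def inventory_record(host, port, cert, now):
    """One inventory row: where installed, issuer, coverage, lifetime, days left."""
    def when(field):
        return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert[field]), timezone.utc)
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {"endpoint": f"{host}:{port}", "issuer": issuer_cn(cert), "sans": names,
            "lifetime_days": (when("notAfter") - when("notBefore")).days,
            "days_left": (when("notAfter") - now).days,
            "covers_host": hostname_covered(host, names)}


def build_inventory(targets, now, fetch=fetch_peercert):
    """One row per (host, port); `fetch` is injectable so the demo can run offline."""
    rows = []
    for host, port in targets:
        try:
            rows.append(inventory_record(host, port, fetch(host, port), now))
        except (OSError, ValueError) as exc:  # ssl.SSLError is an OSError
            rows.append({"endpoint": f"{host}:{port}", "error": str(exc)})
    return rows


def alerts_for(rows, warn_days=WARN_DAYS, max_lifetime=MAX_LIFETIME):
    """Monitoring rules: handshake failed, expired, expiring with no renewed cert
    served, wrong certificate for the host, lifetime over policy (never replaced)."""
    alerts = []
    for r in rows:
        ep = r["endpoint"]
        if "error" in r:
            alerts.append((ep, "HANDSHAKE_FAILED", r["error"]))
            continue
        if r["days_left"] < 0:
            alerts.append((ep, "EXPIRED", f"expired {-r['days_left']} day(s) ago"))
        elif r["days_left"] <= warn_days:
            alerts.append((ep, "EXPIRING", f"{r['days_left']} days left, no renewed certificate served"))
        if not r["covers_host"]:
            alerts.append((ep, "WRONG_CERT", f"SANs {r['sans']} do not cover the host"))
        if r["lifetime_days"] > max_lifetime:
            alerts.append((ep, "LONG_LIVED", f"{r['lifetime_days']}-day lifetime exceeds {max_lifetime}-day policy"))
    return alerts


# Constructed sample data (hostnames are assumptions, not real systems); "now" is fixed.
NOW = datetime(2029, 4, 1, tzinfo=timezone.utc)
SAMPLE_CERTS = {
    ("www.example.com", 443): {  # healthy: 47-day certificate, 35 days left
        "issuer": ((("commonName", "Example Issuing CA"),),),
        "notBefore": "Mar 20 00:00:00 2029 GMT", "notAfter": "May  6 00:00:00 2029 GMT",
        "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com"))},
    ("api.example.com", 8443): {  # forgotten gateway: old 398-day certificate, 9 days left
        "issuer": ((("commonName", "Example Issuing CA"),),),
        "notBefore": "Mar  8 00:00:00 2028 GMT", "notAfter": "Apr 10 00:00:00 2029 GMT",
        "subjectAltName": (("DNS", "api.example.com"),)},
    ("legacy.internal.example.com", 443): {  # wrong certificate deployed to this host
        "issuer": ((("commonName", "Example Internal CA"),),),
        "notBefore": "Mar 25 00:00:00 2029 GMT", "notAfter": "Apr 24 00:00:00 2029 GMT",
        "subjectAltName": (("DNS", "*.example.com"),)},
}
SAMPLE_TARGETS = list(SAMPLE_CERTS) + [("db.internal.example.com", 5432)]


def sample_fetch(host, port):
    """Offline stand-in for fetch_peercert(); the database host fails its handshake."""
    try:
        return SAMPLE_CERTS[(host, port)]
    except KeyError:
        raise ssl.SSLCertVerificationError("certificate verify failed: certificate has expired") from None


def demo(now=NOW):
    return alerts_for(build_inventory(SAMPLE_TARGETS, now, fetch=sample_fetch))


if __name__ == "__main__":
    for endpoint, kind, detail in demo():
        print(f"{kind:16} {endpoint:32} {detail}")
```

To run it against your own estate, pass your (host, port) list to `build_inventory()` without the `fetch=` override; a host whose certificate is already expired fails the handshake and surfaces as `HANDSHAKE_FAILED`, which is the right outcome for a monitor. The `LONG_LIVED` rule is the cheap tell for a renewal that was issued but never deployed: if the served certificate's lifetime is longer than your policy allows, automation has not replaced it.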

What to Do This Week

  1. Run a certificate audit. Use crt.sh or your certificate management platform to list every certificate associated with your domains. Compare that list to what you think you have.

  2. Identify manual processes. For each certificate, ask: how is it renewed? If the answer involves a human, mark it for automation.

  3. Choose your automation stack. If you are cloud-native, your provider’s managed certificates may be sufficient. If you run your own infrastructure, evaluate certbot, cert-manager, or a commercial platform.

  4. Set a target date. The 200-day limit arrives in March 2026. Have automation running six months ahead, by September 2025, so you can test, fail, and fix before the deadline bites.

  5. Document everything. Certificate management often lives in one person’s head. Write down the workflow, the escalation path, and the recovery steps. The 47-day era will outlast any single employee.
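Step 1 above, the crt.sh audit, is the comparison of what Certificate Transparency logs say was issued for your domains against what you think you have. The following added example (written for this article, not the author's code or a crt.sh tool) does that comparison with the standard library. The live query uses crt.sh's JSON output (`https://crt.sh/?q=%25.example.com&output=json`); the field names it relies on (`id`, `issuer_name`, `name_value`, `not_after`) are an assumption about that endpoint's shape, so the offline demo runs on a constructed response in the same shape, for hostnames under example.com that are themselves assumptions.

```python
"""Compare Certificate Transparency entries for a domain with your inventory.
Added example, not the article's code; standard library only. The crt.sh JSON
field names below are an assumption about that endpoint; the demo runs on a
constructed response of the same shape."""
import json
import urllib.request
from datetime import datetime, timezone


def fetch_crtsh(domain, timeout=30):
    """Live query (needs network): every CT entry for *.domain as a list of dicts."""
    url = f"https://crt.sh/?q=%25.{domain}&output=json"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def unexpired_names(entries, now):
    """Map each hostname seen in CT to its newest still-valid certificate.
    name_value is newline-separated SANs; precerts and leaves collapse together."""
    live = {}
    for e in entries:
        not_after = datetime.fromisoformat(e["not_after"]).replace(tzinfo=timezone.utc)
        if not_after < now:
            continue
        for raw in e["name_value"].splitlines():
            name = raw.strip().lower()
            if name and (name not in live or not_after > live[name]["not_after"]):
                live[name] = {"not_after": not_after, "issuer": e["issuer_name"], "ct_id": e["id"]}
    return live


def audit(entries, known_hosts, now):
    """Names in CT you do not track, and tracked names CT has never seen
    (expected for internal-CA certificates, which never reach public logs)."""
    live = unexpired_names(entries, now)
    known = {h.lower() for h in known_hosts}
    return {"unknown_to_inventory": sorted(set(live) - known),
            "in_inventory_but_not_in_ct": sorted(known - set(live)),
            "live": live}


# Constructed sample response (decoded JSON shape); hostnames are assumptions.
NOW = datetime(2029, 4, 1, tzinfo=timezone.utc)
SAMPLE_CT = [
    {"id": 1001, "issuer_name": "C=US, O=Example CA, CN=Example Issuing CA",
     "name_value": "www.example.com\nexample.com",
     "not_before": "2029-03-20T00:00:00", "not_after": "2029-05-06T00:00:00"},
    {"id": 1002, "issuer_name": "C=US, O=Example CA, CN=Example Issuing CA",
     "name_value": "api.example.com",
     "not_before": "2028-03-08T00:00:00", "not_after": "2029-04-10T00:00:00"},
    {"id": 1003, "issuer_name": "C=US, O=Example CA, CN=Example Issuing CA",
     "name_value": "old-vendor-gw.example.com",            # expired: drops out
     "not_before": "2027-01-01T00:00:00", "not_after": "2028-01-01T00:00:00"},
    {"id": 1004, "issuer_name": "C=US, O=Example CA, CN=Example Issuing CA",
     "name_value": "*.example.com",                        # nobody in inventory owns this
     "not_before": "2029-03-25T00:00:00", "not_after": "2029-04-24T00:00:00"},
    {"id": 1005, "issuer_name": "C=US, O=Other CA, CN=Other Issuing CA",
     "name_value": "staging.example.com",                  # issued outside the process
     "not_before": "2029-03-28T00:00:00", "not_after": "2029-05-14T00:00:00"},
    {"id": 1006, "issuer_name": "C=US, O=Example CA, CN=Example Issuing CA",
     "name_value": "www.example.com\nexample.com",         # renewal of 1001
     "not_before": "2029-03-30T00:00:00", "not_after": "2029-05-16T00:00:00"},
]
KNOWN_HOSTS = ["www.example.com", "example.com", "api.example.com",
               "legacy.internal.example.com"]


def demo(entries=SAMPLE_CT, known=KNOWN_HOSTS, now=NOW):
    return audit(entries, known, now)


if __name__ == "__main__":
    result = demo()
    print("In CT but not in inventory:", result["unknown_to_inventory"])
    print("In inventory but not in CT:", result["in_inventory_but_not_in_ct"])
    for name, info in sorted(result["live"].items()):
        print(f"  {name:28} expires {info['not_after']:%Y-%m-%d}  via {info['issuer']}")
```

Swap `SAMPLE_CT` for `fetch_crtsh("yourdomain")` to run the real audit. The two output lists answer different questions: names in CT that you do not track are certificates someone obtained outside your process (the wildcard and staging entries here), while tracked names absent from CT are normally internal-CA certificates, which is why the CT audit complements the endpoint scan rather than replacing it.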

Start Now

The 47-day era is a confirmed requirement on a fixed schedule. The window between 2027 and 2029 is your last chance to automate. After 2029, manual certificate management stops being a disadvantage and becomes impossible to run.

Act now and the 2029 deadline passes as a non-event. Wait, and you find out that calendar reminders and spreadsheets do not scale. The technology is mature, the standards are clear, and the date is set. Pick which organisation you want to be.


Written by

Chris Burton

Founder · Principal Consultant

Accomplished cybersecurity leader with over 25 years of experience. OSCP-certified penetration tester, Cyber Scheme Team Leader, and founder of LEVERAGE CYBER. Former Head of Professional Services and CHECK Team Leader (Infrastructure). Published in Which? Magazine and quoted by the BBC on mobile banking security. Passionate about offensive security, team leadership, and making cybersecurity practical for businesses.
