🚨
Industry Alert · April 2025
SSL/TLS Certificate Lifetimes Are Being Cut From 398 Days to Just 47 Days by 2029 — CA/Browser Forum Ballot SC-081v3 Approved
Breaking News · Approved April 11, 2025
SSL Certificate Lifecycles Are Shortening Drastically
The CA/Browser Forum has formally approved Ballot SC-081v3, a landmark proposal by Apple that fundamentally changes how SSL/TLS certificates are managed across the entire internet. Starting March 2026, maximum certificate validity begins a phased reduction — from today's 398 days down to just 47 days by March 2029.
This is the most significant change to SSL certificate management in over a decade. Every website owner, hosting provider, and system administrator will be affected.
Today (2025)
398
days validity
By 2029
47
days validity
Certificate Validity Roadmap
Now · 2025
398
days
Current max
COMING SOON
Mar 2026
200
days
~6 months
Mar 2027
100
days
~3 months
Mar 2029
47
days
ACME mandatory
Domain Control Validation (DCV) Reuse — Also Shortening
Type
Now
2026
2027
2029
Org identity
825d
398d
398d
398d
Domain/IP validation
398d
200d
100d
10d
Full Change Timeline
2015 — Historical
Maximum SSL validity was 5 years
Certificates could be issued for up to 5 years. Browsers began a steady push toward shorter lifetimes.
2020 — Past
Maximum lifetime reduced to 398 days
Apple, Google and Mozilla enforced a hard cap of 398 days. Certificates issued for longer were automatically distrusted by Safari, Chrome and Firefox.
April 11, 2025· Breaking
CA/Browser Forum approves Ballot SC-081v3
Apple's proposal mandates a phased reduction of both certificate validity periods and DCV reuse windows across all publicly trusted Certificate Authorities worldwide.
March 2026 — Phase 1 — NOW
Certificates: ~200 days · DCV reuse: 200 days
Certificate validity halves to ~200 days. Domain validation data reuse capped at 200 days. Begins in under 12 months — start planning automation now.
March 2027 — Phase 2
Certificates: ~100 days · DCV reuse: 100 days
A further halving — ~100 days (3 months). Without automation, organisations face regular outages from missed renewals.
March 2029 — Final State
Certificates: 47 days · DCV reuse: 10 days
The end-state: 47-day validity and 10-day DCV reuse. ACME-based automation is effectively mandatory for any organisation operating HTTPS.
Why Is This Happening?
🔐
Limit Compromise Windows
A stolen certificate can only be exploited for 47 days instead of 398.
🤖
Drive Automation
Short lifetimes make manual management impractical — ACME automation becomes the standard.
🌐
Accurate Domain Ownership
Frequent revalidation ensures only the legitimate owner controls the domain.
⚡
Crypto Agility
Faster rotation speeds adoption of stronger encryption standards.
What You Should Do Now
Step 1 — Audit All Certificates
Use the SSL Checker to verify every domain's expiry date and chain status.
Step 2 — Identify Manual Processes
List every server where certificates are renewed manually — your highest-risk points.
Step 3 — Implement ACME
Deploy Certbot, Caddy, or CA-provided ACME tooling before March 2026.
Step 4 — Monitor & Alert
Set up expiry alerts at 30, 14 and 7 days as a safety net.
Frequently Asked Questions
Will I need to buy a new SSL certificate every 47 days?
No — purchasing frequency does not change. You can still buy a 1-year or multi-year certificate. The shorter validity means you must reissue and reinstall more frequently, but reissuing is always free from your CA.
Does this affect certificates I already have installed?
Certificates issued before March 2026 are not retroactively affected. Any certificate obtained from March 2026 onwards will be subject to the new maximum validity periods.
Does this apply to DV, OV and EV certificates?
Yes — all certificate types are subject to the new maximums. EV holders will need more frequent reissuance, making automation particularly important.
Will Let's Encrypt still work?
Yes. Let's Encrypt already issues 90-day certificates via ACME automation. If you already use Certbot, you are already prepared for the shorter lifecycle phases.
What should I do right now?
Use the SSL Checker and DNS Scanner on this site to audit your certificates and DNS setup. Begin deploying an ACME client on servers that still use manual renewal before March 2026.
Use Our Free SSL & DNS Tools
Check certificates, scan DNS, generate CSRs — all free, no account required.