Public TLS certificate lifetimes have started the transition from 398 days to 200 days, as of March 2026. By 2029, certificate lifetimes are expected to shrink to just 47 days , following a unanimous vote from the CA/Browser Forum. This is quickly changing how enterprises manage certificates at scale.

What worked with near annual renewals will not work with a new 47-day timeline. Manual processes, unclear ownership, and limited visibility will lead to missed renewals, outages, and increased audit risk.

This change is designed to strengthen trust, reduce exposure to compromised certificates, and encourage modern, automated management practices across the ecosystem.

The CA/Browser Forum introduced this shift to address growing security risks tied to long-lived certificates. Shorter lifetimes limit the window of exposure if a certificate or private key is compromised, reduce reliance on revocation mechanisms that are often inconsistently enforced, and ensure organizations regularly rotate keys and validate domain ownership. The move also reflects the need to keep pace with increasingly automated, short-lived infrastructure and machine identities.

This shift is fundamentally changing how organizations approach public key infrastructure (PKI) and certificate lifecycle management (CLM). Rather than defaulting to public trust, organizations must first determine whether public trust is appropriate for each use case, or if private PKI is a better fit. Once evaluated, automation becomes essential for publicly trusted certificates, as manual processes can’t keep up with 47-day renewal cycles.

As we move towards a 47-day certificate era, it’s important for organizations to first consider how trust models align with use cases.

Public trust and private PKI operate under different policies, with operational risk largely determined by who sets and enforces those rules. In public trust, requirements are dictated by browser and platform providers like Google, Apple, Microsoft, and Mozilla, primarily to secure public internet traffic. As these certificate requirements evolve, organizations relying too heavily on public trust face growing operational complexity and risk.

With private trust, organizations maintain more control over PKI strategy. So, the first question should not be “How do we automate everything?” but rather “Am I using the right PKI for this use case?”

After evaluating current PKI strategy and shifting appropriate use cases to a private trust model, you can reduce the scope of what needs to be automated to meet public trust requirements.

Reducing certificate lifetimes creates significant new complexity for enterprises. Certificate renewal shifts from annually to once every six weeks, increasing the need for intervention at every stage.

Certificate volumes have also increased across enterprises as cloud and DevOps environments grow. This creates a challenge when large volumes of certificates are spread across fragmented, hard-to-track systems.

Most enterprises still rely on manual certificate tracking and calendar-based renewals. Across sprawling environments with a large volume of certificates, manual management is neither effective nor scalable for growing businesses.

The impact:

• Missed renewals leading to outages and downtime
• Increased incident response burden
• Greater risk to customer experience and revenue

The shift to 47-day TLS certificates gives organizations an opportunity not only to reassess public vs. private trust models, but also to move from manual processes to automated certificate lifecycle management to scale with evolving security needs in the post-quantum era.

Organizations that modernize early will:

• Prevent certificate-related outages
• Reduce operational risk and cost
• Improve compliance and audit readiness
• Scale securely across cloud and machine identities

Those that delay risk falling behind as manual processes become unsustainable.