47-Day TLS/SSL Certificates:
Are you ready?
As of March 2026, you will have to renew certificates every 200 days. In 2029, you'll have to renew every 47 days.
The Experts Explain
See a recorded Q&A with senior officers of CA/B Forum about the changes. LEARN MORE >>
The Rules Explained
A blog explains what the changes are and why they were made.
LEARN MORE >>
Automation is the Solution
Humans can’t keep up, so let your computers handle it.
LEARN MORE >>
Optional heading that can be visually hidden
Renewals Every Month? Only Automation Can Keep Up.
By 2029, certificates will live for just 47 days. The annual renewal cycle that once felt manageable is about to disappear.
Without automation, the risk of missed renewals, downtime, and outages skyrockets. But with DigiCert automation, certificate management runs seamlessly in the background-renewing, deploying, and staying compliant without the chaos.
Stay secure. Stay ahead. Automate now.
Optional heading that can be visually hidden
Consider a Private PKI
Public certificates aren’t always required. For internal systems, a private PKI gives you more flexibility and control.
- Set your own certificate policies, including longer lifespans than the 47-day public TLS limit
- Issue and manage certificates entirely within your own infrastructure
- Simplify operations by consolidating fragmented internal CAs
Optional heading that can be visually hidden
Get Off the Web PKI
Just as some public certificates should be on private PKI, others should be on a different public PKI. New ones are emerging.
The X9 PKI is designed for the financial industry, but may be extended to other applications. It was created by the financial industry through the recently launched X9 PKI Industry Forum so that non-browser financial applications would not be subject to rules designed for public browser certificates.
FROM CHAOS TO CONTROL:
Automating PKI for Modern Workflows
Our Automation Series is back with Season 2, a four-part deep dive into real-world integration scenarios that help teams streamline certificate management from end to end.
This season focuses on how automation unlocks seamless integrations across your ecosystem—simplifying workflows, reducing manual effort, and ensuring consistency at scale. Each session provides practical guidance and proven strategies your team can put to work immediately.
Answers to All Your Questions
The major one is that the maximum lifetime The major one is that the maximum lifetime for publicly trusted web server TLS/SSL certificates will drop from the current 398 days to 200 days in March 2026, to 100 days in March 2027, and then to 47 days in March 2029. Certificates issued before those dates will be good for the lifetime at the time they were issued.
- Q: What changes in certificate lifetime will happen?
- Q: What do I have to do in response to these changes and how urgent is it?
- Q: What is a private PKI and why would I use one?
- Q: Why would I adopt a full Certificate Lifecycle Management (CLM) system rather than manage the certificate automation myself?
- Q: What is the X9 PKI?
The Total Economic Impact of DigiCert ONE
Forrester estimates a composite organization achieved 312% ROI and a Net Present Value of $10.1M with DigiCert ONE.
Related Resources
DATASHEET
Simplify Private Trust
WHITEPAPER
Modernize Your PKI for Security, Efficiency and Agility
GUIDE
DigiCert X9 PKI
Contact Us
-
The most-trusted global provider of high-assurance TLS/SSL, PKI, IoT and signing solutions.
-
-
© 2025 DigiCert, Inc. All rights reserved.
Legal Repository Audits & Certifications Terms of Use Privacy Center Accessibility Cookie Settings