47-Day TLS/SSL Certificates: Are you ready?

As of March 2026, you will have to renew certificates every 200 days. In 2029, you'll have to renew every 47 days.

You Have Options

There are 3 ways for you to proceed:

Automation Is the Solution

The annual certificate renewal cycle you are used to is coming to an end. Starting in March 2026, the maximum lifetime will begin to drop. In 2029, you’ll have to renew certificates every month.

If you haven’t automated your certificate management, you are probably already experiencing outages as a result of missed renewals. This problem will get worse.

But there’s good news, too. DigiCert can help you to automate your certificate management. This will prevent even the outages you are getting with annual certificates.

Consider a Private PKI

Public certificates aren’t always required. For internal systems, a private PKI gives you more flexibility and control.

  • Set your own certificate policies, including longer lifespans than the 47-day public TLS limit
  • Issue and manage certificates entirely within your own infrastructure
  • Simplify operations by consolidating fragmented internal CAs

Get Off the Web PKI

Just as some public certificates should be on private PKI, others should be on a different public PKI. New ones are emerging.

The X9 PKI is designed for the financial industry, but may be extended to other applications. It was created by the financial industry through the recently launched X9 PKI Industry Forum so that non-browser financial applications would not be subject to rules designed for public browser certificates.

From Manual to Modern: Practical Steps to Automate Your PKI at Scale

Live automation demo series

This four-part series dives deep into practical, real-world automation scenarios. It’s designed to help teams streamline certificate management and prepare for what’s next: achieving crypto-agility and a modern PKI built for scale, automation, and compliance.

  • Part 1: We walk through installing automation clients on both Windows and Linux, laying the groundwork for certificate automation.
  • Part 2: We explore how to automate the DNS-01 challenge, comparing DIY methods using Certbot and API tokens with a fully integrated solution from DigiCert and UltraDNS.
  • Part 3: We focus on the tasks and environments where ACME alone doesn’t cut it.
  • Part 4: We explore real-world scenarios where organizations relied on public certificates but achieved greater efficiency, control, and scalability by transitioning to internal PKI.

Answers to All Your Questions

Q: What changes in certificate lifetime will happen?

The major one is that the maximum lifetime for publicly trusted web server TLS/SSL certificates will drop from the current 398 days to 200 days in March 2026, to 100 days in March 2027, and then to 47 days in March 2029. Certificates issued before those dates will be good for the lifetime at the time they were issued.

Q: What do I have to do in response to these changes and how urgent is it?

If you manage your certificates manually, it will start getting harder to keep up with the work next year. In 2029, it will be completely impractical to do so. You have 3 options based on your specific use case: Automate your certificate renewals, move the certificates to a private PKI, or, for certain applications, adopt the new X9 PKI.

Q: What is a private PKI and why would I use one?

A private PKI runs entirely within your own networks. It and the certificates it manages are not accessible or trustworthy outside your networks. If your certificates can work this way, then a private PKI is the most secure and appropriate solution for you.

Q: Why would I adopt a full Certificate Lifecycle Management (CLM) system rather than manage the certificate automation myself?

Automation using open-source tools and standards usually works but does not scale. If you have more than a few certificates, you need a system that can track all the certificates and make changes to policy and their management in a coordinated way. If not, and you need to make a change, you must work on every affected server individually. Also, only a professional CLM solution will provide discovery and inventory of certificates, policy management, and other critical features.

Q: What is the X9 PKI?

The X9 PKI is a public PKI, but independent of the Web PKI which is run by web browsers and the CA/B Forum. X9 is managed by an ANSI committee. It was designed to meet the needs of the financial services industry but is available to other industries and may meet their needs as well. In the short term, the main use case will be for mutual TLS (mTLS) communications among financial services and with their customers.

Related Resources

  • Datasheet: Simplify Private Trust
  • Whitepaper: Modernize Your PKI for Security, Efficiency and Agility
  • Guide: DigiCert X9 PKI