SSL Certificate Validity Changes 2025: How to Prepare Your Business Now
In this blog
In April 2025, the CA/Browser Forum approved Ballot SC-081v3, setting in motion a major change to the way public SSL/TLS certificates are issued and managed. The goal: reduce the maximum certificate validity to just 47 days by 2029. While that number may seem extreme today, the industry is moving quickly toward tighter security standards, and organizations need to start preparing now.
This transition is not just about security for its own sake. It reflects a broader push to reduce the window of exposure in the event of a certificate compromise, to encourage automation, and require better hygiene around certificate lifecycle management.
What's changing?
Currently, publicly trusted TLS certificates have a maximum validity of 398 days (approximately 13 months).
Starting in 2026, certificate lifespan limits will decrease in the following three phases:
March 15, 2026: Maximum validity drops to 200 days
March 15, 2027: Drops again to 100 days
March 15, 2029: Final limit set at 47 days
Alongside this reduction, the period for reusing domain validation will shrink to 10 days, requiring more frequent domain control checks by certificate authorities (CAs). Currently, CAs can reuse domain validation data for up to 398 days, aligning with the maximum certificate validity period. However, the CA/Browser Forum has also outlined a phased reduction in the domain validation reuse period:
March 15, 2026: Domain validation reuse period reduced to 200 days
March 15, 2027: Drops again to 100 days
March 15, 2029: Final limit set at 10 days
Why this matters
Shorter certificate validity means fewer opportunities for attackers to exploit stolen or misused keys. Recent incidents like the 2023 misuse of Ivacy VPN's code-signing certificate by a Chinese APT group and the 2024 Cisco breach exposing SSL certificates highlight just how dangerous compromised keys can be—and how critical it is to minimize their lifespan and manage them at scale. But it also presents a challenge: manual certificate management simply won't scale under this new model. If you are still tracking certificates with spreadsheets or managing renewals by hand, you are going to quickly fall behind.
Quantum computing threatens to significantly shorten the time required to break current encryption standards used in certificates, such as RSA 2048, which would undermine their security. While current quantum computers lack the power and stability needed to crack RSA 2048 encryption—meaning there is no immediate threat—experts estimate that practical quantum attacks capable of breaking such keys could emerge within the next decade. This looming future risk is another reason the industry is preparing by tightening certificate practices and making it easier to rotate keys more frequently. Shorter certificate lifespans are a foundational step toward a more agile, post-quantum cryptographic future.
If organizations do fall behind and certificates expire or are misconfigured, it can trigger security warnings in browsers, leading users to question the safety and legitimacy of the website as well as lead to your site being ranked further down in the results from the major search engines. These warnings and poor search rankings often result in abandoned sessions and lost business. As the certificate lifecycle becomes shorter, organizations will need to ensure they are consistently renewing and managing certificates to avoid these issues. The new standards will push organizations to be more proactive and reliable in their certificate operations, ensuring that users can trust their digital interactions.
How to prepare
Preparing for the upcoming SSL/TLS certificate validity reductions will involve multiple teams within IT to analyze processes, implement technology, and provide operational support. The following list recommends a set of tasks to begin preparing for the upcoming reductions:
Conduct a Discovery and Inventory of Certificates
Identify all certificates across your environment, including internal and third-party certificates. Establish a centralized inventory and monitoring process to track expiration dates, certificate authorities, and associated systems.
Automate Certificate Management
Use automated tools that handle discovery, issuance, and renewal at scale, especially across multi-cloud and hybrid environments.
Evaluate Infrastructure and Workflows
Review current systems and update processes to support faster renewal cycles and more frequent domain validations. The cost for any new systems or systems that require upgrades will need to be incorporated into future budget cycles.
Train and Align Teams
Ensure that your IT, security, and development teams understand the changes and are aligned on new processes and tools. If required, provide training (or access to third-party training resources) to various teams that will need to adjust processes, tools and even developed applications. Budget approvers may also need to be educated on the upcoming changes and impacts to the business to provide funding for new or upgraded hardware or software.
Audit Regularly
Monitor certificate health, expiration dates, and compliance with updated CA/Browser Forum rules to stay ahead of issues.
Depending on the size of the organization's Internet presence and data security requirements, these recommended tasks may require ongoing project/program management to ensure effective preparation.
Get ahead of the curve
The transition to 47-day certificates may feel aggressive, but it's coming — and the organizations that prepare now will find themselves at an advantage as the reduction phases take effect. By modernizing certificate management, businesses can reduce security risk, avoid costly outages, and demonstrate their commitment to secure digital communication.
In a world where quantum computing and evolving cyber threats are becoming part of the strategic risk landscape, agility in cryptographic operations is no longer optional — it is foundational. Preparing now ensures you will stay ahead rather than just keep up.