Cover image showing TLS certificate expiry countdown

TLS Certificate Expiry is Changing: Why You Must Automate Now

In less than four years, public TLS certificates will only last 47 days. Manual renewals are dead. Automation is no longer optional. Here's what's changing and how to stay ahead.

🔐 The Timeline: Shorter and Shorter Certs

The CA/Browser Forum has formally agreed to reduce certificate lifespans incrementally. Backed by Apple, Google, and Mozilla, the roadmap is:

  • ✅ 2020: Capped at 398 days
  • 🔜 2026: Drops to 200 days
  • 🔜 2027: Reduced to 100 days
  • 🚨 2029: Final step to 47 days max

Browsers will reject any cert beyond those limits. You must adapt before enforcement hits.

⚙️ Why This Breaks Old Ops Models

Until now, many orgs have gotten away with semi-manual or slow renewal processes. But soon:

  • ❌ You can't rely on 12-month reminders
  • ❌ You can't bake certs into static builds
  • ❌ You can't assume ops will remember in time

Shorter expiry forces smarter systems: ACME-based automation, instant reloads, and central inventory tracking.

🚀 What You Should Do Right Now

  1. Audit all certs - inventory everything, especially obscure subdomains and legacy endpoints.
  2. Automate renewals using Let's Encrypt, ZeroSSL, or internal ACME-compatible tools.
  3. Hot-reload TLS in NGINX, Apache, HAProxy - no more manual restarts.
  4. Monitor expiry with Cert Spotter, Checkly, or your own API-based watchers.
  5. Test failure modes - simulate expired certs, network breaks, and blocked CRLs.

📉 Who's Already Doing It Right?

Major platforms like Cloudflare, GitHub, and AWS already automate cert rotation at scale. So can you. Use the same patterns:

  • Use short-lived certs on all public endpoints
  • Rotate keys as frequently as you rotate secrets
  • Make cert expiry a testable requirement in CI/CD
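A check that serves both the action list above (audit, monitor, test) and the CI/CD bullet: it classifies a cert by the cap in force on its issuance date (the schedule from the appendix table) and by how much of its lifetime is left. This is an added example, not the article's or any vendor's tooling; the one-third early-renewal margin and the function names are assumptions.

```python
"""Added example (not the article's own tooling): audit a TLS cert against
the CA/Browser Forum reduction schedule in the appendix and a renewal margin."""
import socket
import ssl
from datetime import datetime, timedelta, timezone

def utc(iso):
    """Parse 'YYYY-MM-DD' as a UTC datetime."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)

# Max validity by the date the cert's validity starts (notBefore),
# per Ballot SC-081v3 as summarised in the appendix table.
SCHEDULE = [(utc("2029-03-15"), 47), (utc("2027-03-15"), 100), (utc("2026-03-15"), 200)]
DEFAULT_MAX_DAYS = 398  # cap in force before 15 March 2026

def max_lifetime_days(not_before):
    """Return the longest validity (days) permitted for a cert issued at not_before."""
    for effective, days in SCHEDULE:  # newest cap first
        if not_before >= effective:
            return days
    return DEFAULT_MAX_DAYS

def audit(not_before, not_after, now, renew_fraction=1 / 3):
    """Return (status, days_remaining). 'too_long': validity exceeds the cap in
    force at issuance, so browsers will reject it; 'expired'; 'renew': less than
    renew_fraction of the lifetime is left (assumed early-renewal margin); 'ok'."""
    lifetime = not_after - not_before
    remaining = not_after - now
    if lifetime.days > max_lifetime_days(not_before):
        return "too_long", remaining.days
    if remaining <= timedelta(0):
        return "expired", remaining.days
    if remaining < lifetime * renew_fraction:
        return "renew", remaining.days
    return "ok", remaining.days

def audit_endpoint(host, port=443):
    """Network variant for a monitoring job: fetch the leaf cert and audit it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    nb = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    na = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return audit(nb, na, datetime.now(timezone.utc))

if __name__ == "__main__":
    print(audit(utc("2026-04-01"), utc("2026-09-30"), utc("2026-08-15")))  # ('renew', 46)
```

In a pipeline, fail the job on anything other than "ok" so an over-long or nearly expired cert never ships; `audit_endpoint` needs network access and is meant for the monitoring side.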

🔮 What This Means for the Future

By 2029, cert expiry will be as frequent as password rotation once was.

This pushes the ecosystem toward crypto agility, post-quantum certs, and eventually ephemeral credentials tied to device attestation or token binding.

Appendix: Certificate Expiry Reduction Timeline

The CA/Browser Forum ratified Ballot SC-081v3 in April 2025, formalising a stepwise reduction in TLS certificate validity periods. This decision is already reshaping the operational landscape for PKI infrastructure and DevOps teams worldwide.

Below is a summary of the upcoming changes:

Effective date           Max cert lifetime   Reuse limit for DCV / site info
Before 15 March 2026     398 days            398 days
From 15 March 2026       200 days            200 days
From 15 March 2027       100 days            100 days
From 15 March 2029       47 days             10 days

These changes aim to improve overall cryptographic hygiene, enforce tighter key rotation, and accelerate industry-wide adoption of certificate automation — particularly ACME-based renewal.

For more details, see:
