SSL/TLS certificate lifetimes are being reduced to 47 days by 2029, requiring organizations to automate renewal, monitoring, and certificate lifecycle management.

Why SSL/TLS Certificate Lifetimes Are Being Reduced

Last year it was widely reported that the CA/Browser Forum had voted to significantly reduce the lifespan of SSL/TLS certificates over the next 4 years, with a final lifespan of just 47 days starting in 2029. The first reduction will come into action in a few weeks, on March 15th 2026, accelerating the need for organizations to automate their monitoring and renewal processes around certificate expiry. The CA/Browser Forum is a group of certificate authorities (CAs) and software vendors, including major CAs such as DigiCert and GlobalSign, as well as browser vendors such as Google, Apple, Mozilla, and Microsoft.

SSL/TLS certificates are digital credentials that secure communication between a client and a server by encrypting data, authenticating the server’s identity, and ensuring data integrity. They enable HTTPS and protect sensitive information such as passwords, personal data, and payment details from interception or tampering. When a user connects to a secure site, the certificate is verified by a trusted Certificate Authority before an encrypted session is established.

Although commonly called SSL certificates, modern systems use TLS. When certificates expire without renewal, users see a warning on their browser informing them that their connection isn’t private or secure.

Why is the Lifespan of SSL/TLS Certificates Being Reduced?

The lifespan of SSL/TLS certificates is being reduced to improve security, reduce risk, and better align with modern, automated IT environments. Shorter-lived certificates limit the damage caused by compromised private keys, mis-issued certificates, or outdated / deprecated cryptographic standards, as any exposure window is significantly reduced. In principle, the reduction sets the expectation that organizations will automate, and it should encourage the adoption of automation for certificate issuance, renewal, and rotation, reducing human error and operational risks.

SSL/TLS Certificate Lifetime Reduction Timeline (2026–2029)

The reduction to a 47-day maximum lifetime for certificates will be phased in over the next few years according to a schedule of:

  • March 15, 2026: the maximum lifetime for a TLS certificate will be 200 days.
  • March 15, 2027: the maximum lifetime for a TLS certificate will be 100 days.
  • March 15, 2029: the maximum lifetime for a TLS certificate will be 47 days.

The current maximum certificate lifespan is 398 days.

What is Domain Control Validation (DCV) in SSL Certificates?

Domain Control Validation (DCV) is a process used by Certificate Authorities (CAs) to verify that an individual or organization requesting an SSL/TLS certificate actually controls the domain name for which the certificate is being issued.

Changes in DCV Reuse Period & Impact on Certificate Management

The changes in maximum certificate lifetime will also be accompanied by significant reductions in the DCV reuse period allowed, which will drop to 10 days by March 2029. The DCV reuse period is how long a CA will accept the same proof that you own and control a domain before it needs to be reverified. This means organizations will need to work on significantly tighter schedules within their certificate lifecycle processes.

Why Proactive SSL Certificate Monitoring is Critical

Monitoring SSL certificates for expiry is critical to avoid service disruptions, browser warnings, and user trust issues. An expired certificate can block access to your website or application, break secure connections, and cause compliance failures.

Certificate expiry can also disrupt APIs and services, leading to lost revenue or data exposure. Regularly checking which certificates are nearing expiry ensures continuity, maintains security, and supports compliance. Alerting in advance allows timely renewal and prevents last-minute emergencies.
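
The phased schedule and the expiry checks described above can be combined into a single inventory check. The following is an added example, not eG Enterprise code or part of the original article; it reads validity dates in the text form returned by Python's ssl getpeercert(). The host names, dates, the renew_fraction policy and the rule that each limit applies by issuance date are assumptions made for illustration.

```python
import ssl
from datetime import datetime, timezone
UTC = timezone.utc
# Schedule from the article, newest first: (effective date, max lifetime in days).
# Assumption: each limit applies to certificates issued on or after its date.
SCHEDULE = [(datetime(2029, 3, 15, tzinfo=UTC), 47),
            (datetime(2027, 3, 15, tzinfo=UTC), 100),
            (datetime(2026, 3, 15, tzinfo=UTC), 200)]
BASELINE_DAYS = 398  # maximum lifetime before the first reduction

def parse_cert_time(value):
    """Parse the 'Mar 20 00:00:00 2026 GMT' form returned by getpeercert()."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=UTC)

def max_lifetime_days(issued):
    """Maximum lifetime allowed for a certificate issued at `issued`."""
    for effective, days in SCHEDULE:
        if issued >= effective:
            return days
    return BASELINE_DAYS

def assess(cert, now, renew_fraction=1 / 3):
    """Classify one certificate; renew_fraction is a hypothetical renewal policy."""
    not_before = parse_cert_time(cert["notBefore"])
    not_after = parse_cert_time(cert["notAfter"])
    lifetime = (not_after - not_before).total_seconds() / 86400
    remaining = (not_after - now).total_seconds() / 86400
    limit = max_lifetime_days(not_before)
    if remaining < 0:
        status = "EXPIRED"
    elif lifetime > limit:
        status = "OVER_LIMIT"  # longer-lived than the schedule allows at issuance
    elif remaining <= lifetime * renew_fraction:
        status = "RENEW"       # inside the renewal window, scaled to the lifetime
    else:
        status = "OK"
    return {"status": status, "limit": limit, "days_left": int(remaining)}

# Constructed inventory: hypothetical hosts and dates, not real certificates.
INVENTORY = {
    "www.example.test": {"notBefore": "Mar 20 00:00:00 2026 GMT", "notAfter": "Oct  1 00:00:00 2026 GMT"},
    "api.example.test": {"notBefore": "Mar 20 00:00:00 2026 GMT", "notAfter": "Apr 22 00:00:00 2027 GMT"},
    "legacy.example.test": {"notBefore": "Mar  1 00:00:00 2026 GMT", "notAfter": "Apr  3 00:00:00 2027 GMT"},
    "old.example.test": {"notBefore": "Jul  1 00:00:00 2025 GMT", "notAfter": "Aug  1 00:00:00 2026 GMT"},
}

if __name__ == "__main__":
    for host, cert in INVENTORY.items():
        print(host, assess(cert, datetime(2026, 9, 1, tzinfo=UTC)))  # fixed clock
```

Scaling the renewal window to the certificate's own lifetime keeps the same check usable as lifetimes drop from 398 to 47 days, where a fixed "30 days before expiry" alert would fire for most of a certificate's life.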

How eG Enterprise Helps Monitor SSL/TLS Certificates

eG Enterprise V7.5 introduced a number of enhancements for SSL/TLS certificate monitoring. With eG Enterprise you can answer questions including:

  • Which SSL certificates are nearing expiry? Have any expired?
  • Which (if any) SSL certificates are privately signed?
  • Certificate Chain Validity – Are root/intermediate certificates valid? Are any nearing expiry?
  • Revocation Status – Have any certificates been revoked?
  • Signature Algorithm – Are any certificates using lower strength public keys?

Further details on the SSL/TLS certificate monitoring capabilities of eG Enterprise are covered in another blog post; see Advanced Proactive SSL Certificate Monitoring | eG Innovations.

SSL/TLS Certificate Expiry Reporting & Visibility

For those of you using eG Enterprise and looking to prepare for the changes on March 15th, you may want to access the ready-to-go SSL Certificate Expiry Report via the “Reporter” tab in the main eG Enterprise console. Navigate to the “Reports by Function” section and then to “Domain Specific Reports -> Security and Compliance -> SSL Certificate”.

Screenshot of the eG Enterprise built-in report on SSL/TLS certificate lifetimes and expiry timescales

The always-available, ready-to-go SSL/TLS Certificate Expiry Report within eG Enterprise will give you instant visibility of certificate validity.

Best Practices for Managing SSL/TLS Certificate Lifecycle

Best practices for managing SSL/TLS certificate lifecycles include automating discovery, issuance, renewal, and revocation, enforcing short-lived certificates, using centralized management platforms, integrating with DevOps pipelines, maintaining inventory visibility, monitoring expiry alerts, and ensuring strong key protection and compliance controls across systems.

Business Impact: Security, Compliance & Downtime Risks

With SSL/TLS certificate lifetimes shrinking to 47 days, organizations face increased operational pressure as renewal cycles become continuous and manual tracking becomes unsustainable. As covered in this article, expired or unmanaged certificates can quickly lead to service outages, broken APIs, and loss of secure connectivity. This increases security exposure, raises compliance risks, and significantly heightens the likelihood of downtime unless automation and proactive monitoring are implemented.

Frequently Asked Questions

1. Why are SSL/TLS certificate lifetimes being reduced?

The lifespan of SSL/TLS certificates is being reduced to improve security, reduce risk, and better align with modern, automated IT environments. Shorter-lived certificates limit the damage caused by compromised private keys, mis-issued certificates, or outdated / deprecated cryptographic standards, as any exposure window is significantly reduced.

2. What happens when an SSL certificate expires?

An expired SSL certificate causes trust failure, leading to browser warnings, blocked access, and service disruptions. In enterprise systems, it can halt authentication, APIs, and management operations until the certificate is renewed and redeployed. When certificates expire without renewal, users will see a warning on their browser informing them that their connection isn’t private or secure.

3. What is Domain Control Validation (DCV)?

Domain Control Validation (DCV) is a process used by Certificate Authorities (CAs) to verify that an individual or organization requesting an SSL/TLS certificate actually controls the domain name for which the certificate is being issued.

4. How often will certificates need renewal after 2029?

After March 15, 2029, the maximum lifetime for a TLS certificate will be 47 days.

5. How can organizations automate SSL certificate management?

Certificate providers usually offer advice and tools on how you can automate your management of SSL certificates. For example, DigiCert provides an overview of options here: How Do You Automate Certificate Management? | DigiCert FAQ, and information from Sectigo is available here: Enterprise SSL Certificate Management | Sectigo® Official.

6. What are the risks of not monitoring certificate expiry?

Not monitoring SSL certificate expiry is a significant risk that can lead to immediate website outages, severe reputational damage, and security vulnerabilities. As SSL certificate lifespans shrink—with public certificates moving to a 47-day maximum in March 2029—the risk of expired certificates causing service disruptions is accelerating.

7. How does eG Enterprise help in certificate monitoring?

eG Enterprise helps with certificate monitoring by continuously tracking SSL/TLS certificates across infrastructure, applications, and web services to prevent unexpected expirations and outages. Alerting and reporting mean that administrators can proactively address certificate lifecycle issues before services are impacted.

eG Enterprise is an Observability solution for Modern IT. Monitor digital workspaces,
web applications, SaaS services, cloud and containers from a single pane of glass.

About the Author

Ramesh is a Product Lead at eG Innovations with 15+ years of experience in enterprise Java development. He specializes in software architecture and monitoring technologies like Java APM, Real User Monitoring, and JMX. Passionate about clean code and scalability, he enjoys solving complex problems and sharing his expertise with the developer community.