The future of digital security: 47-day certificate lifecycles are happening
The CA/B Forum’s approval of a 47-day maximum certificate lifespan marks a pivotal shift in digital security. While it presents operational challenges, it significantly strengthens online trust, drives automation, and reduces exposure to threats. This change compels organizations to modernize certificate management, improve agility, and adopt a security-first mindset over the next four years.
The passage of the CA/B Forum ballot approving a maximum certificate lifespan of 47 days is one of the most significant changes in the digital security industry in years. This decision will have profound implications for certificate management, security practices, and the long-term evolution of how organizations approach trust on the internet. While this change introduces new operational challenges, it also represents a critical step forward in strengthening online security and ensuring that digital identities remain trustworthy and resilient in an era of constant threats.
The evolution of certificate lifespans in the CA/B Forum
The process leading to this decision was a lengthy one, marked by extensive discussions, competing interests, and an ongoing struggle to balance security with practical implementation. The CA/Browser Forum - a consortium of certificate authorities (CAs) and the providers of browsers, operating systems and other software that use digital certificates - has long debated the optimal lifespan of SSL/TLS certificates. Historically, the maximum certificate validity has been reduced incrementally, beginning with the shift from a maximum of three years to two years, then from two years to one. Each of these reductions faced resistance, particularly from organizations concerned about increased administrative burden. Yet, over time, the security benefits have consistently outweighed the operational challenges, making these changes not only necessary but inevitable.
Browser vendors, including Apple, Google, and Mozilla, strongly supported the reduction, citing the necessity of agility in responding to emerging security threats. Sectigo was the only CA to sponsor the ballot. The final vote, with no “No” votes, demonstrated a clear industry-wide shift toward prioritizing security over convenience.
Why shorter certificate lifespans enhance security
The push for shorter certificate lifespans gained momentum in recent years, particularly as security researchers and industry leaders highlighted the risks associated with longer-lived certificates. When certificates remain valid for extended periods, attackers have a larger window to exploit compromised keys, outdated cryptographic algorithms, and vulnerabilities that could have otherwise been mitigated through renewal cycles. Shorter certificate lifespans force organizations to refresh their cryptographic keys more frequently, reducing exposure to potential threats and ensuring that the security infrastructure remains up to date.
Research has also shown a very real tendency for SSL certificate ownership and domain control to get out of sync, and potential exploits exist to capitalize on this disconnection. Shortening the maximum validity of an SSL certificate reduces this attack window.
Industry reactions and the push for automation
Now that the ballot has passed, the real work begins. Organizations that have not yet embraced automation will need to accelerate their adoption of certificate lifecycle management tools. The manual renewal process that may have been manageable under previous lifespan limits will become untenable under a 47-day cycle. Those who fail to adapt run the risk of service disruptions, compliance failures, and weakened security postures. This change is, in many ways, a catalyst for modernization - pushing the industry toward automation, better key management, and more streamlined security processes.
What the 47-day certificate policy means for the future
For the digital security industry, this decision represents a major inflection point. It underscores the reality that static security measures are no longer sufficient in an age of rapidly evolving cyber threats. Agility and proactive risk management must be at the core of modern security strategies. Certificate authorities, security teams, and IT administrators alike will need to rethink their approaches, ensuring that their infrastructures are capable of handling the increased cadence of certificate renewals while maintaining operational efficiency.
Beyond the technical implications, this shift also reflects a broader movement toward a security-first mindset across industries. The argument for longer certificate lifespans has historically been rooted in convenience, but convenience can no longer be the primary driver of security decisions. The adoption of shorter certificate lifespans is a recognition that the stakes are simply too high. Trust on the internet is built on the integrity and security of its underlying infrastructure, and the passage of this ballot strengthens that foundation.
The road ahead will not be without obstacles. Organizations will need to make significant investments in automation, education, and process improvements. Certificate authorities will need to support their customers through the transition, providing the tools and resources necessary to navigate this new reality. And, as has been the case with every previous reduction in certificate lifespans, there will be continued discussions about how to refine and improve these policies in the years to come.
The approval of the 47-day certificate lifecycle is more than just a technical change; it is a defining moment in the evolution of digital security. It signals a clear commitment to reducing risk, increasing agility, and fostering a more resilient internet. While challenges remain, the long-term benefits of this decision will far outweigh the initial hurdles, reinforcing the principle that security must always come first in an increasingly connected world.