Why 47-Day TLS Certificates Will Break Most Enterprises (Unless They Act Now)

There is a change coming to TLS certificates that most enterprise security teams are not ready for. And when it hits, the disruption will not be subtle. We are not talking about a minor inconvenience here. We are talking about outages, compliance failures, and security teams scrambling at 2 a.m. because a certificate expired and nobody caught it in time.

Let us walk through exactly what is changing, why it matters more than most organisations realise, and what the window to act actually looks like.

From 398 Days to 47 Days: The Timeline Nobody Is Talking About Enough

Right now, a publicly trusted TLS certificate can be valid for up to 398 days. That is roughly 13 months, which has historically given IT teams enough breathing room to track renewals manually, raise purchase orders, and get things done without a formal system in place.

That window is closing fast.

Apple introduced a landmark ballot proposal at the CA/Browser Forum in early 2025 to dramatically shorten the maximum allowed lifespan for TLS certificates. The Forum voted to adopt a phased reduction schedule that looks like this:

  • March 2026: Maximum validity drops to 200 days
  • March 2027: Drops further to 100 days
  • March 2029: Final reduction to 47 days, with Domain Control Validation (DCV) reuse capped at just 10 days

Google has publicly supported the direction. DigiCert, Sectigo, and other major Certificate Authorities are already preparing their issuance pipelines. The train has left the station.

The problem is that most enterprises are still standing on the platform, looking at their paper ticket.

Why 47 Days Is a Breaking Point for Manual Processes

Think about what a 47-day certificate lifespan actually means in practice. It means your team needs to renew every TLS certificate across your environment roughly eight times per year. Not once a year. Eight times.

Now multiply that by the number of certificates your organisation actually holds. According to research from Sectigo published in 2024, large enterprises manage an average of over 50,000 digital certificates. Many do not have accurate inventory of even half of them. Certificates exist in load balancers, API gateways, IoT devices, internal applications, edge nodes, and legacy systems that have not been touched in years.

Under the current 398-day regime, a missed renewal is painful but survivable. You might get a week of warning from monitoring tools. Someone catches it. Crisis averted.

Under a 47-day regime, the margin for error essentially disappears. A team that relies on calendar reminders or spreadsheet-based tracking will experience outages. It is not a matter of if. It is a matter of when and how many.

The Compliance Layer Makes This Worse

For organisations in regulated sectors, certificate expiry is not just an availability problem. It is a compliance event.

Financial institutions operating under MAS TRM, PCI-DSS, or DORA have obligations around cryptographic controls and the integrity of secure communications channels. An expired certificate on a customer-facing portal or an internal system handling payment data can trigger an incident report, an audit finding, or worse.

Healthcare organisations under HIPAA are in a similar position. If a TLS certificate on a system that transmits Protected Health Information lapses, that is not a routine operational error. It is a potential breach notification scenario.

The 47-day timeline does not change these compliance obligations. It simply shrinks the window in which manual processes can fail silently without anyone noticing.

What Most Enterprises Are Actually Doing Right Now

Here is the hard truth. A large portion of enterprise IT shops are still managing certificate renewals through a combination of spreadsheets, email reminders, and tribal knowledge. The person who set up the certificate three years ago is sometimes the only one who knows it exists.

Even organisations that have invested in some form of certificate visibility often lack the automation layer needed to act on what they can see. Visibility without automation is just an early warning system for problems you still cannot fix fast enough.

Some teams have leaned on their CA portal’s built-in renewal notifications, which is better than nothing, but still requires a human to act on every single alert, every single time, across every single certificate. At 47 days and eight renewals per year per certificate, that human overhead becomes genuinely unsustainable.

Automation Is Not Optional Anymore

The CA/Browser Forum’s timeline is, in part, a deliberate push toward a world where certificate management is automated by default. Shorter lifespans reduce the risk of long-lived compromised certificates going undetected. Automated renewal through protocols like ACME (Automated Certificate Management Environment) is already proven in environments like Let’s Encrypt, where it has been running at scale for years.

For enterprises, the shift requires more than just enabling ACME somewhere. It requires:

A complete, accurate inventory of every certificate in the environment, including those sitting on devices nobody has touched in 18 months. A centralised Certificate Lifecycle Management platform that can automate discovery, renewal, and deployment across heterogeneous infrastructure. Integration with existing workflows, including your CA, your ticketing system, and your monitoring stack. Governance controls that ensure no certificate falls outside policy, and that renewals are verified, not just triggered.

The organisations that build this capability now will treat the 2026 and 2027 milestones as a non-event. The ones that wait will face a scramble that gets progressively worse each year.

The Question Worth Asking Today

The 47-day certificate world is not a distant hypothetical. The 200-day milestone is less than a year away. If your current process would struggle to sustain renewals at 200 days, it will not survive 47.

The right question for any CISO, PKI team lead, or IT infrastructure manager to be asking right now is not whether to automate certificate management. That debate is settled. The question is how far behind the curve your organisation currently is, and how much runway you have left to close the gap before the first deadline arrives.

How ready is your organisation?

If you are not sure of the answer, that is itself an answer worth taking seriously. Sixscape works with enterprises to build certificate lifecycle management programmes that scale with reduced certificate lifespans, from inventory discovery through to fully automated renewal and deployment. Reach out to our team to find out where your organisation stands.