Introduction
47-day SSL certificates are reshaping web security operations: shorter lifetimes force automation, vendor decisions, and process redesign to keep services reliable.
Context
Certificate lifespans have steadily decreased from multi‑year validity to the ~398‑day era and now toward a staggered timeline ending at 47 days by 2029. Browsers and the CA/Browser Forum justify reductions to reduce exposure from compromised certificates and the weaknesses of traditional revocation methods like CRL and OCSP.
Quick definition
47‑day SSL certificates are TLS credentials valid for at most 47 days, intended to improve security and enable faster cryptographic rollovers.
Why this is happening
Browser vendors—most notably Apple—have driven shorter maxima, forcing industry compliance. Shorter lifespans also prepare infrastructure for larger migrations such as post‑quantum cryptography, which will require rapid, large-scale certificate transitions.
The Problem / Challenge
Operationally, moving from ~398 days to 47 days increases renewal frequency by over 8x. Many organizations lack full automation, and legacy or embedded systems are particularly hard to update in tight cycles.
- Governance lag: change approvals can exceed certificate lifespans
- Embedded devices and medical systems may be impractical to update monthly
- ACME implementation faces restrictions: port access, DNS API, and load balancer limitations
Solution / Approach
Automation is central: adopt ACME where feasible, use DNS APIs for challenges, and select vendors that bridge cloud and on‑premises environments. Practical steps:
- Deploy ACME clients and test in staging
- Automate distribution to proxies, load balancers, and CDNs
- Catalog systems and separate public vs internal certificate needs
- Plan fallback for non‑automatable embedded devices
Vendors and options
Options range from free (Let's Encrypt) to CDN-managed (Cloudflare) and enterprise platforms (DigiCert, Sectigo, ZeroSSL, CertKit). Each offers different integration levels for ACME, legacy hardware, and monitoring.
Enterprise, the missing middle, and embedded systems
Large enterprises may implement internal PKI or buy full-suite management; the "missing middle"—manufacturers, local services, mid-size companies—face complex, mixed environments and limited budgets. Embedded and regulated devices pose the hardest constraints and may require internal PKI or special operational exemptions.
Operational checklist
- Inventory all certificates and their dependencies
- Prioritize automation for public endpoints and critical infrastructure
- Consider internal PKI for air‑gapped or heavily regulated systems
- Validate automated renewals in preproduction
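The inventory and prioritization steps above can be turned into a small triage script. This is an added example, not part of the original article: the hostnames, dates, the `automated` and `approval_days` fields, and the renew-at-two-thirds-of-lifetime rule are all assumptions chosen for illustration.

```python
import ssl
from datetime import datetime, timedelta, timezone

MAX_VALIDITY = timedelta(days=47)   # maximum lifetime discussed in the article
RENEW_FRACTION = 2 / 3              # assumption: renew after two thirds of the lifetime

# Constructed inventory. Dates use the string format of ssl.getpeercert();
# "automated" and "approval_days" are hypothetical fields you would record yourself.
INVENTORY = [
    {"name": "www.example.test", "automated": True, "approval_days": 0,
     "notBefore": "Mar  1 00:00:00 2029 GMT", "notAfter": "Apr 17 00:00:00 2029 GMT"},
    {"name": "plc-gateway.example.test", "automated": False, "approval_days": 21,
     "notBefore": "Jun  1 00:00:00 2028 GMT", "notAfter": "Jul  4 00:00:00 2029 GMT"},
    {"name": "intranet.example.test", "automated": False, "approval_days": 21,
     "notBefore": "Mar 20 00:00:00 2029 GMT", "notAfter": "May  6 00:00:00 2029 GMT"},
]

def parse_cert_time(value):
    """Convert a certificate time string to an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)

def assess(entry, now):
    """Return the list of findings for one inventory entry at time `now`."""
    not_before = parse_cert_time(entry["notBefore"])
    not_after = parse_cert_time(entry["notAfter"])
    lifetime = not_after - not_before
    renew_at = not_before + lifetime * RENEW_FRACTION
    findings = []
    if lifetime > MAX_VALIDITY:
        findings.append("validity-exceeds-47d")
    if now >= not_after:
        findings.append("expired")
    elif now >= renew_at:
        findings.append("renewal-due")
    # Governance lag: a manual change approval has to fit between renew_at and expiry.
    if not entry["automated"] and timedelta(days=entry["approval_days"]) >= not_after - renew_at:
        findings.append("approval-exceeds-renewal-window")
    return findings

def assess_inventory(inventory, now):
    """Map each certificate name to its findings."""
    return {e["name"]: assess(e, now) for e in inventory}

if __name__ == "__main__":
    now = datetime(2029, 4, 5, tzinfo=timezone.utc)  # constructed "today"
    for name, findings in assess_inventory(INVENTORY, now).items():
        print(f"{name}: {', '.join(findings) or 'ok'}")
```

The third entry shows the governance problem directly: a 21-day approval cycle cannot fit into the roughly 16-day renewal window of a manually managed 47-day certificate.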
Conclusion
The shift to 47-day SSL certificates moves internet security from periodic maintenance to continuous automation. Organizations that act now to automate and consolidate certificate workflows will improve resilience and readiness for future cryptographic changes; those who delay risk outages and rising operational costs.
FAQ
- How will 47-day SSL certificates affect my infrastructure?
  They require far more frequent renewals, making automation essential to avoid downtime and manual errors.
- Can I use ACME to manage 47-day SSL certificates?
  Yes; ACME is the standard automation path, but it needs HTTP/DNS access and adjustments for legacy systems.
- Do CDNs eliminate the operational burden of 47-day certificates?
  Often they do: CDNs like Cloudflare handle certificate management when traffic is routed through their network.
- What about embedded or medical devices that cannot be updated every 47 days?
  Consider internal PKI or exemptions; balance regulatory constraints with practical maintenance plans.
- Which vendors best support the transition to 47-day SSL certificates?
  Choices include Let's Encrypt for free ACME, CDN providers for managed certs, and enterprise vendors for full lifecycle management; suitability depends on your environment.