From Years to Days: Preparing For The Future of TLS Certificates
Public TLS certificates have been getting shorter-lived for a decade. What was once a three- or even five-year certificate is today capped at 398 days, a little over a year. The next step is far more dramatic: the maximum lifetime drops to 47 days by March 2029, with the first reduction taking effect in March 2026.
For cloud, product, and security teams this is not an incremental policy change: it reshapes how certificates are issued, deployed, and renewed across internal and external services. Manual renewal will not keep up, and automation becomes a compliance necessity rather than a convenience.
This post provides a clear breakdown of what’s changing, why it’s happening, and when, along with practical advice on what teams should do to prepare. By the end, you’ll understand the industry drivers behind the change, the risks of standing still, and the steps to take now to future-proof your certificate management strategy.
Certificate Lifetime Reduction: What’s Changing, Why & When
The industry is moving to significantly shorter certificate lifetimes, and this has important implications for anyone using Let’s Encrypt or other public CAs. Below is a breakdown of what is changing, why now, and what product / cloud / security teams must do to stay ahead.
What The Changes Are
Following the CA/Browser Forum’s Ballot SC-081v3, the maximum validity period for publicly trusted TLS (SSL) certificates, and the related domain validation reuse period, will be reduced in three steps. The ballot binds publicly trusted CAs only; certificates from a private or internal CA are not covered by it, although the same automation is what makes internal services manageable.
Here’s the timeline:
Effective date | Maximum certificate validity | Domain Control Validation (DCV) reuse period*
---|---|---
Until 14 March 2026 | 398 days | 398 days
From 15 March 2026 | 200 days | 200 days
From 15 March 2027 | 100 days | 100 days
From 15 March 2029 | 47 days | 10 days
*The DCV reuse period is how long a CA may rely on an earlier proof of control over a domain name or IP address when issuing or renewing a certificate without validating it again.
Why These Changes Are Happening
There are several motivating factors behind this shift:
Reducing the Window of Risk: If a private key is compromised or a certificate is mis-issued, the certificate remains usable by an attacker until it expires. Shorter lifetimes shrink that window.
Encouraging Frequent Validation: The assertions in a certificate (domain control, organisational identity, and so on) need to be re-checked periodically. Reducing both the certificate lifetime and the validation reuse interval forces regular revalidation, so a certificate cannot outlive the facts it asserts for long (for example, after a domain changes hands).
Limitations of Revocation Mechanisms: Revocation checking is unreliable in practice. Many clients soft-fail (treat an unreachable OCSP responder as a pass) or never consult CRLs or OCSP at all, and revocation information propagates with delay. With short lifetimes a compromised certificate simply expires soon, so less depends on revocation working perfectly.
Promoting Automation: If certificates expire every few weeks rather than every year, manual renewal becomes untenable. The policy is therefore both a driver and a requirement for robust automation in certificate management.
Security & Compliance Pressure: Standards bodies, browser vendors, large cloud providers and others are pushing for stronger security practices. Reducing certificate lifetimes is a simple yet effective control. Organisations that lag behind may face compliance risk, auditor scrutiny, or even browser trust issues.
When The Changes Take Effect
As shown in the table above:
- The first phase begins on 15 March 2026, lowering the maximum validity to 200 days.
- A second reduction follows on 15 March 2027 (100 days).
- From 15 March 2029 the maximum validity period is 47 days and DCV reuse is capped at 10 days.
Why Automated Renewal Must Be In Place Before These Changes
Given the pace and scale of these changes, there are several reasons why organisations must have automated certificate issuance / renewal strategies in place before these future dates:
Increased Renewal Frequency: With lifetimes dropping steeply, certificates will need to be renewed far more often. A 47-day certificate renewed at the end of its life is reissued about 8 times a year (365/47); renewed at two-thirds of its lifetime, as ACME clients typically do, it is reissued around 12 times a year (every 31 days or so). Manual workflows will not keep up.
Error & Outage Risk: Human mistakes (missed renewals, failed validation, deployment lag) cost more when there is less slack. An unexpectedly expired certificate means a service interruption, and internal services, microservices and APIs are often the ones with the least monitoring.
Operational Overhead: Manual certificate tracking, auditing and renewal, especially across hybrid internal and external estates, becomes far more painful as expiry windows narrow.
Compliance and Audit Pressure: Organisations under ISO 27001 or similar frameworks will be expected to demonstrate that certificate management is reliable, documented and auditable. Automation makes that evidence easy to produce; manual processes increase the likelihood of non-conformance.
Security Practices: Frequent automated renewal also means frequent key rotation, provided the client generates a fresh key for each renewal, and the renewal pipeline is the natural place to keep TLS configuration (protocol versions, cipher suites) current rather than letting it drift alongside stale certificates.
Scalability: As the number of certificates grows (across clusters, microservices, internal tools, and so on), administration without automation becomes a bottleneck.
Suggestions For Preparing
To ensure that your organisation is ready for the shift, here are some practical actions:
- Build or improve your certificate inventory: know which certificates you have, where they are installed, who owns them, which CA issued them and when they expire.
- Use ACME clients (e.g. certbot, lego, Nimbus, etc.) configured to auto-renew. Set the renewal point relative to the certificate’s lifetime rather than as a fixed number of days: renewing once roughly a third of the lifetime remains (certbot’s default of 30 days for a 90-day certificate) scales down to about 16 days for a 47-day certificate, whereas a fixed 30-day threshold would renew a 47-day certificate almost as soon as it is issued. Prefer clients that honour ACME Renewal Information (ARI), which lets the CA tell the client when to renew.
- Automate deployment of new certificates to services (ingress, load balancer, internal services).
- Add monitoring and alerting for certificate expiry and renewal failures.
- Test failure and renewal paths ahead of time: DNS validation failures, missing permissions, services not reloaded to pick up the new certificate, and so on.
- Ensure your operations processes / CI/CD pipeline can handle more frequent certificate rotations.
- For compliance, make sure the audit trail captures issuance, validation results, renewals and deployments.
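The inventory and the renewal rule above are the two pieces most teams have to build themselves, and the one trap is carrying a fixed "30 days before expiry" threshold over to 47-day certificates. The Go program below is an added example (not code from the original post or from any ACME client): it parses a PEM certificate, records subject, SANs, lifetime and remaining days, decides whether renewal is due using a lifetime-relative rule, and flags any certificate whose lifetime exceeds the SC-081v3 cap for its issue date, using the schedule from the table above. The self-signed test certificate, the host name app.example.test and the 2/3 renewal fraction are constructed assumptions for the example; in production the PEM would come from a host, ingress or secret store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// SC-081v3 schedule from the table above: a certificate whose notBefore is on or after From may live at most MaxDays.
var schedule = []struct {
	From    time.Time
	MaxDays int
}{
	{time.Date(2026, 3, 15, 0, 0, 0, 0, time.UTC), 200},
	{time.Date(2027, 3, 15, 0, 0, 0, 0, time.UTC), 100},
	{time.Date(2029, 3, 15, 0, 0, 0, 0, time.UTC), 47},
}

// MaxValidityDays is the cap for a certificate issued at issuedAt (398 days before the first phase).
func MaxValidityDays(issuedAt time.Time) int {
	max := 398
	for _, p := range schedule {
		if !issuedAt.Before(p.From) {
			max = p.MaxDays
		}
	}
	return max
}

type Assessment struct {
	Subject       string
	SANs          []string
	LifetimeDays  float64
	RemainingDays float64
	NeedsRenewal  bool // the renewal point for this lifetime has passed
	ExceedsPolicy bool // longer than SC-081v3 allows for its issue date
}

// Assess judges one certificate at time now. renewFraction is the share of the lifetime after
// which renewal starts: 2.0/3 renews a 90-day certificate on day 60 and a 47-day one on day 31.
func Assess(cert *x509.Certificate, now time.Time, renewFraction float64) Assessment {
	// RFC 5280 counts the period from notBefore through notAfter inclusive.
	lifetime := cert.NotAfter.Sub(cert.NotBefore) + time.Second
	renewAt := cert.NotBefore.Add(time.Duration(float64(lifetime) * renewFraction))
	return Assessment{
		Subject:       cert.Subject.CommonName,
		SANs:          cert.DNSNames,
		LifetimeDays:  lifetime.Hours() / 24,
		RemainingDays: cert.NotAfter.Sub(now).Hours() / 24,
		NeedsRenewal:  !now.Before(renewAt),
		ExceedsPolicy: lifetime > time.Duration(MaxValidityDays(cert.NotBefore))*24*time.Hour,
	}
}

// ParsePEMCert returns the first CERTIFICATE block of a PEM file (the leaf in a bundle).
func ParsePEMCert(data []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(data)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE block in input")
	}
	return x509.ParseCertificate(block.Bytes)
}

// MakeTestCert builds a self-signed leaf with the requested lifetime: a constructed fixture for this example.
func MakeTestCert(cn string, notBefore time.Time, days int) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // P-256 keygen only fails if rand does
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(time.Duration(days)*24*time.Hour - time.Second), // inclusive whole days, as CAs do
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	issued := time.Date(2029, 4, 1, 0, 0, 0, 0, time.UTC) // the 47-day cap applies
	now := issued.Add(32 * 24 * time.Hour)
	for _, days := range []int{47, 90} {
		cert, err := ParsePEMCert(MakeTestCert("app.example.test", issued, days))
		if err != nil {
			panic(err)
		}
		a := Assess(cert, now, 2.0/3)
		fmt.Printf("%s %v lifetime=%.0fd remaining=%.1fd renew=%v exceedsPolicy=%v\n",
			a.Subject, a.SANs, a.LifetimeDays, a.RemainingDays, a.NeedsRenewal, a.ExceedsPolicy)
	}
}
```

On day 32 the 47-day certificate is already past its two-thirds point and is reported as due, while the 90-day one is not due yet but is flagged as exceeding the post-2029 cap. Wire the same two booleans into alerting: NeedsRenewal that stays true across two consecutive runs means the renewal job is failing, and ExceedsPolicy is a cheap pre-check that a CA or internal issuance pipeline is not handing out lifetimes that browsers will reject.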