
47-Day Public TLS Certificates

Strategy, Automation, and Risk Management

Discuss your automation roadmap and challenges

The 47-Day Mandate: What’s Changing?

47-Day Certificate Automation
Public TLS certificates will soon have a maximum validity of 47 days. This change, driven by major browser vendors and adopted by the CA/Browser Forum, means certificates must be renewed and deployed roughly monthly by 2029. Manual Certificate Lifecycle Management (CLM) will become unsustainable, making automation a critical business necessity for every enterprise.

Phased Timeline

The transition is being implemented in phases, providing a runway for strategic planning, but demanding action now, especially for organizations managing high certificate volumes (10,000+).

  • 31 Dec 2025
    • Baseline (Pre-Mar 2026)
      • 398-day validity with roughly one renewal per host each year.
  • 15 Mar 2026
    • 200-Day Transition
      • 200-day validity with about two renewals per host annually.
  • 15 Mar 2027
    • 100-Day Milestone
      • 100-day validity with around four renewals per host annually.
  • 15 Mar 2029
    • 47-Day Era
      • 47-day validity with renewals about every month.
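
As an added example (not part of the original page), the following Python turns the timeline above into a check a certificate owner can run against an inventory: it returns the validity limit in force on a certificate's issue date, flags certificates that exceed it, and marks those past their renewal point or already expired. The two-thirds-of-lifetime renewal point, the hostnames and the report date are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
UTC = timezone.utc
# Maximum validity a public CA may issue from each effective date (page timeline).
PHASES = [(datetime(2026, 3, 15, tzinfo=UTC), 200),
          (datetime(2027, 3, 15, tzinfo=UTC), 100),
          (datetime(2029, 3, 15, tzinfo=UTC), 47)]
BASELINE_MAX_DAYS = 398  # limit in force before 15 Mar 2026
RENEW_FRACTION = 2 / 3   # assumption: renew at two thirds of lifetime, a common ACME client default

@dataclass
class Cert:
    host: str
    not_before: datetime
    not_after: datetime
    @property
    def lifetime_days(self) -> int:
        return (self.not_after - self.not_before).days

def max_validity_on(issued: datetime) -> int:
    """Largest validity (days) a publicly trusted cert issued on this date may have."""
    limit = BASELINE_MAX_DAYS
    for start, days in PHASES:
        if issued >= start:
            limit = days
    return limit

def renewal_point(cert: Cert) -> datetime:
    """Instant from which automation should be renewing this certificate."""
    return cert.not_before + timedelta(days=cert.lifetime_days * RENEW_FRACTION)

def renewals_per_year(validity_days: int) -> float:
    """Renewals per host per year when renewing at RENEW_FRACTION of the lifetime."""
    return 365 / (validity_days * RENEW_FRACTION)

def audit(inventory: list, now: datetime) -> list:
    """Flag certs longer than the limit in force at issuance, due for renewal, or expired."""
    return [{"host": c.host,
             "lifetime_days": c.lifetime_days,
             "exceeds_limit": c.lifetime_days > max_validity_on(c.not_before),
             "renewal_due": now >= renewal_point(c),
             "expired": now >= c.not_after} for c in inventory]
# Constructed inventory and report date for illustration; hostnames are placeholders.
INVENTORY = [
    Cert("web1.example.test", datetime(2029, 4, 1, tzinfo=UTC), datetime(2029, 5, 18, tzinfo=UTC)),    # 47 days
    Cert("legacy.example.test", datetime(2029, 4, 1, tzinfo=UTC), datetime(2029, 6, 30, tzinfo=UTC)),  # 90 days
    Cert("api.example.test", datetime(2029, 4, 20, tzinfo=UTC), datetime(2029, 6, 6, tzinfo=UTC)),     # 47 days
]
AUDIT_DATE = datetime(2029, 5, 3, tzinfo=UTC)
REPORT = audit(INVENTORY, AUDIT_DATE)  # one dict per certificate for the constructed inventory
```

In the constructed inventory, only the 90-day certificate exceeds the 47-day limit in force in 2029, and only the certificate issued on 1 April has passed its renewal point by 3 May.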

47-Day Certificate Readiness

Building automation and resilience for short-lived certificates

  • 1 - 1M certificates: renewal volume increase
  • 0 tolerable outages
  • 100% automation goal

Common Challenges for Enterprise CLM

Enterprises with complex, hybrid environments face significant hurdles in adopting machine identity automation at scale. Using public TLS certificates with 47-day validity for these identities magnifies those hurdles through sheer volume and compressed renewal timelines.

Enterprise CLM Challenges
“Ghost” certificates in legacy systems, shadow IT, or forgotten environments remain untracked, creating ticking time bombs for outages. Decentralized ownership across siloed teams leads to incomplete inventory.
Manual renewal processes inevitably lead to missed expirations, and the resulting downtime costs $5,600 to $9,000 per minute. Legacy systems lack native support for modern automation protocols.
Organizations struggle to determine when to automate public-facing certificates versus moving internal machine identities to Private PKI or PKIaaS for better governance and cost control.

Migration Strategy & Automation Protocols

Automation Protocols and Platforms

Automation & Vendor Ecosystem

Automation must be a strategic fit. We ensure your solution works within your current ecosystem, while also providing the necessary guidance and expert support to implement essential best practices and protocols, setting a strong foundation for future growth.

Core Automation Protocols

  • ACME (Automated Certificate Management Environment)
    • Description: Open standard for web server automation via REST/HTTPS.
    • Primary enterprise use case: High-volume, public-facing TLS (web servers, cloud workloads).
  • EST (Enrollment over Secure Transport)
    • Description: Modern, highly secure successor to SCEP, using TLS mutual authentication.
    • Primary enterprise use case: Internal device/IoT enrollment, enterprise PKI, modern MDM.
  • SCEP (Simple Certificate Enrollment Protocol)
    • Description: Older protocol, simple but less secure (relies on a shared secret), with no native revocation.
    • Primary enterprise use case: Legacy devices, basic network equipment.
  • CMP (Certificate Management Protocol)
    • Description: Feature-rich, complex protocol supporting the full lifecycle and key recovery.
    • Primary enterprise use case: High-assurance private PKI, government, and military systems.

Key PKI/PKIaaS and CLM Vendors and Systems

We provide vendor-independent advice to navigate this complex landscape, focusing on integration capabilities, scalability, and cost-effectiveness for your volumes.

  • Dedicated CLM Platforms
    • Representative vendors/systems: Venafi (CyberArk), Keyfactor, AppViewX
    • Key strategy focus: End-to-end orchestration, discovery, policy, and automation across multi-CA, multi-cloud environments.
  • Public CAs / PKIaaS
    • Representative vendors/systems: DigiCert, Sectigo, GlobalSign, Entrust
    • Key strategy focus: Sourcing public certificates and managed services for private, internal trust roots (PKIaaS).
  • Cloud/DevOps PKI
    • Representative vendors/systems: AWS Private CA, Google Cloud CA, HashiCorp Vault
    • Key strategy focus: Integration with cloud-native workflows and ephemeral machine identities (containers, serverless).
  • Internal / Legacy PKI
    • Representative vendors/systems: Microsoft AD CS, EJBCA
    • Key strategy focus: Migrating legacy internal PKI or building highly customized, self-managed environments.

Migration Journey

  • Phase 1
    • Identify
      • Establish certificate visibility, inventory, and ownership. Identify where automation is easy to implement and where it will be a challenge.
  • Phase 2
    • Pilots and Plans
      • Launch automation pilots for ACME, EST, CMP, and SCEP. Identify where you can, or must, move to private certificates.
  • Phase 3
    • Migrate and Scale
      • Migrate to automation, or out of the Web PKI where public trust is not required. Scale automation across all environments.
  • Phase 4
    • Monitor and Improve
      • Operate continuous automation, monitoring, and governance.

Supporting Capabilities

We provide comprehensive support across the entire certificate automation journey, from strategic planning to operational excellence.

Our recommendations are neutral and tailored to your existing infrastructure, ensuring the best technical and financial fit from the entire vendor landscape.
End-to-end automation for issuance, renewal, and deployment, including complex integrations for legacy and modern systems (ACME, EST, CMP).
Consulting on when to move internal identities to a private or shared PKIaaS for better governance, cost control, and operational flexibility.
Real-time monitoring and alerting integrated with your CLM to ensure 24/7 coverage and prevent missed renewals before they cause outages.
Detailed roadmaps and playbooks for staged migration, risk mitigation, and rapid adaptation across hybrid and multi-cloud estates.
CP/CPS updates, key hygiene reviews, and continuous audit-ready reporting to maintain alignment with industry and regulatory standards.

Ready to Prepare for 47-Day Certificates?

Let’s discuss your automation roadmap, certificate inventory, and transition strategy

Start the Conversation