Executive summary: TLS certificates are about to get significantly shorter-lived. Starting 15 March 2026, newly issued public-trust certificates will max out at 200 days—and just three years later, that lifespan drops to 47 days. Backed by Google, Apple, and Mozilla, this shift aims to make the web safer through fresher data, faster failover, and forced automation. To keep pace—and stay secure—organizations need to inventory, automate, and integrate certificate management right now. Red Sift Certificates makes it easy to adapt and scale for this new reality.
Key takeaways:
- Certificate lifespans are shrinking fast: Starting March 2026, TLS certificates will last just 200 days—dropping to 100 days in 2027 and 47 days by 2029. This isn’t just a technicality—it fundamentally changes your renewal cadence and risk posture.
- Automation is now mandatory: With up to 7,500 renewals a year for large estates, manual processes will fail. Automate discovery, renewal, and recovery using tools like ACME and cloud-native APIs.
- Red Sift Certificates future-proofs your strategy: Helping you find every certificate, auto-renew them, and monitor for issues—so you stay secure, compliant, and ahead of looming expiry deadlines.
TLS certificates are set to expire faster, with the first change being less than a year away. On 15 March 2026, every newly issued public-trust TLS certificate must max out at 200 days.
One year later the ceiling drops again to 100 days, and by 15 March 2029 you’ll be renewing every 47 days. The decision, codified in CA/Browser Forum Ballot SC-081, sailed through in April 2025 with backing from Google, Apple, Microsoft, Mozilla and every major certificate authority. The simple reality? Any certificate you issue in the second half of 2025 will expire five months sooner than you planned the moment the rule takes effect.
How did we get here?
Certificate lifetimes have been shrinking for years: 5 years in 2018, 2 years in 2020, 13 months in 2021, and now this three-step sprint. The case for shorter validity is simple:
| Reason | Benefit |
| --- | --- |
| Fresh identity data | Organisations change names, addresses and IP blocks rapidly. Frequent re-issuance keeps the certificate ecosystem accurate. |
| Streamlined revocation | Browsers routinely skip Online Certificate Status Protocol (OCSP) and Certificate Revocation List (CRL) checks to save milliseconds. Expiry is the only revocation signal every client honours. |
| Crypto agility | When post-quantum algorithms ship, a 47-day roll-over means you can upgrade in weeks, not years. |
| Forced automation | At four (soon eight) renewals a year, manual spreadsheets collapse under their own weight. |
Industry leaders argue that short certificates are safer not because they never fail, but because they fail fast and visibly, encouraging automatic recovery.
The operational reality
Take an estate of 1000 certificates:
- Under today’s 398-day rule you plan roughly 1000 change windows per year.
- The 200-day cap doubles that to ~2000.
- Two years later you’re at ~3600.
- With 47 days you’re facing 7500 renewals annually.
And that’s before counting certificates you don’t know about—the ones embedded in staging sub-domains, mobile apps, forgotten IoT widgets or an engineer’s personal test site.
Remember the mid-April 2025 Zoom meltdown? A registrar mis-flagged zoom.us as serverHold, and 300 million users were locked out for almost two hours.
Five moves to make before March 2026
- Inventory everything—automatically: Use active scanning and public-log monitoring to discover every certificate, public or private, issued by any CA.
- Adopt Automated Certificate Management Environment (ACME) or native cloud Application Programming Interfaces (APIs): Most major Certificate Authorities (CAs), clouds and load balancers speak ACME. Script renewals now; you’ll thank yourself when the window shrinks to 47 days.
- Integrate renewal into Continuous Integration/Continuous Deployment (CI/CD): Treat certificates like code: version-control them, push with infrastructure-as-code and roll back instantly.
- Test expiry failure and auto-recovery: Stage an intentional lapse in a non-production environment. Verify that alerts fire, auto-renewals trigger and services restart with a fresh certificate.
- Educate developers and DevOps teams: Certificates touch every layer—from API gateways to build pipelines. Make sure anyone who spins up an endpoint understands the new shelf life.
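As an added example (not part of the original article and not Red Sift's code), the sketch below encodes the 200/100/47-day timetable given above, flags inventory entries whose lifetime exceeds the cap in force on their issue date, and simulates how often a single certificate is re-issued per calendar year. The hostnames, the inventory records and the "renew at two-thirds of lifetime" policy are assumptions made for illustration.

```python
from datetime import date, timedelta

# Caps and dates as stated in the article (Ballot SC-081), newest first.
SCHEDULE = [(date(2029, 3, 15), 47), (date(2027, 3, 15), 100), (date(2026, 3, 15), 200)]
PRE_2026_CAP = 398  # the article's "today's 398-day rule"


def max_validity_days(issued: date) -> int:
    """Longest lifetime allowed for a certificate issued on `issued`."""
    for effective, cap in SCHEDULE:
        if issued >= effective:
            return cap
    return PRE_2026_CAP


def over_cap(inventory):
    """Hosts whose certificate outlives the cap in force on its issue date."""
    flagged = []
    for host, not_before, not_after in inventory:
        lifetime = (not_after - not_before).days  # whole days; a simplification
        if lifetime > max_validity_days(not_before):
            flagged.append(host)
    return flagged


def renewals_by_year(first_issue: date, end: date, renew_at=2 / 3):
    """Count renewals per calendar year for one certificate that is re-issued
    at `renew_at` of each lifetime (an assumed policy, not from the article)."""
    counts, issued = {}, first_issue
    while True:
        issued += timedelta(days=int(max_validity_days(issued) * renew_at))
        if issued >= end:
            return counts
        counts[issued.year] = counts.get(issued.year, 0) + 1


# Constructed inventory: (host, notBefore, notAfter). Hostnames are placeholders.
INVENTORY = [
    ("api.example.test", date(2026, 3, 10), date(2026, 3, 10) + timedelta(days=398)),
    ("www.example.test", date(2026, 3, 20), date(2026, 3, 20) + timedelta(days=398)),
    ("shop.example.test", date(2027, 4, 1), date(2027, 4, 1) + timedelta(days=100)),
    ("iot.example.test", date(2029, 3, 15), date(2029, 3, 15) + timedelta(days=90)),
]

if __name__ == "__main__":
    print("over cap:", over_cap(INVENTORY))
    print("renewals per year:", renewals_by_year(date(2025, 7, 1), date(2030, 1, 1)))
```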
Get support with Red Sift Certificates
Red Sift Certificates makes it easy for businesses to stay ahead of the accelerating TLS certificate renewal cycle. With certificate lifetimes dropping to 200 days in 2026—and just 47 days by 2029—manual tracking and renewals simply won’t cut it.
Red Sift supports discovery and monitoring, which helps the renewal process across your entire infrastructure, keeping you secure and in sync, without the risk of human error or missed expiry dates. As an added value, Red Sift Certificates assesses the configuration of your deployed certificates to avoid any unintended vulnerabilities.
As the industry shifts toward shorter certificate lifespans, Red Sift Certificates ensures your organisation doesn’t just keep up—it leads. By integrating directly with ACME and native cloud APIs, it renews and deploys certificates seamlessly, reducing downtime and keeping you compliant. Dashboards track every certificate against the new 200/100/47-day standards, while real-time alerts surface issues before they reach your users. It’s proactive, scalable security built for the future of the web.
The time for action is now
The CA/Browser Forum gave a timetable, not a buffer. The 200-day rule lands during the budgeting season; the 100-day cut arrives as you prepare for next year’s holiday freeze; the 47-day sprint hits right before the 2030 financial year. The sooner you automate, the less these dates will matter.
Stay one step ahead today: Book a Red Sift Certificates demo and get started.