
Certificate lifetimes are shrinking: What it means for your TLS/SSL strategy

Anna Webb

Head of Global Security Operations

Published: 11 June 2025

TLS certificate lifetimes are set to shrink significantly, bringing big changes to how organisations manage renewals. With the first deadline less than a year away, it’s time to review your processes and prepare for a more automated future.

TLS/SSL certificates. A pain to renew. A task to deploy and manage.

In recent years, the maximum certificate lifetime has been shrinking, creating a more frequent headache for many organisations.

Now, some companies might have a team in place dedicated to managing certificates. For most, however, it’s a handful of skilled IT staff picking up the task whenever it lands.

And then there’s always that one system, isn’t there? You know, the one that only one person can access or knows how to update. The infamous single point of failure (SPOF).

You might already be thinking about automating the process. You may even be halfway there. Either way, changes are coming that are going to force your hand.

What’s changing, and when?

In April this year, the CA/Browser Forum – the industry body of Certificate Authorities and browser vendors – voted to shorten the maximum lifetime of TLS certificates and their associated validation periods.

After several rounds of proposals, driven primarily by Apple, the schedule has now been set:

  • Until 15 March 2026: The current maximum TLS certificate lifetime remains 398 days
  • From 15 March 2026: New maximum lifetime drops to 200 days (including Domain Control Validation)
  • From 15 March 2027: Drops further to 100 days
  • From 15 March 2029: Just 47 days maximum

Find out more on Domain Control Validation here.

Why it’s happening: Trust, control, and risk

The rationale behind this change is all about strengthening trust. By reducing certificate validity periods, the aim is to tighten lifecycle management and reduce the risk of revoked or expired certificates being used in error.

In theory, it’s a security improvement. In practice, it’s an operational upheaval.

Manual renewal cycles of around a year have been tolerable for most IT teams. But 100-day or 47-day cycles? That’s unmanageable without automation.

And it’s unlikely to stop at automated renewals. You’ll need integration across systems, seamless deployment pipelines, and tighter monitoring to avoid lapses.

Final thoughts: Time to take stock

The first major milestone is less than a year away.

Now is the time to audit what you have, prioritise the systems that matter most, and begin testing automation for certificate renewal and deployment.
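
One way to start that audit, as an added example (not from the original article or from Kocho): a Python script that reads the output of `openssl x509 -noout -dates` for each certificate, checks its lifetime against the schedule above, and flags certificates whose next renewal will fall under a shorter maximum. The hostnames and dates are constructed sample data, and treating renewal as happening at expiry is an assumption.

```python
import math
import ssl
from datetime import datetime, timezone

UTC = timezone.utc
CURRENT_MAX = 398  # days, in force until 15 March 2026 (from the article)
# Later steps of the schedule as listed in the article: (effective date, max days).
SCHEDULE = [
    (datetime(2026, 3, 15, tzinfo=UTC), 200),
    (datetime(2027, 3, 15, tzinfo=UTC), 100),
    (datetime(2029, 3, 15, tzinfo=UTC), 47),
]

def max_lifetime_on(issued):
    """Maximum lifetime in days for a certificate issued at `issued`."""
    cap = CURRENT_MAX
    for effective, days in SCHEDULE:
        if issued >= effective:
            cap = days
    return cap

def parse_dates(text):
    """Parse `openssl x509 -noout -dates` output into (not_before, not_after)."""
    fields = dict(line.strip().split("=", 1) for line in text.strip().splitlines())
    def to_dt(value):
        return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), UTC)
    return to_dt(fields["notBefore"]), to_dt(fields["notAfter"])

def audit(dates_text):
    """Assumption: renewal happens at expiry, so the cap in force on notAfter applies."""
    not_before, not_after = parse_dates(dates_text)
    lifetime = math.ceil((not_after - not_before).total_seconds() / 86400)
    cap_at_renewal = max_lifetime_on(not_after)
    return {
        "lifetime_days": lifetime,
        "within_max_at_issuance": lifetime <= max_lifetime_on(not_before),
        "max_days_at_renewal": cap_at_renewal,
        "must_shorten": lifetime > cap_at_renewal,
    }

# Constructed sample inventory (hypothetical hosts, not real certificates).
INVENTORY = {
    "www.example.test": "notBefore=Jun 11 00:00:00 2025 GMT\nnotAfter=Jul 13 00:00:00 2026 GMT",
    "api.example.test": "notBefore=Jan  5 00:00:00 2026 GMT\nnotAfter=Apr  5 00:00:00 2026 GMT",
    "legacy.example.test": "notBefore=Apr  1 00:00:00 2026 GMT\nnotAfter=Apr  1 00:00:00 2027 GMT",
}
if __name__ == "__main__":
    for host, dates in INVENTORY.items():
        print(host, audit(dates))
```

Certificates with `must_shorten` set are the ones whose current renewal cadence will no longer be accepted at their next renewal, which makes them the first candidates for automation.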

The clock is ticking – and the manual approach simply won’t scale.

The good news: Kocho is here to help with advice and assistance with Certificate Lifecycle Management solutions.

Get in touch with the team today.

Key takeaways

  • TLS certificate lifetimes are shrinking significantly over the next four years.

  • From March 2026, certificates will only last 200 days, and just 47 days by 2029.

  • Manual management will no longer be viable, making automation essential.

  • Start by auditing your current certificates and planning your automation strategy.

  • Kocho can help with advice and assistance in making the transition.


Author

Anna Webb

Head of Global Security Operations

Anna has over 20 years’ experience in operations management, major incident management, and cyber security. CISSP qualified, Anna is officially a Security Changemaker (Microsoft Security Excellence Awards).
