Certificate lifetimes drop to 47 days
By 2029, every public TLS certificate must be renewed at least every 47 days. This was adopted by the CA/Browser Forum in SC-081v3 and applies to all publicly trusted certificate authorities.
Timeline for shorter lifetimes
March 15, 2026
Maximum certificate validity drops to 200 days. DCV reuse drops to 200 days.
DigiCert implements early on February 24, 2026 at 199 days. Sectigo and GlobalSign follow in March.
March 15, 2027
Maximum certificate validity drops to 100 days. DCV reuse drops to 100 days.
In practice, you should renew around every 85 days to maintain a safety margin.
March 15, 2029
Maximum certificate validity drops to 47 days. DCV reuse drops to 10 days.
This requires renewal roughly every 40 days and domain validation roughly every 10 days.
There is no 2028 phase. The reduction goes from 100 days in 2027 directly to 47 days in 2029.
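The schedule above, as an added example (not sslbrain code): it looks up the limit in force on an issuance date, flags certificates longer than that limit, and simulates a renewal chain across the cutoffs. The function names, the 15% safety margin (chosen because it reproduces the 85-day and 40-day intervals mentioned above) and the whole-day comparison are assumptions of this sketch.

```python
from datetime import date, timedelta

# Schedule as stated on this page: (effective date, max validity, DCV reuse), in days.
# The 398-day baseline is the table's 2025 column; the page gives no DCV reuse
# figure for that period, so it is None here.
SCHEDULE = [
    (date(2029, 3, 15), 47, 10),
    (date(2027, 3, 15), 100, 100),
    (date(2026, 3, 15), 200, 200),
    (date.min, 398, None),
]
MARGIN_PCT = 15  # assumption: reproduces the page's 85-day and 40-day renewal intervals


def limits_on(issued):
    """Return (max_validity_days, dcv_reuse_days) in force on the issuance date."""
    for effective, max_days, dcv_days in SCHEDULE:
        if issued >= effective:
            return max_days, dcv_days


def exceeds_limit(issued, expires):
    """True if a certificate's lifetime is longer than allowed on its issuance date.
    Whole-day comparison, a simplification of how CAs count validity."""
    return (expires - issued).days > limits_on(issued)[0]


def plan_renewals(first_issue, until):
    """Simulate renewals, always requesting the maximum lifetime and renewing
    MARGIN_PCT of that lifetime before expiry. Returns (issued, expires, max_days)."""
    plan, issued = [], first_issue
    while issued < until:
        max_days, _ = limits_on(issued)
        expires = issued + timedelta(days=max_days)
        plan.append((issued, expires, max_days))
        issued = expires - timedelta(days=max_days * MARGIN_PCT // 100)
    return plan


if __name__ == "__main__":
    plan = plan_renewals(date(2026, 1, 10), date(2030, 1, 1))  # constructed start date
    for year in range(2026, 2030):
        lifetimes = sorted({m for i, _, m in plan if i.year == year}, reverse=True)
        count = sum(1 for i, _, _ in plan if i.year == year)
        print(f"{year}: {count} issuances, lifetimes in use: {lifetimes}")
```

A certificate issued the day before a cutoff keeps the older, longer lifetime until it expires, so the first renewal after each date is the one that picks up the new limit.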
Renewal volume grows exponentially
The number of certificate renewals per year increases significantly with each phase. Estimates below assume one certificate per server.
| Servers | 2025 (398 days) | 2026 (200 days) | 2027 (100 days) | 2029 (47 days) |
|---|---|---|---|---|
| 10 | ~10/yr | ~18/yr | ~37/yr | ~78/yr |
| 50 | ~46/yr | ~91/yr | ~183/yr | ~389/yr |
| 200 | ~184/yr | ~365/yr | ~730/yr | ~1,554/yr |
Why manual processes do not scale
Cron jobs and scripts
A certbot script on a single server works fine. But 200 servers with different platforms, key types, and CA requirements need central orchestration. A failed script is typically discovered only when the certificate expires.
Key person dependency
When renewal depends on one person, vacation, illness, or a job change creates risk. With 47-day certificates, there is no margin. One missed certificate causes downtime within weeks.
No centralized monitoring
Without central monitoring, problems surface when users report errors. With shorter lifetimes, this happens more often. A dashboard showing all certificates across your infrastructure is no longer nice to have. It is a requirement.
Network appliances are the hardest
Web servers with certbot or ACME clients often manage fine. Network appliances are where automation breaks down.
FortiGate, F5, NetScaler, Palo Alto
These devices typically lack native ACME support. Certificate renewal requires API calls or CLI access, often with vendor-specific formats and constraints. Each vendor works differently.
Exchange, IIS, ADFS
Windows servers running Exchange or IIS require certificate installation via PowerShell or MMC, followed by service binding. This can be automated, but requires an agent running locally with the right permissions.
Heterogeneous environments
Most organizations run a mix of Linux, Windows, appliances, and cloud services. A solution that only covers one platform just moves the problem somewhere else.
How sslbrain handles it
Central scheduler
sslbrain runs a central scheduler that automatically renews certificates before they expire. You configure each certificate once. The scheduler adapts to current validity periods automatically, whether that is 200, 100, or 47 days.
ACME proxy
sslbrain Cloud acts as an ACME proxy for paid CAs (DigiCert, Sectigo, GlobalSign). Your sslbrain speaks ACME regardless of which CA issues the certificate. If you switch CAs, your configuration does not change.
Agents for every platform
sslbrain provides agents for Linux (SSH), Windows (WinRM and Service Agent), and network appliances via API. Certificates are installed automatically on the right platform in the right format.
Monitoring and alerting
All certificates are monitored centrally. You can see the status of every certificate across your entire infrastructure in a single dashboard. Alerts are sent on failure, so you do not discover problems through user complaints.
Set up now, be ready for 2029
Configure your certificates once. When validity periods drop to 100 days and then 47 days, sslbrain automatically adjusts the renewal frequency. Your configuration does not change.
It is the same setup whether certificates last 200 days or 47 days. The only difference is that sslbrain renews them more often.