TLS Certificate News: Certificate Lifetimes Shrinking to 47 Days

The latest TLS certificate news means it’s time to take a closer look at how you manage website security and take advantage of automations.

The CA/Browser Forum has approved new TLS Baseline Requirements that will steadily shorten TLS certificate lifetimes over the next several years. By 2029, certificates will last just 47 days.

That’s a big change.

On the plus side, shorter certificate lifetimes improve trust and security across the internet. However, they also increase the risk of outages if your organization isn’t prepared to track and renew certificates more frequently.

For security teams, this TLS certificate news means you need to improve your certificate lifecycle management.

New TLS Certificate News: Lifetime Shortens in Staggered Schedule

TLS certificate changes will roll out as follows:

• Until March 15, 2026: Maximum lifetime of 398 days
• March 15, 2026: Maximum lifetime drops to 200 days
• March 15, 2027: Maximum lifetime drops to 100 days
• March 15, 2029: Maximum lifetime drops to 47 days

Major browser vendors like Apple Inc. and Google supported the change, arguing that shorter lifetimes help ensure certificate data stays accurate and trustworthy.

If your organization manages dozens—or hundreds—of domains, this TLS certificate news highlights the growing need for better visibility into where certificates exist and when they expire.

The Hidden Risk: Expired Certificates

While this change improves security, it also introduces a practical challenge you’ll need to manage certificate expiration outages.

When a TLS certificate expires, the impact can be immediate:

• Your website may stop loading securely
• Browsers may display security warnings
• APIs and applications may fail
• Customers may lose trust in your services

Many organizations already struggle to track certificates across cloud platforms, SaaS tools, and distributed infrastructure. With shorter SSL certificate validity periods, the risk of missing renewals increases dramatically.

Why Automation Is Becoming Essential

The CA/Browser Forum and browser vendors have been gradually reducing certificate lifetimes for years. Moving to 47-day certificates makes automated certificate lifecycle management essential.

Without centralized monitoring and automation, it becomes far too easy to overlook certificates deployed across:

• Cloud infrastructure
• Development environments
• Third-party services
• Legacy systems

As certificate lifetimes shrink, automation becomes less of a convenience and more of a requirement.

How Halo Security Helps Prevent Certificate Expiration

Our Halo Security EASM solution can help automate and manage these TLS certificate changes and continuously monitors certificates across your external attack surface so you don’t have to manually track them.

With Halo, you can automatically:

• Track TLS and SSL certificates across discovered external assets
• Maintain a centralized certificate inventory
• Receive alerts before certificates expire
• Identify weak ciphers and outdated encryption protocols
• View SANs, issuers, and certificate chains

Our Halo Security EASM platform also monitors additional website security elements, including HTTP headers, third-party scripts, cookies, forms, downloads, and links.

By continuously monitoring these components, you can prevent outages and maintain strong encryption across your web infrastructure.

What Security Teams Should Do Now

This TLS certificate news should serve as a wake-up call.

If you manage websites, applications, or cloud services, now is the time to modernize certificate management practices.

Start by:

• Inventorying all TLS certificates across external assets
• Implementing automated renewal workflows
• Monitoring encryption strength and configurations
• Using attack surface monitoring to track new domains and assets

Organizations that prepare early will avoid outages and security gaps as certificate lifetimes continue to shrink.

If you’re still relying on manual tracking, the risk of certificate expiration—and the outages that follow—will only increase.

Ensure Your Certificates Don’t Expire Unexpectedly

At Halo Security, our EASM platform continuously monitors TLS and SSL certificates across your external attack surface, alerts you before expirations occur, and identifies weak encryption or configuration issues before attackers do.