QCecuring - Enterprise Security Solutions

47-Day Certificates Are Coming — Is Your Team Ready?

Certificate Lifecycle Management 10 Jul, 2026 · 03 Mins read

Google and Apple are pushing 47-day certificate lifespans. Manual processes will catastrophically fail. Here's what you need to automate now.


47-Day Certificates Are Coming — Is Your Team Ready?

Google’s Moving Forward proposal. Apple’s push for shorter validity periods. The CA/Browser Forum’s trajectory toward 47-day maximum certificate lifespans. This isn’t speculation — it’s an active, concrete industry direction with broad support.

And when it arrives, every manual certificate process in your organization will break. Not degrade. Break.


The Timeline

YearMaximum Cert LifespanRenewals/Year (per cert)
Pre-20202 years (825 days)0.5
2020-present1 year (398 days)1
Proposed Phase 1200 days2
Proposed Phase 2100 days4
Proposed Final47 days8

From 1 renewal per year to 8. That’s an 8x increase in certificate management workload for every single certificate.


Why Shorter Lifespans?

  1. Reduced exposure window. If a private key is compromised, a 47-day cert limits the attack window. Revocation (CRL/OCSP) is unreliable in practice — shorter lifespans are more effective.

  2. Forced automation. Manual processes work (barely) with annual renewals. They fail completely with 47-day rotation. The industry is explicitly forcing automation as a security baseline.

  3. Faster algorithm agility. When cryptographic standards change (post-quantum, key size increases), short-lived certificates allow faster ecosystem-wide rotation.


What Works Today (That Will Fail Tomorrow)

Current PracticeWorks at 1 YearWorks at 47 Days
Manual renewal via MMC/certutilYES (barely)NO
Spreadsheet trackingYES (stale but functional)NO
Quarterly certificate reviewsYES (catches most)NO
Email reminder to cert ownerYES (time to act)NO
Manual load balancer updatesYES (tolerable frequency)NO
One-person PKI managementYES (manageable volume)NO

Every single row fails. Not “becomes harder.” Fails completely.


The Math That Breaks Everything

300 certificates, current 1-year lifespan:

  • Renewals per year: 300
  • Average per week: ~6
  • Total annual workload: 150 hours (one engineer, manageable)

300 certificates, 47-day lifespan:

  • Renewals per year: 2,400
  • Average per week: ~46
  • Total annual workload: 1,200 hours (0.6 FTE doing nothing but renewals)

At 500 certificates: 1 full-time engineer doing nothing but renewals.

This is not sustainable manually. Period.

Renewal Workload Explosion

300 certificates: annual renewals & engineer hours as lifespans shrink

More renewals at 47 days vs 1 year

1,200 hrs

= 0.6 FTE doing nothing but renewals

What Breaks First

  1. Volume Overwhelm — 46 renewals per week exceeds human capacity
  2. Error Rate Increases — 2% error rate × 2,400 renewals = 48 problems/year
  3. Missed Renewals — Miss one week = 6-7 simultaneous expiries
  4. Staffing Crisis — Nobody stays in a role clicking through 46 renewals weekly
  5. Audit Nightmare — Documentation quality drops under firefighting conditions

What Must Be Automated

ProcessWhy It Can’t Be Manual
Certificate renewal request2,400/year impossible to trigger manually
CSR generationRepeatable, error-prone
Certificate deploymentCan’t hand-deploy 46 certs/week
Service bindingMust update automatically
Validation/testingCan’t manually verify 46 renewals/week
Rollback on failureToo frequent for manual intervention

The Transition Plan

Phase 1: Assessment (Now)

  • Inventory all certificates by renewal method (auto vs manual)
  • Calculate your environment-specific workload multiplier
  • Identify which certificates will be affected

Phase 2: Quick Wins (Months 1-3)

  • Enable auto-enrollment for all Windows certificates
  • Implement ACME for publicly-facing certificates
  • Automate load balancer certificate deployment

Phase 3: Full Automation (Months 3-6)

  • Automate remaining manual processes
  • Implement automated deployment verification
  • Test at increased rotation frequency

Phase 4: Optimization (Months 6-12)

  • Achieve target: less than 5% of renewals require human intervention
  • Build exception processes for certificates that can’t be automated
  • Reduce certificate count through consolidation

What About Internal Certificates?

“But 47-day maximums are for public TLS certificates. Our internal certs aren’t affected.”

Partially true. But:

  1. The security logic applies equally to internal certificates
  2. Tools and expectations will align — auditors will ask why internal certs lag behind
  3. If you build automation only for external certs, you maintain two processes
  4. Internal certificate lifespan reduction will follow within 2-3 years

The Bottom Line

47-day certificates will arrive. The timeline is 12-36 months for public certs. Internal practices will follow.

Your current workload × 8. That’s what’s coming. Can your current process survive that multiplier?

Start automating now, while you have the luxury of time.


47-day certificates aren’t a threat. They’re a forcing function for automation that should have happened years ago.


Tags: 47-Day Certificates, Short-Lived Certificates, Certificate Automation, ACME, PKI Automation, Certificate Lifecycle Management, CLM, Google Apple CA/Browser Forum

Automation Readiness Assessment

Evaluate which certificate processes can survive 47-day lifespans and which need automation.

Get Assessment

Related Insights

Certificate Lifecycle Management

How Many Internal Certificates Does Your Company Actually Have?

Most teams think they manage hundreds of internal certificates. The real number is usually 3-5x higher. That gap is where risk hides.

By Mani sri kumar

10 Jul, 2026 · 03 Mins read

Certificate Lifecycle ManagementCertificate Discovery

Certificate Lifecycle Management

The Real Cost of a Certificate Outage (It's Not Just Downtime)

Certificate outages cost $22K per incident when you factor in engineer hours, lost productivity, helpdesk surge, and compliance findings. See the full cost breakdown.

By Mani sri kumar

10 Jul, 2026 · 04 Mins read

Certificate Lifecycle ManagementEnterprise Security

Certificate Lifecycle Management

Certificate Issued ≠ Certificate Deployed: The Gap Nobody Tracks

Why a certificate issued by your CA doesn't mean it's deployed in production. The dangerous gap between issuance and deployment in AD CS environments.

By Mani sri kumar

10 Jul, 2026 · 04 Mins read

Certificate Lifecycle ManagementAD CS

Ready to Secure Your Enterprise?

Experience how our cryptographic solutions simplify, centralize, and automate identity management for your entire organization.

Stay ahead on cryptography & PKI

Get monthly insights on certificate management, post-quantum readiness, and enterprise security. No spam.

We respect your privacy. Unsubscribe anytime.