All renewal & expiry questions

What is the 47-day mandate?

The 47-day mandate is the CA/Browser Forum's decision (ballot SC-081, approved April 2025) to shrink the maximum lifetime of public SSL/TLS certificates from 398 days down to 47 days, in steps: 200 days from March 2026, 100 days from March 2027, and 47 days from March 2029.

Why: shorter lifetimes limit how long a compromised or mis-issued certificate stays dangerous, and they push the ecosystem toward automation.

What it means in practice: renewing certificates by hand roughly eight times a year per certificate isn't sustainable — automation (ACME protocols like Let's Encrypt) becomes mandatory for websites, and the certificates that CAN'T be auto-renewed (internal systems, appliances, code-signing, anything with manual steps) become the dangerous ones. Those need explicit expiry tracking with owners and reminders, because their renewal frequency just went up sharply.

Track the certs automation can't reach

Related questions