What is the 47-day mandate?
The 47-day mandate is the CA/Browser Forum's decision (ballot SC-081, approved April 2025) to shrink the maximum lifetime of public SSL/TLS certificates from 398 days down to 47 days, in steps: 200 days from March 2026, 100 days from March 2027, and 47 days from March 2029.
Why: shorter lifetimes limit how long a compromised or mis-issued certificate stays dangerous, and they push the ecosystem toward automation.
What it means in practice: renewing certificates by hand roughly eight times a year per certificate isn't sustainable — automation (ACME protocols like Let's Encrypt) becomes mandatory for websites, and the certificates that CAN'T be auto-renewed (internal systems, appliances, code-signing, anything with manual steps) become the dangerous ones. Those need explicit expiry tracking with owners and reminders, because their renewal frequency just went up sharply.