CA/B Forum Ballot SC-081: 47-Day TLS Certificate Validity — What Enterprise PKI Teams Need to Do
CA/Browser Forum Ballot SC-081 passed in March 2026, establishing a phased reduction of maximum TLS certificate validity from 398 days to 47 days by March 2029. This is the most significant change to TLS certificate management in a decade. Enterprise teams that rely on manual certificate renewal workflows will be most affected.
What Ballot SC-081 Changes
Ballot SC-081 establishes a phased reduction of maximum TLS certificate validity periods:
- March 15, 2026: Maximum validity reduced to 200 days (from 398 days)
- March 15, 2027: Maximum validity reduced to 100 days
- March 15, 2029: Maximum validity reduced to 47 days
- Domain Control Validation (DCV) reuse period also reduced in parallel
Why the CA/B Forum Made This Change
The primary driver is reducing the window of exposure for compromised certificates. A certificate with a 398-day validity that is compromised on day 1 remains valid for over a year unless actively revoked. With 47-day validity, the maximum exposure window is dramatically reduced.
A secondary driver is encouraging automation. Short-lived certificates are only practical with automated renewal (ACME protocol, SCEP, EST). The CA/B Forum is effectively mandating that the industry move to automated certificate lifecycle management.
Enterprise Impact
The 47-day validity requirement will break any manual certificate renewal workflow. Organizations that currently renew TLS certificates annually or semi-annually will need to renew approximately every 40 days to maintain a safety margin before expiration.
Internal PKI environments using Microsoft ADCS are not directly subject to CA/B Forum requirements — those rules apply to publicly-trusted CAs. However, organizations that use public CAs for internal services, or that want to align internal PKI practices with industry standards, should plan for this change.
Recommended Preparation
The 200-day limit is already in effect as of March 2026. If you have TLS certificates with validity periods over 200 days issued after that date, they will not be trusted by major browsers. Audit your certificate inventory now.
The 47-day validity requirement effectively mandates automated certificate lifecycle management for any organization using publicly-trusted TLS certificates. Organizations that have not invested in automation will face operational disruption as the phased deadlines approach.
1. Audit your TLS certificate inventory for certificates with validity over 200 days issued after March 15, 2026.
2. Evaluate ACME-compatible certificate management tools (Certbot, cert-manager, Venafi, Keyfactor) for automated renewal.
3. Identify all manual certificate renewal workflows and prioritize them for automation.
4. For internal ADCS environments, consider aligning internal TLS certificate validity to 90 days as a best practice.
5. Subscribe to CA/B Forum ballot notifications to track future changes.
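The audit in step 1 and the exposure-window reasoning in the "Why the CA/B Forum Made This Change" section both reduce to date arithmetic over the SC-081 schedule. The following is an added example written for this article, not a tool from the CA/B Forum or any vendor named above. It assumes a certificate inventory already exported as (name, notBefore, notAfter) records (the sample inventory is constructed), measures validity as notAfter minus notBefore in whole days rather than reproducing the Baseline Requirements' second-level accounting, and uses a 7-day renewal margin as an illustrative assumption that yields the article's "approximately every 40 days" cadence under the 47-day limit.

```python
from datetime import date

# SC-081 phased schedule as stated in the article: a certificate whose notBefore
# falls on or after each date may not exceed the listed validity in days.
# 398 days is the limit in force before the first step.
SC081_SCHEDULE = [
    (date(2026, 3, 15), 200),
    (date(2027, 3, 15), 100),
    (date(2029, 3, 15), 47),
]
PRE_SC081_LIMIT_DAYS = 398


def max_validity_days(not_before: date) -> int:
    """Maximum validity (days) allowed for a certificate issued on not_before."""
    limit = PRE_SC081_LIMIT_DAYS
    for effective, days in SC081_SCHEDULE:
        if not_before >= effective:
            limit = days  # later schedule steps override earlier ones
    return limit


def validity_days(not_before: date, not_after: date) -> int:
    """Validity period in whole days (assumption: BR second-level rules not modelled)."""
    return (not_after - not_before).days


def audit(inventory):
    """Flag certificates whose validity exceeds the limit in force at issuance.

    inventory: iterable of (name, not_before, not_after) tuples.
    Returns a list of dicts describing each non-compliant certificate.
    """
    findings = []
    for name, not_before, not_after in inventory:
        limit = max_validity_days(not_before)
        actual = validity_days(not_before, not_after)
        if actual > limit:
            findings.append({
                "name": name,
                "issued": not_before.isoformat(),
                "validity_days": actual,
                "limit_days": limit,
                "excess_days": actual - limit,
            })
    return findings


def renewal_interval_days(limit_days: int, margin_days: int = 7) -> int:
    """Renewal cadence that leaves margin_days before expiry (margin is an assumption)."""
    return limit_days - margin_days


def exposure_window_days(not_after: date, compromise_date: date) -> int:
    """Days a compromised, unrevoked certificate stays valid after compromise_date."""
    return max(0, (not_after - compromise_date).days)


# Constructed sample inventory (hostnames and dates are illustrative).
SAMPLE_INVENTORY = [
    ("legacy.example.com", date(2026, 1, 10), date(2027, 2, 11)),   # 397 days, pre-SC-081
    ("web.example.com",    date(2026, 4, 1),  date(2027, 4, 1)),    # 365 days, limit 200
    ("api.example.com",    date(2026, 4, 1),  date(2026, 9, 28)),   # 180 days, limit 200
    ("future.example.com", date(2029, 4, 1),  date(2029, 5, 20)),   # 49 days, limit 47
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print(f"{finding['name']}: {finding['validity_days']}d issued {finding['issued']}, "
              f"limit {finding['limit_days']}d (excess {finding['excess_days']}d)")
    print("Renewal cadence under 47-day limit:", renewal_interval_days(47), "days")
    # Exposure comparison from the article: compromise on day 1 of a 398-day vs 47-day cert.
    issued = date(2026, 1, 1)
    print("398-day cert exposure:", exposure_window_days(date(2027, 2, 3), issued))
    print("47-day cert exposure: ", exposure_window_days(date(2026, 2, 17), issued))
```

Running the audit against the sample inventory reports web.example.com and future.example.com; the legacy certificate is compliant because the 200-day limit applies only to certificates issued on or after March 15, 2026. Swap SAMPLE_INVENTORY for records exported from your CA or inventory tool to run the step-1 audit.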
The 47-day deadline is three years away, but the 200-day limit is already in effect. If you have not audited your certificate inventory for compliance with the current limit, start there. The organizations that will be most disrupted in 2029 are the ones that treat this as a future problem.
InsecurePlanet provides original technical analysis based on the sources listed below. This article does not claim facts beyond the cited source material.
