Resources · 47-Day Readiness Guide

A practical guide to the new renewal cadence.

TLS validity is dropping toward 47 days. This guide breaks down why, what it means operationally, and exactly how to prepare — with forecasting, a readiness checklist, and an executive planning framework.

Run a readiness assessment
Analyst-gradeChecklist includedUpdated 2026
renewal pressure · 12 weeksforecast
now+6 wks+12 wks
The path to 47 days
398d
today
200d
Mar 2026
100d
Mar 2027
47d
Mar 2029
Inside the guide

Everything you need
to get ready.

Why lifetimes are shrinking

The CA/Browser Forum’s path to 47-day validity and the security logic behind it.

Operational impact

How roughly 8× the renewal volume reshapes day-to-day certificate operations.

Renewal forecasting

Modeling your renewal load by week so spikes never surprise you.

Automation requirements

What must be automated — discovery, monitoring, renewal — to keep pace.

Team readiness checklist

A concrete checklist to assess whether your team is prepared.

Executive planning guide

Framing the change, budget, and risk for leadership.

Readiness checklist

Are you 47-day ready?

Complete, continuous certificate discovery
Real-time expiry and risk monitoring
Renewal volume forecast by week
Automated, zero-downtime renewal
Clear ownership for every certificate
A readiness score you can track
FAQ

47-day readiness,
answered.

The CA/Browser Forum has approved a phased reduction of maximum TLS certificate validity to 47 days by 2029, down from 398 days today. The goal is to limit the risk window of compromised or mis-issued certificates and push the ecosystem toward automation.
The reduction is gradual, stepping down over several years and reaching 47 days in 2029. Each step increases renewal frequency, so preparing early avoids a last-minute crunch.
Moving from roughly 398-day to 47-day validity means certificates renew about 8 times as often. For large estates that is a dramatic, ongoing increase in renewal operations.
Start with complete, continuous discovery so you know every certificate you have, then add real-time monitoring and automated renewal. You can’t automate renewals for certificates you don’t know exist.
Yes. By plotting certificates by expiry week, you can model the renewal load under shorter lifetimes, identify pressure spikes, and plan automation and capacity accordingly.
At 8× the volume, manual tracking and renewal become unsustainable. Automation of discovery, monitoring, and renewal becomes a practical requirement, not a nice-to-have.
The guide covers why lifetimes are shrinking, the operational impact, renewal forecasting, automation requirements, a team readiness checklist, and an executive planning framework.
MachineCert provides the full readiness stack — continuous discovery, unified inventory, renewal forecasting, automated zero-downtime renewal, and a readiness score — so the 47-day transition becomes a non-event.
Go deeper

Related resources

47-day readiness solutionPrepare with MachineCert.Renewal automationAbsorb the renewal surge.Expiration monitoringSee pressure spikes early.Certificate lifecycle managementThe lifecycle, explained.Prevent certificate outagesShorter windows, more risk.MethodologyOur approach to machine trust.
Get started

Run a 47-day readiness assessment.

Scan your domain to size your footprint, forecast renewal load, and get your readiness score in 60 seconds.

Book a demo