Apple 45-Day Certs: Implications for Certificate Lifecycle Management

TLS/SSL certificate lifecycles are shrinking, and Phase 1 is already in effect. Since March 15, 2026, the CA/Browser Forum mandate (Ballot SC-081v3) limits maximum TLS certificate validity to 200 days. By 2027 that drops to 100 days and to 47 days by 2029. The operational consequence is significant. An organization managing 1,000 certificates today processes roughly 900 renewals per year. At 47-day intervals, that same organization will handle more than 7,700 renewals annually, nearly an 8x increase. At that frequency, manual certificate management does not just slow you down, it fails outright. More frequent renewals through manual processes mean more opportunities for missed expirations, unplanned outages, and compliance failures. Certificate Lifecycle Management (CLM) automation is the only way forward. This article explains what the mandate requires at each phase, why it matters for enterprise security operations, and what a structured path to CLM readiness looks like.

Certificate Lifecycles Are Shrinking. Is Your Organization Ready?

Stay ahead of 47-day certificate mandates with automated certificate management.
Explore CLM Services

What Are 47-Day Certificates?

“47-day certificates” refers to the final phase of CA/Browser Forum Ballot SC-081v3, which mandates that TLS/SSL certificates issued by publicly trusted Certificate Authorities (CAs) carry a maximum validity period of 47 days. The ballot was proposed by Apple, immediately endorsed by Google, and passed unanimously by the CA/B Forum in April 2025.

The Phased Validity Reduction Timeline

Why Shorter Certificate Lifecycles Matter for Enterprise Security

Shorter certificate lifetimes reflect a deliberate security improvement. Here is why 47-day direction is right, and what it protects against.

• Reduces the blast radius of a compromised certificate. A certificate with a 398-day lifetime gives an attacker nearly 13 months to exploit a stolen or misissued credential. At 47 days, that window shrinks to seven weeks. Shorter lifetimes limit how long a bad actor can operate undetected using a compromised identity.
• Forces out weak and misconfigured certificates faster. Long-lived certificates allow outdated cryptographic algorithms, weak key lengths, and misconfigurations to persist in production environments for years. Frequent renewal cycles create a natural forcing function for cryptographic hygiene as every renewal is an opportunity to enforce current standards.
• Accelerates post-quantum readiness. Migrating to NIST-standardized post-quantum algorithms (FIPS 203, 204, 205) at enterprise scale requires the ability to re-issue certificates across thousands of systems rapidly. Organizations with automated, short-cycle CLM workflows can execute that migration incrementally with each renewal. Those with long-lived certificates face a single, high-risk cutover event.
• Limits the damage from CA distrust events. When a Certificate Authority is distrusted by browsers, organizations must re-issue all certificates from an affected CA as quickly as possible. Short certificate lifetimes, combined with multi-CA CLM infrastructure, make this a manageable operational task rather than an emergency.
• Keeps pace with the machine identity explosion. Machine identities now outnumber human identities in enterprise environments by an estimated 80:1. Many carry certificates with lifetimes set years ago, when renewal was infrequent. Aligning certificate lifetimes with the ephemeral nature of modern workloads is a security posture improvement.

Why Manual Certificate Management No Longer Works

• Human Error at Scale
  Certificate management is a precision task. A single missed renewal can take down a production service, break an API integration, or trigger a compliance violation. At renewal frequencies of 8x per year per certificate, and across portfolios that commonly number in the thousands, the probability of human error is significantly high.
• Visibility Gaps and Shadow Certificates
  Certificates issued outside of centralized oversight remain one of the most persistent sources of unplanned outages. When different teams, cloud environments, and applications manage their own certificates independently, there is no reliable way to maintain a complete, current inventory.
• Scaling Constraints
  A manual certificate management process that works adequately at 500 certificates will not scale to 2,000 certificates under the 2027 mandate, and will fail entirely at 47-day intervals in 2029. The volume-based argument for automation that security leaders have been making for several years is now a mandate-driven operational requirement.
• Compliance and Audit Overhead
  Demonstrating certificate management compliance to auditors requires a documented, traceable history of every certificate’s lifecycle events such as issuance, renewal, revocation, and ownership changes. Producing this documentation manually is time-intensive and error-prone. Automated CLM platforms generate this record as a byproduct of normal operations.
• Cryptographic Agility Blockers
  Organizations with manual certificate workflows cannot respond quickly to algorithm deprecations or CA distrust events. When a CA is distrusted or an algorithm is deprecated, the ability to rapidly re-issue certificates across the enterprise is contingent on having automated issuance workflows in place. Manual processes make this kind of rapid cryptographic response operationally impossible.

Manual Certificate Management Won’t Scale to 47-Day Renewals

Automate certificate renewals and eliminate visibility gaps at scale.
Explore CLM Services

Why Automated Certificate Lifecycle Management is the Way Forward

Automated CLM platforms address the operational, compliance, and security challenges introduced by the 47-day mandate across six core dimensions:

• Certificate visibility: Automated discovery scans networks, cloud environments, and internal systems to build and maintain a complete, current certificate inventory. No certificate goes untracked regardless of where or how it was issued.
• Automated renewals: Policy-driven renewal workflows trigger well before expiration, generate CSRs, submit to the appropriate CA, and deploy renewed certificates without manual intervention. Renewal frequency is irrelevant to operational overhead when the process is fully automated.
• Outage prevention: Real-time monitoring with configurable alerting ensures that expiring, misconfigured, or compromised certificates are identified and remediated before they cause service interruptions.
• Compliance and audit readiness: Every certificate lifecycle event is logged automatically, producing an audit-ready record of issuance, renewal, revocation, and ownership. Compliance reporting becomes a query, not a manual exercise.
• Centralized multi-CA management: Enterprise environments typically rely on multiple CAs: public CAs for externally-facing certificates, private PKI for internal systems, and cloud-native CAs for cloud workloads. A CLM platform provides a unified control plane across all of them, enabling CA agility.
• Faster, more scalable operations: ACME protocol integration allows CLM platforms to automate certificate issuance and renewal interactions with CAs at high velocity, supporting the renewal cadence required by the 2029 mandate without linear increases in engineering headcount.

Manual Certificate Management vs. Automated CLM

5-Step Framework to Prepare for 47-Day Certificates

Every organization is at a different point in its CLM readiness journey. The following framework is structured to be applicable whether your organization is beginning the process or optimizing an existing automated deployment.

Step 1: Assess Your Current Certificate Environment

A credible readiness plan begins with a complete picture of where you stand. Key questions to answer at this stage:

• Certificate inventory: Do you have full visibility into all certificates across on-premises, cloud, and hybrid environments? Certificates issued by different teams, in different cloud accounts, or by shadow IT processes are frequently missing from existing inventories.
• Renewal ownership: Is certificate renewal ownership clearly assigned, and are renewal responsibilities centralized or distributed across teams? Fragmented ownership is a primary driver of missed renewals.
• Automation maturity: What percentage of your certificate renewals are currently automated? Manual renewal workflows that function adequately today will not scale to the renewal frequencies mandated by 2027 and 2029.
• CA relationships: which Certificate Authorities are currently in use across your environment, and do your existing tools support multi-CA management?

Step 2: Identify Certificate Management Gaps

Once you have established an accurate baseline, assess where your current processes will fail under increased renewal frequency. Common gaps include:

• Manual renewals: Any certificate renewed by hand is a point of failure. Identify and prioritize the highest-criticality certificates still on manual renewal workflows for immediate automation.
• Fragmented visibility: Certificates that are not visible to your central management team cannot be monitored, renewed, or revoked in a controlled way. Discovery tooling is the prerequisite to every other CLM capability.
• Decentralized ownership: Where certificate management responsibilities are distributed across business units, cloud teams, or application owners without centralized oversight, governance gaps are inevitable.
• ACME readiness: The ACME protocol is the primary mechanism for automated certificate issuance and renewal from public CAs. Assess whether your infrastructure, web servers, load balancers, and application platforms support ACME integration.

Step 3: Prepare Infrastructure for 47-Day Certificates

Technical readiness requires validating that your infrastructure can support high-frequency automated certificate operations end-to-end:

• ACME protocol support: Ensure your web servers (NGINX, Apache), load balancers (F5 BIG-IP, Citrix ADC), and cloud platforms (AWS, Azure, GCP) are configured to support ACME for automated certificate issuance and renewal.
• Integration coverage: Your CLM platform must integrate with every system that consumes or deploys certificates. Critical integration points include ITSM platforms (ServiceNow), DevOps pipelines (HashiCorp Terraform, Red Hat Ansible), container orchestration (Kubernetes), and cloud-native certificate services.
• Deployment automation: Automated issuance without automated deployment creates a gap. Validate that renewed certificates can be pushed to all consuming systems without manual intervention.
• DCV automation: With DCV reuse dropping to 10 days in 2029, domain control validation must also be automated. Assess whether your domain validation workflows can be automated alongside certificate issuance.

Step 4: Implement Automated CLM

Selecting and deploying the right CLM platform is the core of the readiness effort. Here’s how to approach it:

• Deploy the Solution: Determine whether your CLM will be deployed on-premises, in the cloud, or as a hybrid. Ensure the deployment fits your infrastructure and security needs. Collaborate with IT and security teams to set up and run smoothly.
• Integrate with Existing Systems: Ensure your CLM integrates with critical infrastructure, such as your PKI, SSO, directory services, VPNs, and firewalls. Test these integrations thoroughly to avoid disruptions and ensure smooth operations. Rapidly and easily conduct live demos and build proof-of-concepts using Accutive Security’s Innovation Lab.
• Automate Certificate Renewals: Configure the CLM to handle certificate renewals automatically. Set renewal policies, expiry alerts, and ensure that renewals happen well before certificates expire to minimize risks.
• Centralize Certificate Management: Before you can perform any automation, you will require a complete valid inventory. CLM platforms support various forms of discovery to ensure visibility into your organization’s current utilization.  While there are various forms of discovery, the two most common are CA Discovery and Network Discovery. CA Discovery performs a mass-import of all issued certs from a specific connected Certificate Authority. Network Discovery outlines all certificates and associated endpoints within the target location(s).
  CLM Platforms enable you to setup multiple discoveries to sufficiently scope the certificate usage within your organization.
• Automate Certificate Renewals: Configure the CLM to handle certificate renewals automatically. Set renewal policies, expiry alerts, and ensure that renewals happen well before certificates expire to minimize risks.CLM platforms support a wide variety of tools out-of-the-box, and also include integrations for DevOps tools such as HashiCorp Terraform and RedHat Ansible. These help enable pull-provisioning for specific use-cases.
• Enforce Security and Compliance: Customize the CLM to meet your organization’s security and compliance needs. Implement security protocols like encryption and access controls, and use the solution’s built-in compliance tools for auditing and reporting to stay aligned with regulatory requirements.

Step 5: Build a Future-Proof Certificate Strategy

The 47-day mandate is a structural shift, not a one-time remediation project. A future-proof CLM strategy addresses ongoing resilience across three dimensions:

• Centralized governance: Enforce certificate policy, CA selection, and renewal standards centrally, even in distributed or multi-cloud environments. Governance gaps that are manageable today become operational crises as renewal frequency increases.
• Automation-first workflows: Every new certificate-consuming system or application should be onboarded with automated CLM integration as a baseline requirement, not a future enhancement.
• Crypto agility and CA agility: The ability to switch between cryptographic algorithms and certificate issuers rapidly and without service disruption is foundational to both PQC migration readiness and resilience against CA distrust events. CLM platforms that support multiple CAs and enable rapid policy changes are the enabling technology.
• Shorter certificate readiness: Plan for certificate lifetimes shorter than 47 days. ACME automation that handles 47-day renewals will handle 30-day renewals with no additional architectural changes. Build for the floor, not the current mandate.

Prepare Your Organization for 47-Day Certificates

Phase 1 of the CA/Browser Forum mandate is in effect. Phase 2 arrives in March 2027, when maximum certificate validity drops to 100 days. Organizations that begin building CLM automation infrastructure now will meet the 2027 milestone with capacity to spare and be fully prepared for the 47-day threshold in 2029. Those that wait will face compounding operational pressure at each phase transition.

Accutive Security is the Center of Excellence in Cryptography, Identity Security, and Data Protection. We hold certified implementation status with leading CLM platforms including Keyfactor, Venafi/CyberArk, AppViewX, and DigiCert, and we provide vendor-neutral solution selection, proof-of-concept testing in our Innovation Lab, and full-lifecycle implementation and managed services.

Whether you are assessing your current certificate environment, evaluating CLM platforms, or accelerating an in-progress deployment, our team provides the expertise to move from strategy to operational readiness.

Request a complimentary CLM readiness assessment now.

We will evaluate your current certificate environment, identify gaps, and provide a prioritized remediation roadmap.
Click Here

Frequently Asked Questions

What are 47-day certificates?

47-day certificates refers to TLS/SSL certificates with a maximum validity period of 47 days, the final phase of CA/Browser Forum Ballot SC-081v3, which takes effect on March 15, 2029. The mandate was passed unanimously by the CA/B Forum in April 2025 and reduces certificate lifetimes in three phases between 2026 and 2029.

Why are certificate validity periods getting shorter?

Shorter certificate lifetimes reduce the window of exposure when a certificate is compromised or misconfigured. They also accelerate the deprecation of weak cryptographic algorithms and create the conditions for faster post-quantum cryptography migration. The CA/B Forum’s position is that the security benefits of shorter-lived certificates outweigh the operational burden, provided that organizations automate certificate management.

How does the 47-day mandate affect enterprises today?

Phase 1 is already in effect: any TLS certificate issued after March 15, 2026 has a maximum validity of 200 days. Organizations with manual certificate management processes are already experiencing increased renewal workload. By 2029, annual renewal volume per certificate will increase approximately 8x compared to the pre-mandate baseline, making automation operationally non-negotiable.

What is Certificate Lifecycle Management (CLM)?

Certificate Lifecycle Management is a set of processes, policies, and tools used to manage the complete lifecycle of digital certificates, from discovery and issuance through monitoring, renewal, revocation, and decommissioning. CLM platforms automate these operations across complex multi-CA, multi-cloud, and hybrid environments, providing centralized visibility, policy enforcement, and compliance reporting.

Why is certificate automation critical for 47-day readiness?

Manual certificate management cannot scale to the renewal frequencies required by the 47-day mandate. An organization managing 1,000 certificates will need to process more than 7,700 renewals per year by 2029. Without automation, this volume creates unacceptable outage risk, compliance exposure, and engineering overhead. Automated CLM removes the human error risk and scales to any renewal frequency.

Which CLM platforms are best for 47-day certificate readiness?

Keyfactor Command, Venafi TLS Protect (CyberArk), AppViewX CERT+, and DigiCert CertCentral are the leading enterprise CLM platforms for 47-day readiness. The right choice depends on your PKI complexity, infrastructure, and whether you require support for public certificates, private PKI, code signing, or machine identity at scale. Accutive Security provides vendor-neutral solution selection and certified implementation services for all four platforms.

What is ACME and why does it matter for the mandate?

ACME (Automated Certificate Management Environment) is the protocol that automates interactions between certificate clients and Certificate Authorities, enabling automated certificate issuance, renewal, and revocation. ACME support is the foundational technical requirement for 47-day certificate automation. Major CAs including DigiCert, Entrust, and Sectigo support ACME, and all leading CLM platforms include native ACME integration.

Does the 47-day mandate apply to internal/private PKI certificates?

No. The CA/Browser Forum mandate applies only to publicly trusted TLS/SSL certificates issued by commercial Certificate Authorities. Private PKI certificates issued by internal CAs, for internal services, device authentication, or machine-to-machine communication, are not subject to CA/B Forum rules and may retain longer lifetimes. However, many organizations choose to apply consistent automation practices to both public and private certificate management.