Reduction of public TLS certificate validity to 47 days

The CA/Browser Forum – an association of certification authorities and web browsers representing DigiCert, GlobalSign, Apple, Google, Microsoft, and others – decided in April 2025 to reduce the current validity of public TLS certificates from 398 days to 47 days, according to the following roadmap:

• March 15, 2026: Certificate validity limited to 200 days
• March 15, 2027: Further reduction to 100 days
• March 15, 2029: Certificate validity limited to 47 days

For many organisations, the above timeline means that there is an urgent need to address the long-neglected issue of certificate management. Although the first reduction in certificate validity does not take effect until March 2026, most organisations will need many months to inventory certificates, redesign processes and implement automation, which means work on this topic needs to start now. And, as the main reason for the validity reduction were security risks, CISOs should be closely involved in this process.

Background: Importance of public TLS certificates

TLS certificates are used to secure Internet connections using the Transport Layer Security (TLS) protocol. They ensure the confidentiality and integrity of data transmitted between a browser and a web server.

In practice, this means that if certificates expire, companies face significantly higher risks when users access their websites and services. Data sent to the website can, for example, be intercepted by a “man-in-the-middle” attack. Accordingly, browser manufacturers flag such websites as “unsafe” when users attempt to access them and recommend avoiding the site.

Expired TLS certificates therefore have direct consequences for companies, including:

• Loss of revenue due to abandoned purchases or deterred visitors
• Loss of customer trust, as the website is displayed as “unsafe”
• Reputational damage resulting from security incidents
• Possible negative effects on search engine rankings

Many organisations are not ready for the changeover

In many organisations, certificate management still plays a secondary role for both internal and public certificates. Technical implementation for both certificate types is often based on solutions that require extensive manual work, such as manual certificate rotation or manual maintenance of the certificate inventory.

Organisations are also frequently unprepared from an organisational perspective. For example, certificate validity periods are often tracked in Excel spreadsheets or calendar entries. When an employee who is responsible for one or more certificates leaves the company, a frantic search for a successor begins; or the problem only becomes visible when the application suddenly stops working.

This makes it clear that certificate management is not purely a technical issue. It must be viewed holistically – from governance to careful definition and implementation of processes to technical implementation. Ultimately, certificate management is often treated as a secondary topic until it causes an outage – and outages of this kind occurred in 72% of organisations last year (source).

Solutions for organisations 

Although the change only affects public TLS certificates, CISOs and CIOs should view the transition as an opportunity to introduce comprehensive, modern guidelines and solutions in the area of certificate management.

From a CISO perspective, certificate management should follow clear guidelines that secure the organisation in the area of cryptography. This should take into account both the future topic of post-quantum encryption, which is already relevant today due to the possibility of “harvest now, decrypt later”, and any applicable regulatory requirements (e.g., the Digital Operational Resilience Act, DORA, in the finance industry in the European Union). The change in the certificate validity period is a good opportunity to review and adjust current guidelines. The goal must be to create clear responsibilities for certificates, define a lifecycle, and ensure their protection.

CIOs, in turn, are under even greater pressure to act. With the change, the workload of the responsible team is likely to increase, while the labor market and cost pressures will only allow for limited new hires. This means that there is no way around a critical review of the existing tool and process landscape. If current tools and processes do not enable a high degree of automation in certificate management, this must be addressed. At the same time, this change can be seen as an opportunity to further improve and automate the processes and tools related to internal certificates.

Specifically, the CISO and CIO should work together to ensure that at least the following points are met: 

• There are clear guidelines regarding cryptography that also address future risks such as quantum computing.
• All of the organisation's certificates are inventoried, responsibilities are defined, and an appropriate lifecycle is established.
• Certificate management is as automated as possible.

Conclusion

The CA/Browser Forum is reducing the validity period of public TLS certificates to 47 days by 2029 in order to minimize security risks. This poses major challenges for many organisations, as the management of public certificates, often neglected in the past, will become significantly more complex. With the first reduction to 200 days already scheduled for March 2026, organisations that delay action risk entering this transition with incomplete certificate inventories, manual processes and unclear ownership, thus increasing the likelihood of outages, fire-fighting and avoidable cost. CIOs and CISOs are therefore now called upon to actively address this change, establish clear responsibilities, and introduce modern, automated processes. This is the only way to manage the increased workload while ensuring security and compliance in the long term.

At PwC we provide organisations with comprehensive support, from governance and strategy through to implementation and managed services for your PKI solution, helping you absorb the impact of shorter certificate lifetimes without increasing risk or headcount.