The 47-Day Certificate: How Apple Killed the Annual SSL Renewal

The CA/Browser Forum just approved shrinking TLS certificates to 47 days by 2029. We'll soon pay the same price for commercial certs that expire faster than a DHCP lease. Time to embrace automation - those 'annoying' 90-day Let's Encrypt certificates suddenly look like visionaries.


I nearly choked on my morning coffee when I saw the latest news from the CA/Browser Forum. They've just approved a roadmap that'll shrink TLS certificate validity down to 47 days by 2029. You read that right - we'll soon be paying the same price for a commercial certificate that expires faster than a properly configured DHCP lease.

The Timeline Nobody Asked For (But We're Getting Anyway)

Here's what's coming:

  • Until March 15, 2026: Business as usual - 398 days (about 13 months)
  • March 15, 2026: Drop to 200 days
  • March 15, 2027: Another cut to 100 days
  • March 15, 2029: The final countdown - 47 days

Each cap applies to certificates issued on or after that date; a certificate issued the day before keeps whatever validity it was issued with.

Apple proposed the ballot (SC-081) and pushed hardest for it. Of course they did. This is the same company that courageously removed headphone jacks to sell us dongles.

So What's Actually Driving This?

I'll be honest - shorter certificate lifespans aren't inherently evil. They actually make sense from a security perspective:

  • Compromised or mis-issued certificates die on their own sooner. Browsers don't check revocation reliably (CRLs are huge, OCSP is soft-fail or skipped entirely), so the expiry date is the one revocation mechanism that always works
  • Key rotation happens more frequently, so a stolen private key has a shorter useful life
  • The domain ownership proof behind the certificate is fresher, which matters when domains change hands

But 47 days feels like someone at Apple was playing certificate validity limbo and forgot to stop.

Time to Make Friends with Automation (Whether You Like It or Not)

I've been running Let's Encrypt with certbot for years now, dealing with those "annoying" 90-day renewals. Turns out I was living in 2029 while everyone else was stuck in 2019. By the time these changes hit, even your fancy commercial certificates will need replacing every month and a half.

Now, automation isn't always plug-and-play. The common HTTP-01 challenge needs port 80 reachable from the internet, and the token has to be served from /.well-known/acme-challenge/ on the name being validated. Two classic ways to break that: a blanket "hide dotfiles" rule (the usual nginx regex location matching /\.) that also hides .well-known, and an HTTP-to-HTTPS redirect that sends the challenge somewhere the token isn't served. Let's Encrypt does follow redirects, so the redirect itself isn't the problem; the destination failing to return the token is. If you can't expose port 80, or you need a wildcard, the DNS-01 challenge sidesteps all of it at the cost of handing your ACME client DNS API credentials.

But here's the thing - these are solved problems. I've been dealing with them for years using free certificates. So why exactly would anyone pay for commercial certificates when Let's Encrypt already does what everyone will need in 2029?
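Here is an added example of how I'd lay out nginx so that HTTP-01 keeps working next to both a global HTTPS redirect and a deny-dotfiles rule. This is my illustration, not configuration from the post or from certbot's docs; the hostname example.com, the webroot /var/www/letsencrypt, the site root and the certificate paths are assumptions.

```nginx
# Added example, not the post's configuration. Assumptions: the site is
# example.com, certbot is run as
#   certbot certonly --webroot -w /var/www/letsencrypt \
#       -d example.com -d www.example.com \
#       --deploy-hook "systemctl reload nginx"
# and the HTTPS site's files live under /var/www/example.com.

server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;

    # Serve ACME tokens first. "^~" is a prefix match that stops nginx from
    # considering any regex location, so a "hide dotfiles" rule can never
    # swallow /.well-known/acme-challenge/ on the port-80 server.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;      # token is written to
                                        # /var/www/letsencrypt/.well-known/acme-challenge/<token>
        default_type text/plain;
        try_files $uri =404;
    }

    # Everything else goes to HTTPS. Let's Encrypt follows redirects, but the
    # redirect target would then have to serve the token correctly as well;
    # keeping the exception above means the token never leaves port 80.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com www.example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    root  /var/www/example.com;
    index index.html;

    # The classic "hide dotfiles" rule (.git, .env, .htpasswd ...). The
    # negative lookahead keeps /.well-known/ reachable over HTTPS too, where
    # things like /.well-known/security.txt live.
    location ~ /\.(?!well-known/) {
        deny all;
    }
}
```

Validate with nginx -t, reload, then run certbot renew --dry-run: the dry run exercises the whole challenge path against Let's Encrypt's staging environment, which is where you want to find out that a redirect or a deny rule is eating the token. Wildcards, and hosts that can't expose port 80 at all, need the DNS-01 challenge through one of certbot's DNS plugins instead.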

The Purchasing Department's New Nightmare

Picture this conversation in 2029:

Purchasing: "We need to renew our SSL certificate."
IT: "Which one? We renewed twelve of them last month."
Purchasing: "The one for the main site."
IT: "That was 40 days ago. It expires next week."
Purchasing: "But we just..."
IT: "Welcome to the future."

Manual certificate management is about to become as obsolete as manually editing DNS zone files. The overhead of processing purchase orders for 47-day certificates will cost more than just setting up proper automation.

Tools That'll Save Your Sanity

I've been using Nginx Proxy Manager in my setup, and it's fantastic. NPM handles certificate renewals automatically, manages reverse proxy configs, and doesn't require memorizing every OpenSSL command flag.

Other solid options I've tested:

  • Certbot with proper scripting (the OG automation tool)
  • Caddy (automatic HTTPS is chef's kiss)
  • Traefik (perfect if you're deep in the container rabbit hole)

The key is starting now. Don't wait until 2026 when your comfortable 398-day certificate suddenly becomes a 200-day ticking time bomb.

The Certificate Vendor Identity Crisis

Here's what keeps me up at night (besides expired certificates): what's DigiCert's business plan here? Their entire model relies on annual renewals. Now they'll need to either:

  1. Keep prices the same (and watch customers discover Let's Encrypt faster than developers discovering Stack Overflow)
  2. Cut per-certificate prices by roughly 87%, so a year's worth of 47-day certificates costs what one annual certificate used to
  3. Somehow convince people that a certificate they have to buy eight times a year is worth paying for at all, when ACME issues the same domain-validated certificate for free

I'm genuinely curious how this plays out.

The Bright Side (Yes, There Is One)

Okay, I've been pretty cynical about this whole thing, but there's actually some good news:

Automation will finally become mandatory, not optional. No more "we'll automate it next quarter" promises. When certificates expire faster than JavaScript frameworks, automation becomes survival.

Security will genuinely improve. Shorter certificate lifespans mean less exposure time for compromised keys. It's proper key hygiene, enforced by necessity.

The entire ecosystem will level up. When everyone needs automation, tools will get better, documentation will improve, and that one vendor who still requires you to generate a CSR, email it to them, wait 48 hours for verification, and then manually download your certificate from their 2003-era portal will finally modernize.

Your Action Plan (Start Yesterday)

  1. If you're renewing certificates before March 15, 2026 - do it on March 14th. You'll squeeze out almost 200 extra days of validity. It's like buying Bitcoin in 2010, but for certificate validity.
  2. Pick an automation tool now - Whether it's certbot, NPM, or something else, start learning today. Those "minor issues" with ACME challenges? Better to debug them with a cup of coffee than at 3 AM during an outage.
  3. Document your setup - Your future self will thank you. Trust me, I've been that future self cursing past me for not documenting which nginx config does what.
  4. Implement proper monitoring - With 47-day certificates, you can't afford to miss a renewal. Alert when a certificate has less than a third of its lifetime left (renewal should already have happened by then, so the alert means your automation failed), and alert on the ACME client's own renewal failures too. Set up alerts before your certificate expires, not after.
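As an added example for the monitoring step, here is a small expiry checker of my own (not code from the post or from any of the tools it mentions). It connects to each host with verification on, reads the leaf certificate's notAfter, and grades the days remaining as OK, WARN, CRIT or EXPIRED so cron or a monitoring agent can page you. The WARN and CRIT thresholds are assumptions to tune to your renewal cadence; the date arithmetic takes an injectable clock so it can be checked without a live endpoint.

```python
"""Certificate-expiry monitor: an added example, not code from the post.

For every host[:port] on the command line it opens a verified TLS
connection, reads the leaf certificate's notAfter, and grades the time
left so a cron job or monitoring agent can alert before users see browser
errors. Thresholds are assumptions: WARN should fire once a renewal that
ought to have run already has not, i.e. at roughly a third of the lifetime.
"""
import socket
import ssl
import sys
import time
from typing import Dict, Optional, Tuple

WARN_DAYS = 14  # assumption: ~a third of a 47-day lifetime; renewal is overdue
CRIT_DAYS = 7   # assumption: last window for a human to intervene


def days_remaining(not_after: str, now: Optional[float] = None) -> float:
    """Days until not_after, given in the format ssl.getpeercert() returns,
    e.g. 'Jan  5 09:34:43 2018 GMT'. `now` is epoch seconds and is
    injectable so the arithmetic can be tested offline."""
    expires_at = ssl.cert_time_to_seconds(not_after)  # interpreted as UTC
    if now is None:
        now = time.time()
    return (expires_at - now) / 86400.0


def classify(not_after: str, now: Optional[float] = None) -> Tuple[str, float]:
    """Map time-to-expiry onto an alert level."""
    days = days_remaining(not_after, now)
    if days <= 0:
        return "EXPIRED", days
    if days <= CRIT_DAYS:
        return "CRIT", days
    if days <= WARN_DAYS:
        return "WARN", days
    return "OK", days


def fetch_leaf_cert(host: str, port: int = 443, timeout: float = 5.0) -> Dict:
    """Return the parsed leaf certificate `host` presents for SNI=host.
    Verification stays on: a chain that fails to validate (including an
    already-expired certificate) is a finding, not something to silence."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def check_host(host: str, port: int = 443) -> Tuple[str, float, str]:
    """(level, days_left, detail) for one endpoint. Network and chain
    failures are reported as CRIT rather than raised, so one dead host
    does not abort the whole run."""
    try:
        cert = fetch_leaf_cert(host, port)
    except ssl.SSLCertVerificationError as exc:
        return "CRIT", 0.0, f"verification failed: {exc.verify_message}"
    except OSError as exc:
        return "CRIT", 0.0, f"connection failed: {exc}"
    level, days = classify(cert["notAfter"])
    return level, days, f"notAfter {cert['notAfter']}"


if __name__ == "__main__":
    # Usage: python cert_monitor.py example.com internal.example.net:8443
    # Exit status: 0 all OK, 1 at least one WARN, 2 at least one CRIT/EXPIRED.
    worst_exit = 0
    for target in sys.argv[1:]:
        host, _, port = target.partition(":")
        level, days, detail = check_host(host, int(port) if port else 443)
        print(f"{level:8} {host:40} {days:7.1f} days  ({detail})")
        if level == "WARN":
            worst_exit = max(worst_exit, 1)
        elif level != "OK":
            worst_exit = 2
    sys.exit(worst_exit)
```

Run it from cron against every public hostname you own and treat a non-zero exit as a page; pair it with a check on the ACME client's own logs or systemd timer, because this script only tells you that the renewal didn't happen, not why.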

The Bottom Line

Remember 2014? SSL certificates were for banks and e-commerce sites. Everyone else ran plain HTTP. Users clicking through certificate warnings was so common that malware authors counted on it. If you typed a domain with https://, you'd often get a connection error or a certificate warning, because nobody bothered setting up HTTPS - the site only existed on port 80.

Fast forward to today: browsers default to HTTPS, actively warn against HTTP sites, and SSL is everywhere. What changed? Let's Encrypt opened its public beta in late 2015 and left beta in 2016, with its "radical" 90-day certificates. Suddenly, SSL wasn't a $200/year luxury - it was free and automated. Those 90-day certificates we all grumbled about? They normalized automation and made SSL ubiquitous.

Now we're heading for 47-day certificates, and honestly? We're ready. The same automation that made Let's Encrypt successful will handle commercial certificates too. Organizations that embrace automation early will barely notice. The ones that don't? They'll be learning about ACME protocols during emergency maintenance windows.

Me? I'm doubling down on Let's Encrypt and automation. If I'm going to deal with certificates that expire faster than my New Year's resolutions, at least I'm not paying for them.

What's your plan for the great certificate shortening? Drop a comment below - I'm curious how other teams are preparing for this brave new world of perpetual renewals.
