Posted by Suresh Sathyamurthy
December 2, 2025
The CA/Browser Forum (CA/B Forum), the global standards body responsible for TLS/SSL certificate governance, has introduced a sweeping policy change that will transform how enterprises manage digital trust. Under the new Ballot SC-081v3, certificate lifetimes will shrink from 398 days today to just 47 days by March 2029.
This is not just a technical update; it’s a fundamental shift in how organizations must manage security and compliance. Manual tracking and renewal of certificates are no longer sustainable. To remain compliant, avoid outages, and protect their digital ecosystems, enterprises must embrace continuous automation and crypto-agility.
Akeyless enables exactly that. Through its Zero-Knowledge Certificate Lifecycle Management (CLM) and PKI-as-a-Service platform, Akeyless automates issuance, renewal, and policy enforcement while keeping private keys fully protected under customer control.
The TLS Landscape Is Changing, Fast
For years, TLS certificates have steadily shortened in lifespan, from five years to 825 days, then to 398 days. The CA/B Forum’s latest move to 47 days represents the most dramatic evolution yet.
The rationale is clear: shorter-lived certificates improve global internet security. By forcing more frequent key rotations, organizations can limit the potential damage caused by key compromises or mis-issuance. In parallel, faster expiration cycles encourage a cultural shift toward automation and strong key governance.
Yet, this also poses a major operational challenge. A 47-day validity period means companies will need to renew and redeploy certificates nearly eight times more frequently than they do today. Without automation, this will lead to human error, outages, and compliance headaches. Manual certificate management is effectively becoming obsolete.
What the 47-Day Readiness Window Means
While the 47-day limit officially takes effect in 2029, many Certificate Authorities (CAs), including GlobalSign and ZeroSSL, are already adapting to shorter operational readiness cycles.
This “47-day readiness window” reflects the time required for validation checks, Certificate Signing Request (CSR) generation, internal approvals, and propagation across distributed systems. In practice, organizations must now prove they can renew and deploy certificates in this compressed timeframe, continuously and reliably.
For security and DevOps teams, that means automation must become a central part of the enterprise trust strategy. Without it, the risk of expired certificates and service disruptions increases exponentially.
Akeyless: Your Foundation for Automated Certificate Compliance
Akeyless provides a unified, SaaS-based Certificate Lifecycle Management and PKI-as-a-Service platform that simplifies automation and compliance. It combines security, visibility, and control within a Zero-Knowledge framework, ensuring no one but the customer can ever access their private keys.
Automated Certificate Issuance and Renewal
Akeyless integrates seamlessly with major public and private CAs, such as GlobalSign and ZeroSSL, to automate the entire certificate lifecycle. Certificates are issued and renewed automatically based on configurable schedules and deployed instantly to load balancers, Kubernetes ingress controllers, and other endpoints.
This eliminates the manual processes that slow down operations and ensures continuous compliance with CA/B Forum requirements. With Akeyless, outages caused by expired certificates become a thing of the past.
Zero-Knowledge Key Protection (DFC™)
Akeyless’s patented Distributed Fragments Cryptography (DFC™) ensures that private keys are never stored, transmitted, or reconstructed in full. Instead, they are mathematically split into fragments and distributed across secure regions. This Zero-Knowledge architecture guarantees that only the customer retains control of their cryptographic material; not even Akeyless can access it.
This approach exceeds industry expectations for cryptographic integrity and aligns with FIPS 140-2 and CA/B Forum best practices for secure key management.
Policy-Driven Rotation and Dynamic Secrets
Through policy-based automation, Akeyless enables certificate renewal and rotation well ahead of expiration deadlines. Admins can define flexible rules: for instance, automatically renewing a certificate ten days before it expires and triggering downstream automation such as service restarts or notifications.
This proactive approach ensures that every certificate stays valid, minimizing operational risk while reducing the burden on administrators.
Full Auditability and Compliance Evidence
Every action (issuance, renewal, or revocation) is logged in Akeyless’s immutable audit trail. These logs can be integrated directly into SIEM platforms such as Splunk, Datadog, and Azure Sentinel, allowing real-time visibility and continuous compliance reporting.
This provides security and compliance teams with the evidence they need to demonstrate adherence to CA/B Forum Baseline Requirements and internal governance standards.
Unified Secrets and Certificate Management
Unlike traditional certificate management systems that treat certificates as isolated assets, Akeyless brings them into the broader security ecosystem. TLS certificates, SSH keys, API tokens, and machine credentials are all managed within the same secure, Zero-Knowledge platform.
This consolidation reduces complexity, prevents “shadow certificates,” and strengthens both security posture and audit readiness across the organization.
Future-Ready for the Short-Lived Certificate World
The 47-day rule is more than a regulatory adjustment; it’s a preview of a future built on ephemeral trust and machine identity automation. As digital ecosystems expand, organizations must ensure every certificate is issued, rotated, and revoked automatically.
With Akeyless, enterprises can confidently navigate this future. Its platform provides end-to-end automation, cryptographic protection through DFC™, and full visibility across hybrid and multi-cloud environments. It’s not just about meeting compliance; it’s about achieving crypto-agility and resilience in an increasingly dynamic world.
Key Takeaways
- The CA/B Forum’s Ballot SC-081v3 shortens TLS certificate lifetimes to 47 days by 2029.
- Manual certificate management is no longer sustainable; automation is mandatory.
- Akeyless automates issuance, renewal, rotation, and compliance under a Zero-Knowledge architecture.
- The platform integrates with all major CAs and provides full auditability and reporting.
The Bottom Line
The 47-day mandate represents a turning point for enterprise certificate management. Organizations that act now to automate and secure their certificate ecosystems will not only stay compliant but also gain a lasting operational advantage.
Akeyless empowers that transformation, delivering secure, automated, and quantum-resilient certificate lifecycle management built for the future.
Ready to future-proof your certificate management?
Request a demo and see how Akeyless can help you stay compliant, automated, and outage-free in the 47-day certificate era.
Frequently Asked Questions
What is the CA/B Forum?
The Certificate Authority/Browser Forum is the global consortium that defines rules and best practices for trusted TLS certificates used by browsers and CAs worldwide.
What does “47-day certificate” mean?
It refers to the new maximum validity period for publicly trusted TLS certificates under Ballot SC-081v3, which mandates continuous renewal cycles every 47 days.
When does it take effect?
The rollout begins in stages, shortening validity from 398 to 200 days in 2026, and ultimately to 47 days by 2029.
Why is automation necessary?
With such short lifetimes, manual renewals are impossible to scale. Automation ensures uninterrupted trust and compliance across all systems.
How does Akeyless help?
Akeyless automates every stage of the certificate lifecycle while ensuring private keys are fully protected through its Zero-Knowledge DFC™ encryption.