The 47-Day SSL Certificate Era: What It Means for Site Owners and IT Teams
2025年SSL证书有效期将缩短至47天以提升安全性并推动自动化管理。此举旨在减少证书被攻破的风险,并依赖自动化工具实现频繁更新。对网站管理员和IT团队提出更高要求:需采用自动化管理工具以避免因手动更新导致的停机风险,并适应即将普及的短生命周期证书标准。这一变化标志着SSL证书管理向更安全、自动化的方向发展。 2025-7-4 16:15:24 Author: securityboulevard.com(查看原文) 阅读量:17 收藏

Avatar photo

In 2025, the world of SSL certificates is about to undergo a major shift — again. 

The SSL/TLS ecosystem is preparing for a move toward short-lived certificates, with the next big milestone being the introduction of 47-day certificate validity periods. This marks a significant drop from the current 90-day standard commonly seen with free CAs like Let’s Encrypt and an even steeper reduction from the 398-day maximum for commercial certificates.

But what’s driving this change? And how should businesses, developers and IT teams prepare? 

Techstrong Gang Youtube

AWS Hub

Let’s break it down. 

Why the Shift to 47-Day SSL Certificates? 

There are two main forces behind this transition: 

  1. Improved Security Through Shorter Lifecycles
    The shorter a certificate’s lifespan, the lower the risk window if it’s compromised. With short-lived SSL certificates, issues like key compromise or mis-issuance are far less damaging because the certificate expires quickly. 
  2. Industry Push Toward Automation
    Certificate renewal has traditionally been a manual, error-prone process. As automation tools (like ACME clients) become the norm, the argument against shorter lifespans weakens. In fact, automation is now seen as essential. 

This change is being supported — and in some cases, led — by major players in the browser and CA ecosystem, including Google Chrome and Let’s Encrypt. 

From 398 to 90… to 47 Days 

Historically, SSL certificates were valid for up to 2 or even 3 years. That changed in 2020, when browser vendors capped lifetimes at 398 days. The goal was tighter control and faster adoption of new security standards. 

Let’s Encrypt then pioneered the 90-day model and now, the next wave is 47-day validity, with automatic renewal mechanisms renewing certs every 30 days or less. This provides a buffer to handle failed renewals while maintaining high security. 

What it Means for Site Owners 

If you’re managing your website or online store, here’s what you need to consider: 

  • Manual renewals are no longer viable. Renewing certificates every 47 days is not sustainable by hand. 
  • Automated certificate management is now essential. If you’re not using a tool like Certbot, acme.sh, or a managed SSL service, it’s time to implement one. 
  • Downtime risks increase without automation. Missed renewals could lead to expired certificates, browser errors and lost trust from visitors. 
  • Expect browser enforcement soon. While 47-day certificates are not yet a universal requirement, adoption is accelerating. 

What IT Teams Should Do Now 

If you’re part of a development or infrastructure team, preparation is key: 

  1. Audit your current certificate deployment strategy.
    Know which domains, subdomains and environments use SSL, and how certs are issued and renewed. 
  2. Implement ACME-based automation where possible.
    Use tools like Certbot, win-acme, or EFF’s Dehydrated. Many hosting providers and CDNs offer built-in automation. 
  3. Schedule early renewals (e.g., every 30–35 days).
    This ensures a safety buffer and avoids expiry-related outages. 
  4. Integrate monitoring.
    Set up monitoring tools to alert you if a certificate is nearing expiry or if a renewal fails silently. 
  5. Review CA options.
    Some commercial certificate providers are slow to adopt automation-friendly options. Consider switching to vendors that offer ACME support or fully managed renewal. 

Will all Certificates be 47 Days? 

Not necessarily — at least not right away. This shift is expected to start with ACME/automated certificates and gradually become the default for most providers, especially for DV (Domain Validated) certs. Extended Validation (EV) and Organization Validated (OV) certificates may still have longer lifespans for now, due to stricter issuance requirements.

However, the industry trend is clear: Short-lived, auto-renewing SSL is the future.

Final Thoughts 

The move to 47-day SSL certificates is a major step toward a more secure, automated internet. While it introduces new challenges, especially for organizations relying on manual processes, it ultimately pushes the ecosystem toward greater resilience and trust. 

The key takeaway? Automation isn’t optional anymore — it’s foundational.


文章来源: https://securityboulevard.com/2025/07/the-47-day-ssl-certificate-era-what-it-means-for-site-owners-and-it-teams/?utm_source=rss&utm_medium=rss&utm_campaign=the-47-day-ssl-certificate-era-what-it-means-for-site-owners-and-it-teams
如有侵权请联系:admin#unsafe.sh