47-Day SSL Certificates Are Coming

200 days in 2026. 100 days in 2027. 47 days by 2029.

Updated: February 2026

The SSL industry is transitioning to short-lived certificates.

Under CA/Browser Forum Ballot SC-081v3, the maximum validity of publicly trusted SSL/TLS certificates will be reduced in phases:

  • March 15, 2026: 200-day maximum
  • March 15, 2027: 100-day maximum
  • March 15, 2029: 47-day maximum
By 2029, SSL certificates will need to renew up to seven times per year. Automation is no longer optional.

Why 47-day SSL certificates?

The shift toward shorter certificate lifespans is designed to improve ecosystem security and reduce risk exposure.

Reduced compromise window

If a private key is exposed, the certificate is valid for a shorter time period, limiting impact.

Faster validation cycles

Shorter lifespans require more frequent validation of domain ownership and organizational control.

Automation-first infrastructure

The industry is standardizing around automated ACME-based renewal workflows rather than manual CSR processes.

In practical terms, this change aligns commercial SSL with the model Let’s Encrypt introduced years ago.

What this means for developers

If you are deploying modern applications, you already understand this reality.

Infrastructure must be:

  • Automated
  • Repeatable
  • Deployment-friendly
  • Integrated into CI/CD workflows

Manual CSR generation and once-per-year certificate installs do not scale in a 100-day or 47-day certificate world.

Renewal needs to be part of your infrastructure automation, not a calendar reminder.

How Arcustech is adapting

Standardizing on Let’s Encrypt

Let’s Encrypt operates on an automation-first model and uses the same modern cryptographic standards and browser trust as commercial certificates.

It integrates cleanly into automated server environments and deployment workflows.

Let’s Encrypt is now our standard and fully supported SSL solution.

No longer directly selling commercial SSL certificates

As lifespans shorten, manual commercial SSL sales and CSR-based renewals become operationally impractical in managed environments.

We will no longer directly sell commercial SSL certificates.

Clients who require commercial certificates for compliance reasons may still use them, but automation will be required.

Full implementation details are available here:

https://www.arcustech.com/add-ons/ssl-certs/

CDN-first architecture simplifies SSL

We strongly recommend placing a CDN or abuse protection layer in front of every site.

Services such as Cloudflare, Bunny, and Fastly provide:

  • DDoS mitigation
  • Bot filtering
  • Global performance optimization
  • Simplified certificate lifecycle management

When SSL is terminated at the CDN layer, origin server complexity is reduced and renewals become more resilient.

Encryption strength is not changing

A 47-day SSL certificate provides the same encryption strength as a traditional 1-year commercial certificate.

Modern certificates, whether issued by Let’s Encrypt or a commercial CA, rely on the same cryptographic standards and browser trust chains.

For most modern deployments, the distinction between commercial and Let’s Encrypt certificates is policy-driven, not technical.

The future is automated SSL

Short-lived certificates are not a temporary experiment. They are the new baseline.

SSL management must now be:

  • Automated
  • Integrated into infrastructure workflows
  • Operationally predictable

Arcustech is aligning our hosting platform with that reality to ensure stable renewals, reduced outage risk, and modern deployment compatibility.

Back to Articles