
The Road to 47-Day Certs: A Timeline Every IT Team Should Pin to Their Wall

From 398 days to 47 days — the CA/Browser Forum's phased reduction of TLS certificate validity is the biggest operational shift in PKI history. Here's the complete timeline, what each milestone demands, and how to stay ahead.

Marcus Webb
Principal Security Architect
2026-03-20

The Full Picture: Three Deadlines, One Destination

The CA/Browser Forum's Ballot SC-081v3 didn't just shorten certificate validity — it set a multi-year trajectory that fundamentally changes how organizations manage TLS certificates. Every IT team, security engineer, and DevOps practitioner needs this timeline burned into their planning.

The Official SC-081 Timeline

┌────────────────────────────────────────────────────────────────────┐
│                  SC-081 Certificate Validity Reduction             │
├──────────────────┬──────────────┬───────────────┬─────────────────┤
│ Date             │ Max Validity │ Max DCV Reuse │ SAN Reuse (OV)  │
├──────────────────┼──────────────┼───────────────┼─────────────────┤
│ Before Mar 2026  │ 398 days     │ 398 days      │ 398 days        │
│ March 15, 2026   │ 200 days     │ 200 days      │ 200 days        │
│ March 15, 2027   │ 100 days     │ 100 days      │ 100 days        │
│ March 15, 2029   │ 47 days      │ 10 days       │ 10 days         │
└──────────────────┴──────────────┴───────────────┴─────────────────┘

Let's break down what each milestone actually means for your operations.

Milestone 1: 200-Day Certificates (March 15, 2026) ✓ NOW ACTIVE

What Changed

This milestone is already in effect. Since March 15, 2026:

  • No publicly trusted CA can issue a certificate valid for more than 200 days
  • Domain control validation results expire after 200 days
  • Organizations must renew certificates approximately twice per year

Operational Impact

Renewal frequency:  ~2x per year per certificate
Operational load:   2x compared to 398-day era
Automation need:    Strongly recommended
Manual feasibility: Difficult for portfolios > 500 certificates

What You Should Have Done

  • Completed a full certificate inventory audit
  • Identified all manual renewal workflows
  • Begun ACME pilot programs for automated renewal
  • Deployed or evaluated a CLM platform

What You Still Can Do

If you haven't started, begin now. The October 2026 expiration wave — when the first batch of 200-day certificates expires — is your real deadline.

Milestone 2: 100-Day Certificates (March 15, 2027)

What Changes

In less than a year, maximum validity drops again to 100 days. This is the milestone that separates organizations with automation from those without.

  • Renewal frequency quadruples compared to the 398-day era
  • DCV reuse drops to 100 days, requiring more frequent domain re-validation
  • Manual processes become operationally unsustainable at scale

Operational Impact

Renewal frequency:  ~4x per year per certificate
Operational load:   4x compared to 398-day era
Automation need:    Required for any portfolio > 100 certificates
Manual feasibility: Not viable at enterprise scale

What You Should Be Doing Now

  1. Achieve 75%+ automation coverage for certificate renewals
  2. Automate DCV using DNS-01 or HTTP-01 challenge methods
  3. Implement automated deployment — issuing a certificate isn't enough if deploying it is manual
  4. Test renewal pipelines under load — simulate 4x renewal volume
  5. Establish escalation procedures for failed automated renewals

The 100-Day Trap

Many organizations will treat 200-day certificates as manageable with semi-automated processes. When 100-day certificates arrive, those same processes will break:

  • Semi-annual manual reviews become quarterly or more frequent
  • Approval workflows that take 2 weeks eat 14% of the certificate's lifetime
  • Manual DNS validation for DCV at 4x frequency overwhelms DNS administrators

Milestone 3: 47-Day Certificates (March 15, 2029)

What Changes

The final milestone brings maximum validity to 47 days and DCV reuse to just 10 days. This is the end state the industry is building toward.

  • Certificates must be renewed approximately every 6-7 weeks
  • Domain ownership must be re-proven every 10 days
  • Manual certificate management becomes impossible at any scale

Operational Impact

Renewal frequency:  ~8x per year per certificate
Operational load:   8x compared to 398-day era
Automation need:    Mandatory — no exceptions
Manual feasibility: Impossible

The DCV Reuse Shock

The most underappreciated change at this milestone is the 10-day DCV reuse period. Today, you prove domain ownership once and reuse that validation for months. By 2029:

  • Domain validation results expire in 10 days
  • You must be able to prove domain ownership on demand, automatically
  • DNS-01 automation with API-controlled DNS becomes essential
  • Organizations without programmatic DNS control face a fundamental blocker
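
An added example (not from the original article or from any vendor tool) that applies the SC-081 table and the DCV reuse limits to a certificate inventory: for each record it reports whether the certificate exceeded the cap in force at issuance, which cap its replacement will fall under, and whether the earlier domain validation can still be reused on the renewal date. The host names and dates are constructed, and the two-thirds renewal point and the choice to apply each table row by the certificate's issuance date are assumptions.

```python
from datetime import date, timedelta

# (effective date, max validity days, max DCV reuse days) from the SC-081 table.
SC081 = [
    (date(2029, 3, 15), 47, 10),
    (date(2027, 3, 15), 100, 100),
    (date(2026, 3, 15), 200, 200),
    (date.min, 398, 398),
]

def limits_on(issue_day):
    """(max_validity_days, max_dcv_reuse_days) for a certificate issued on issue_day."""
    for effective, validity, dcv in SC081:
        if issue_day >= effective:
            return validity, dcv

def plan_renewal(cert, renew_fraction=2 / 3):
    """Audit one inventory record and plan its replacement.

    renew_fraction is an assumed policy: renew once this share of the
    lifetime has elapsed. Dates are compared at whole-day granularity.
    """
    lifetime = (cert["not_after"] - cert["not_before"]).days
    cap_at_issue, _ = limits_on(cert["not_before"])
    renew_on = cert["not_before"] + timedelta(days=int(lifetime * renew_fraction))
    next_cap, dcv_cap = limits_on(renew_on)  # limits in force on the renewal date
    return {
        "host": cert["host"],
        "over_cap": lifetime > cap_at_issue,  # longer than allowed at issuance
        "renew_on": renew_on,
        "next_max_validity": next_cap,        # cap on the replacement certificate
        # False means the domain must be re-validated before the renewal.
        "dcv_reusable": (renew_on - cert["dcv_done"]).days <= dcv_cap,
    }

# Constructed inventory records (hypothetical hosts and dates).
INVENTORY = [
    {"host": "www.example.test", "not_before": date(2026, 2, 1),
     "not_after": date(2027, 3, 6), "dcv_done": date(2026, 2, 1)},
    {"host": "api.example.test", "not_before": date(2029, 1, 10),
     "not_after": date(2029, 4, 20), "dcv_done": date(2029, 2, 20)},
    {"host": "legacy.example.test", "not_before": date(2026, 4, 1),
     "not_after": date(2027, 4, 1), "dcv_done": date(2026, 6, 1)},
]

if __name__ == "__main__":
    for record in INVENTORY:
        print(plan_renewal(record))
```

The second record shows the shock described above: a 25-day-old validation that the 100-day rule would accept is stale once the renewal date falls on or after March 15, 2029.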

What This World Looks Like

# A typical day in the 47-day certificate era
daily_certificate_operations:
  organization_size: 10,000 certificates
  daily_renewals: ~219            # 10,000 / 47 days ≈ 213 renewals per day
  daily_dcv_validations: ~1,000   # 10,000 / 10 days
  required_capabilities:
    - fully_automated_acme_renewal
    - api_driven_dns_validation
    - automated_certificate_deployment
    - real_time_monitoring
    - self_healing_on_failure

An enterprise with 10,000 certificates will process approximately 219 renewals per day and 1,000 domain validations per day. This is not a manual operation. It's an automated system.

Planning Your Journey

The Three-Phase Approach

Phase 1: Survive 200 Days (Now — September 2026)

  • Deploy CLM platform with automated discovery
  • Automate renewal for top 50% of certificates by volume
  • Establish monitoring and alerting for all certificates
  • Build runbooks for renewal failures

Phase 2: Thrive at 100 Days (October 2026 — February 2027)

  • Achieve 90%+ automation coverage
  • Implement automated DCV with DNS API integration
  • Deploy automated certificate installation to all endpoints
  • Load test renewal infrastructure at 4x volume
  • Eliminate all manual approval bottlenecks

Phase 3: Own 47 Days (2027 — March 2029)

  • Achieve 99%+ automation coverage
  • Implement 10-day DCV automation
  • Deploy self-healing renewal with automatic retry and failover
  • Integrate certificate operations into observability platform
  • Conduct chaos engineering exercises for certificate infrastructure

Key Metrics to Track

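┌────────────────────────────┬────────────────┬────────────────┬───────────────┐
│ Metric                     │ 200-Day Target │ 100-Day Target │ 47-Day Target │
├────────────────────────────┼────────────────┼────────────────┼───────────────┤
│ Automation coverage        │ 50%+           │ 90%+           │ 99%+          │
│ Mean time to renew         │ < 24 hours     │ < 4 hours      │ < 1 hour      │
│ Renewal failure rate       │ < 5%           │ < 2%           │ < 0.5%        │
│ Discovery coverage         │ 80%            │ 95%            │ 99%           │
│ Manual interventions/month │ < 50           │ < 10           │ < 2           │
└────────────────────────────┴────────────────┴────────────────┴───────────────┘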

Budget and Staffing Considerations

The Cost of Inaction

Certificate-related outages cost enterprises an average of $300,000 per incident in direct costs, with some high-profile incidents exceeding $1 million. As renewal frequency increases 8x, the probability of outages grows proportionally for organizations without automation.

Investment Priorities

  1. CLM Platform — The foundation of automated certificate management
  2. ACME Infrastructure — Client deployment and CA integration
  3. DNS Automation — API-controlled DNS for DCV automation
  4. Deployment Automation — Automated certificate installation across infrastructure
  5. Monitoring & Observability — Real-time visibility into certificate health

The Bottom Line

The road to 47-day certificates is a three-year journey with three hard deadlines. Each milestone roughly doubles the operational burden of the previous one. Organizations that build automation infrastructure today will navigate each transition smoothly. Those that wait will face exponentially growing operational risk.

Print this timeline. Share it with your leadership. Build it into your 2026-2029 infrastructure roadmap. The dates are fixed — your readiness is the only variable.

TigerTrust automates every step of this journey — from discovery through renewal to deployment. Start your free assessment today.
