The move towards 47-day SSL/TLS certificate lifecycles kicks off in late February 2026, and every business needs to be ready. This guide will take you through everything you need to know, from the background behind the decision through to actionable steps to take to be prepared for it.

What is the 47-Day SSL/TLS Certificates Validity Policy?

If you only read one sentence of this guide, what you need to know is that, as a response to growing security concerns, SSL/TLS certificates are gradually moving from their current 398 day maximum length to just 47 days.

You see, on 11 April 2025, the CA/Browser Forum officially approved a proposal that will reduce SSL certificate validity periods over the next four years. Under the new rules, the maximum lifespan of SSL/TLS certificates will shrink from today’s 398 days down to just 47 days by March 2029. This isn’t a one and done, overnight change, but a phased reduction designed to give businesses time to adapt.

The reason for the shift comes down to security. As cybercriminals ability to exploit vulnerabilities and crack codes improve, it isn’t enough to just try and make it harder to do. With shorter certificate lifespans it means that if a certificate is compromised, there’ll be much less time for hackers to use the breach to their advantage. It also forces more frequent validations of domain ownership and pushes the industry toward automated certificate management.

For domain resellers, web hosting providers, and agencies, this policy represents a major shift in how SSL certificates will need to be managed. The days of annual renewals are ending, and replaced with a world where certificates will need to be renewed, or reissued, multiple times per year.

47-Day SSL/TLS Certificates: The New Reality for Domain Resellers

If you want to plan for the SSL lifecycle changes, you need to be away of all the key dates, as well as how your processes will interact them. For instance, just because the maximum validity of a SSL certificate might reduce to 199 days, that doesn’t mean that your offering needs to be tied to that.

Current and Future Validity Periods for SSL/TLS Certificates

The transition to shorter certificate lifespans will roll out in phases. Here’s the complete timeline:

Let’s Adapt Together

Understanding Order Lifetime vs Certificate Lifetime

Here’s where things get important for resellers. Under the new framework, order lifetime and certificate lifetime will no longer always match.

For example, after 12 March 2026, if a customer purchases a 365-day SSL order, they won’t receive a single certificate valid for a full year. Instead, they’ll receive an initial certificate valid for 199 days. The remaining order lifetime will then be used to reissue additional certificates until the order expires.

This reissuance model will become increasingly frequent as validity periods shorten. By 2029, a one-year order could require up to eight certificate reissues throughout its lifetime.

It also creates a key task for every reseller: you will need to let your clients know how their SSL orders are going to work in the future, and how your support processes will need to change to accommodate more frequent certificate management activities.

It’s also worth noting that browsers only verify whether a certificate is valid at the time of use. They don’t evaluate the total order lifetime, so end users won’t notice any difference in how certificates function; which means the change is entirely on the operational end.

Why the 47-Day Mandate Is a Direct Threat to Your Reseller Business Model

The shift to shorter SSL certificate lifespans is a fundamental challenge to how most reseller businesses operate today. If your current processes rely on manual renewals or annual certificate cycles, the 47-day SSL certificate era will expose significant operational vulnerabilities.

Operational Overload: The End of Manual Renewal Processes

It’s simple mathematics. A reseller managing 500 client certificates today should be doing roughly 500 renewals per year. Once the 47-day lifetime has been reached in 2029, those same 500 clients will generate over 4000 renewal events annually: more than eight times the work.

For teams still relying on manual processes, spreadsheets, or calendar reminders, this number of renewals will quickly become unmanageable. Every renewal requires validation, issuance, and installation. Multiply that across hundreds or thousands of domains, and it’ll quickly spiral beyond what most support teams can absorb without significant additional resources.

Skyrocketing Risk of Client Downtime and Expiry

More renewals mean more opportunities for something to slip through the cracks. A single missed certificate renewal results in browser security warnings, blocked access, and immediate loss of customer trust in your client’s website.

For your clients, the consequences of SSL certificate expiry can be severe. An expired certificate triggers full-page browser warnings that actively block visitors from accessing the site. For e-commerce sites, this means abandoned carts and lost sales, while for B2B companies, it can damage credibility with prospects and partners. At the same time, search engines penalize insecure sites, meaning an expired certificate can undo months of SEO work overnight. And for businesses handling sensitive data, certificate lapses can create compliance issues with regulations like PCI-DSS and GDPR.

With 47-day certificates, the chance of something going wrong is just that much higher. What was once an annual task with weeks of buffer time becomes a monthly obligation with only days to spare. For resellers managing diverse client portfolios across different industries and time zones, keeping track of every expiration date manually is a recipe for service failures and angry clients.

Erosion of Client Trust and Broken SLAs

When a client’s website displays a security warning due to an expired certificate, they don’t blame the powers that be which mandated 47-day lifetimes; they blame their service provider – you. Repeated issues erode trust, damage your reputation, and put SLA commitments at risk.

In a competitive market, clients have options. If your renewal processes can’t keep pace with the new requirements, they’ll find a provider whose can.

The Direct Revenue Impact: Churn and Support Cost Spiral

The financial consequences extend beyond lost clients. Increased support ticket volumes, emergency out-of-hours renewals, and the staff time required to manage a higher renewal workload all eat into the bottom line.

On the flip side, clients frustrated by service disruptions are more likely to look elsewhere. And as every businessperson knows, acquiring new customers costs significantly more than retaining existing ones, so every preventable loss adds to bleeding from your bottom line.

But all that doom and gloom comes with an upside. It’s true for your competition too. The resellers who thrive in this new environment won’t be those who work harder; they’ll be those who work smarter, with automation and robust processes at the core of their SSL management strategy. And they’ll reap the benefit of clients moving to find more reliable platforms.

How to Adapt Your Business to the New 47-Day SSL/TLS Era: Strategic Framework

Want more good news? You have time to prepare. The transition is phased, with the first changes taking effect in early 2026 and the full 47-day requirement only arriving in March 2029. Resellers who act now can turn this industry shift into a competitive advantage.

Here’s a practical framework for adapting your business.

Step 1: Embrace Full Automation as Your New Foundation

Manual certificate management won’t scale in a 47-day world. The first step is accepting that automation isn’t optional; it’s essential.

Conduct a Mandatory SSL Certificate Inventory Audit

Before you can automate, you need to know what you know and what you don’t know. Start by building a complete inventory of every SSL certificate you manage across your client base. You should document domain names, certificate types, expiration dates, issuing CAs, and the validation methods used.

This audit will reveal your exposure: how many certificates need attention, which clients have the largest portfolios, and where gaps in your current tracking might exist. It’s also vital for any automation strategy, as you can’t automate what you haven’t mapped.

Enable Universal Auto-Renewal as a Default Policy

One of the simpler changes you can make is to switch from opt-in to opt-out for automatic certificate renewals. By making auto-renewal the default setting, you reduce the risk of expired SSL certificates when your clients miss emails or just forget to act.

In the same vein, make sure your clients’ payment methods are current, and that they understand how auto-renewal protects their business. Remember to present this change as a way of making your clients’ lives better, not an extra hoop they need to jump through.

Evaluate Your Current Platform’s ACME Protocol Readiness

The ACME (Automatic Certificate Management Environment) protocol has become the industry standard for automated certificate issuance and renewal. It’s the technology behind Let’s Encrypt’s success and is now supported by major commercial CAs including DigiCert and Sectigo.

Find out whether your current platform either supports ACME-based automation or has plans to support it by the time SSL certificate validity times drop to 100-days in 2027.

Quantify Your Manual Overhead and Risk Profile

Next, you need to put numbers to your current process. How many hours does your team spend on certificate renewals each month? How many certificates have lapsed in the past year? And how much did that cost you in client goodwill, support time, or lost revenue?

Knowing these figures will help you build the business case for investing in automation and then measure the ROI of any changes you implement.

Step 2: Partner with a Platform Built for the 47-Day Era

Choosing the right reseller platform to partner with will be vital to navigating the move to 47-day validity. You need a provider that’s proactively adapting to the new requirements, not scrambling to catch up.

Implement API-First Certificate Lifecycle Management

API integration is the backbone of scalable SSL management, saving you time and effort on every single operation. Look for platforms offering robust APIs that support the full certificate lifecycle: ordering, validation, issuance, renewal, and reissuance.

Part of the reason CentralNic Reseller’s recently introduced our new SSL API 2.0 was to support the new certificate lifecycle rules, with enhanced functionality across key commands:

• AddCertificate for streamlined validation and expanded coverage options
• RenewCertificate for flexible coverage periods aligned with the new validity limits
• GetCertificateInfo for updated validity period details across all product classes

Proactive Alerting and Dashboard Intelligence

Visibility is everything when managing high-volume certificate renewals. You’ll need to receive clear certificate status data across your portfolio, with proactive alerts before expiration dates.

These can be in the form of their dashboard, or through direct data that you can use to form your own picture.

Streamlined Deployment and Integration

The faster you can deploy certificates, the less operational drag on your team. Look for platforms that integrate with your existing infrastructure.

CentralNic Reseller offers both Blesta and WHMCS integrations, our own METAregistry, plus a whole suite of bespoke SSL API calls, that make it straightforward to incorporate automated certificate management into your existing workflows.

Step 3: Master Proactive Client Communication

Technical readiness is only half the battle. Your clients need to know what’s changing, why it’s changing, and they need to trust that you have it all in hand.

Execute a Proactive Client Communication Campaign

Don’t wait for clients to discover these changes themselves. Get ahead of the news with clear, jargon-free communication explaining:

• What’s changing and when
• Why the industry is making this shift
• How it affects their certificates and websites
• What you’re doing to ensure seamless continuity
• What, if anything, they need to do

Consider a phased communication approach: an initial announcement in early 2025, followed by reminders as each milestone approaches.

Reposition Yourself as the Expert

This industry shift is an opportunity to demonstrate your value. Clients who might have viewed SSL certificates as a commodity, a box to tick, will suddenly need guidance navigating more complex renewal cycles.

Create educational content explaining the changes. Talk to top clients directly. Offer certificate audits as a value-added service. The resellers who position themselves as trusted advisors, rather than just vendors, will find this is a great opportunity to forge stronger client relationships.

Train Your Sales and Support Teams on the New Value Proposition

Your client-facing teams need to understand the changes well enough to explain them confidently. Build training materials covering the technical details, common client questions, and how your services address the new challenges.

Equip your sales team to articulate why automation and a robust platform matter more than ever. This is a chance to prove your service quality.

Turn a Threat into a Trust Signal

If you handle this transition well, it’ll be proof that your company can be trusted. When clients see you communicating proactively, offering solutions, and managing the change smoothly, they will have renewed confidence in working with you. And that trust will translate into more retention, referrals, and further opportunities to expand the relationship.

Discuss Your Needs Now

SSL Certificate Validity Change: Transforming Threat into Opportunity

The move to 47-day SSL certificate renewals will undoubtedly create challenges, but it also opens doors for resellers willing and able to adapt. While your competition might struggle with operational overload, forward-thinking businesses take this opening to launch new services, deepen client relationships, and build sustainable recurring revenue.

Here’s some ideas to turn the 47-day mandate into a genuine business opportunity.

Launch a Premium “Managed SSL” Service Tier

When certificate management becomes more complex, clients will pay for simplicity. This is your chance to move from just selling SSL certificates as a product, to offering SSL management as a service.

Consider introducing a “Managed SSL” tier that includes full lifecycle management: certificate ordering, validation, installation, monitoring, and renewal. Price it as a recurring monthly or annual fee rather than a one-time transaction. For clients with large or complex certificate portfolios, this hands-off approach will be worth a premium.

This way, you can transform unpredictable, transactional revenue into a stable, recurring income stream. It also has the benefit of changing your client relationship from vendor to partner: you’re no longer just selling certificates; you’re ensuring their websites stay secure and online.

Solidify Your Competitive Advantage

Many resellers will be caught flat-footed by these changes, scrambling to adapt their processes while service quality suffers. By preparing now, you can position yourself as the reliable alternative.

Invest in automation, train your team, and refine your processes before the deadlines hit. Each time the SSL timing reduces, you’ll be operating smoothly while competitors are firefighting. That contrast, between you and them, will become your competitive advantage: a reason for prospects to choose you and for existing clients to stay.

Achieve Powerful Client Lock-In and Reduce Churn

Clients who become used to your seamless SSL management are far less likely to switch other resellers. And the more deeply your services integrate into their operations, the stickier the relationship becomes.

Managed SSL services create natural retention. A client who knows their certificates are handled, monitored, and renewed without any effort on their part has little incentive to go through the hassle of moving to a new provider. This reduces churn and increases lifetime customer value.

Streamline Operations and Unlock New Efficiencies

Automation doesn’t just help you cope with higher renewal volumes; it fundamentally improves how your business operates. Processes that once required manual intervention, and the errors that came with them, can be standardized and streamlined.

The investment you make in automation for SSL management often pays dividends elsewhere. API integrations, monitoring dashboards, and proactive alerting capabilities can be extended across other product lines, improving efficiency across your entire operation and becoming selling points to clients in and of themselves.

Upsell and Expand Wallet Share with Existing Clients

The conversation about SSL certificate lifetime changes is also a conversation about security more broadly. Use it as an opportunity to review your clients’ wider security posture.

Do they have adequate protection across all their domains? Are they still relying on free, basic certificates where premium options like OV or EV certificates would better serve their needs? Could they benefit from additional security services your platform offers?

For resellers offering a broad product range, this is a natural moment to cross-sell. A client thinking about SSL security is already in the mindset to consider related services. CentralNic Reseller’s portfolio of over 1,200 domain extensions, combined with SSL certificates from trusted CAs like DigiCert and Sectigo, and our premium KeyDNS offering, means you can position yourself as a one-stop shop for your clients’ domain and security needs.

For more on why premium SSL certificates matter for your clients, see our guide: Why You Should Rethink a Free SSL Certificate.

Enhance Your Brand as a Security Thought Leader

Finally, the way you approach the SSL/TLS certificate validity changes says a lot about your business. Resellers who communicate proactively, educate their clients, and lead through change will build reputations as trusted experts.

Do all the usual things: publish content explaining the changes, share updates on how you’re preparing on your socials, and be visible in industry conversations. Because being a thought leader positions your brand for the long term, attracting clients who value expertise and professionalism.

The 47-day SSL certificate lifetime change will reward resellers who see beyond the operational burden to the strategic opportunity underneath. Those who adapt early emerge stronger from this transition, using it an opportunity to thrive.

Secure Your Clients Now

Conclusion: Don’t Wait for 2029 – Start Your SSL Validity Adaptation Now

The move to 47-day SSL certificates is no longer a proposal or a possibility; it’s confirmed industry policy. The CA/Browser Forum has spoken, the major Certificate Authorities are aligned, and the countdown has begun.

The timeline is clear:

• 15 March 2026: Maximum certificate validity drops to 200 days
• 15 March 2027: Maximum validity drops to 100 days
• 15 March 2029: Maximum validity drops to 47 days, with DCV reuse limited to just 10 days

Note: both Sectigo and Digicert are taking their first step-down earlier than the CA/Browser Forum date and are setting it to 199 days.

For domain resellers, web hosting providers, and agencies, this represents the biggest change to SSL certificate management in over a decade. Those who prepare early will find it easy to navigate. Those who wait will risk operational chaos, service failures, and client churn.

The steps are straightforward: audit your certificate portfolio, embrace automation, choose the right platform partner, and communicate proactively with your clients. Resellers who treat this as an opportunity, rather than just a burden, will find new revenue streams in managed SSL services, stronger client relationships, and a genuine competitive edge.

CentralNic Reseller is committed to supporting our partners through this transition. Our platform is being updated to fully support the new certificate lifecycle requirements, with API enhancements, flexible coverage options from DigiCert and Sectigo, and more. Whether you’re managing dozens of certificates or thousands, we’re here to help you adapt.

The 47-day SSL certificate era is coming. The only question is whether you’ll be ready for it.

Get in contact with our team to see how CentralNic Reseller can help you through the transition.

FAQs

What should I do in response to the new SSL/TLS changes?

Start by auditing your current SSL certificate portfolio to understand your exposure. Then evaluate your platform’s automation capabilities and begin shifting toward auto-renewal processes. Hard work now will lead to smooth SSL certificate management when shorter validity periods take effect.

Why do 47-day SSL/TLS lifespans matter for my business?

Shorter certificate lifespans mean significantly more renewal events each year. Without automation, managing this increased workload becomes unsustainable. For resellers, adapting to 47-day SSL certificates is essential to maintaining service quality and preventing costly client downtime.

When does the 47-day SSL certificate rule officially take effect?

The 47-day certificate validity limit comes into force on 15 March 2029. However, to help make the transition smoother, gradual decreases start much sooner, with SSL/TLS certificate lifetimes dropping to 199 days from 24 February 2026 and 100 days from 12 March 2027.

Why are SSL/TLS certificate and validation data lifespans being reduced?

The CA/Browser Forum approved these changes to enhance security. Shorter SSL validity periods limit exposure if certificates are compromised, so that when a cyberattack happens it won’t have a long time to do damage.

How do 47-day SSL certificates affect domain resellers and hosting providers?

Resellers will face massively increased renewal volumes, with annual certificates requiring up to eight reissues per year. This makes automation essential to avoiding unsustainable support workloads and missed renewals.

Is the 398-day SSL certificate still available until 2026?

398-day certificates are only available until 11 March 2026. The current maximum SSL certificate validity of 398 days remains in effect for certificates issued on or before 23 February 2026 for DigiCert and 11 March 2026 on Sectigo. After that, maximum validity drops to 199 days.

What industries are most affected by SSL/TLS lifespan reductions?

Any industry relying heavily on secure web services will feel the impact. E-commerce, financial services, healthcare, and SaaS providers, who often manage large certificate portfolios, face the greatest operational challenges from shortened digital certificate lifespans. And, of course, those who supply SSL certificates.

What about OV and EV certificates?

OV (Organisation Validation) and EV (Extended Validation) certificates are subject to the same validity reductions as DV certificates. Additionally, Subject Identity Information reuse for OV and EV certificates drops from 825 days to 398 days from 12 March 2026.

How do I audit my current client SSL certificates to prepare for the change?

You need to compile a complete inventory documenting every certificate’s domain, type, issuing CA, expiration date, and validation method. This will show you what your renewal workload is, and help form the foundation of your automation strategy.