Skip to content
Enterprise
🇩🇪 Deutsch 🇬🇧 English 🇫🇷 Français
Start your 90-day trial
Datargo OneEnterprise Single-pane-of-glass cockpit for enterprises. All modules from one source. Learn more
Flagships
Datargo Monitor Availability and security posture. Datargo CRM Support hub for every brand.
Operations & commerce
Datargo ID SSO and MFA for the whole suite. Datargo ERP GoBD-compliant commercial core.
Trust & crypto
NextPKINew Certificate lifecycle, 47-day ready.
Bundle of the month
Reliability Bundle

Datargo Monitor + NextPKI as a single billed package. NIS2 evidence and certificate lifecycle from one cockpit.

Learn more
By outcome
Reliability & security NIS2 evidence from monitoring + incident. Customer service hub Live chat, tickets, multi-brand. Identity & SSO One identity for all modules.
By compliance
NIS2-Evidence Evidence at the press of a button. DORA resilience Financial sector, register of information. ISO 27001 & GoBD Annex A controls and e-invoicing.
By size
Solo & indie team Productive in 5 minutes. Mid-market SSO, audit trail, multi-brand. Enterprise & public sector Hundreds of seats, region pinning.
Sovereignty Kit
NIS2 evidence package

Ready-made Datargo Monitor and Datargo CRM controls, mapped against NIS2 obligations. Start straight into the pilot.

Read the NIS2 whitepaper
Learn
Documentation Module guides, API reference, quick start. Best-practice guides NIS2 setup, multi-brand Datargo CRM, SSO rollout. Blog Release notes, compliance news, roadmap.
Trust
Trust Center Hosting, certificates, sub-processors. Status-Page Live availability of all Datargo modules. Legal & privacy DPA, sub-processor list.
Customers
Customer stories Case studies from finance, public, tech. Partner program System integrators, implementers, MSPs. Events & webinars it-sa, EIC, NIS2 roadshows.
From the cockpit
47-day TLS from 2029

NextPKI is already prepared for the new CA/B Forum reality. Whitepaper and migration guide available now.

Read the whitepaper
Platform Datargo Monitor Datargo CRM Datargo ID Datargo ERP NextPKI
Datargo One Pricing Compliance
Language
🇩🇪 Deutsch 🇬🇧 English 🇫🇷 Français
Start your 90-day trial Book a call
Skip to content
PKI & Certificates

47-Day Certificates: The CA/Browser Roadmap to 2029

09.06.2026 · 4 min read

The CA/Browser Forum is cutting maximum TLS lifetimes to 47 days in stages. What the 200-, 100- and 47-day steps mean for discovery, renewal automation and operations teams.

The debate is settled, and part of the outcome is already operational reality: since 15 March 2026, publicly trusted TLS certificates may be valid for at most 200 days, down from 398. That is the first step in a roadmap the CA/Browser Forum adopted in April 2025 with Ballot SC-081v3: unanimously, with 29 votes in favour and none against. At the end of that roadmap sits a maximum lifetime of 47 days.

If you still order certificates by hand and track them in a calendar, treat the next three years as a rebuild project, not a series of individual appointments.

The roadmap in numbers

Maximum validity drops in clearly dated steps:

  • until 14 March 2026: 398 days (the previous standard)
  • from 15 March 2026: 200 days (in effect today)
  • from 15 March 2027: 100 days
  • from 15 March 2029: 47 days

In parallel, and this is the operationally harder part, the reuse window for Domain Control Validation (DCV) shrinks. Once you have proven control over a domain, that proof may be “reused” for a much shorter period before it must be re-established:

  • from 15 March 2026: 200 days
  • from 15 March 2027: 100 days
  • from 15 March 2029: 10 days

For OV and EV certificates, the reuse period for vetted organisation data (Subject Identity Information) additionally falls from 825 to 398 days on 15 March 2026.

So the 47 days are only the headline. The 10-day DCV reuse from 2029 is the real metronome: from then on, you effectively have to re-prove control of your domain every ten days.

Why the reduction is happening

The reasoning is straightforward. A certificate is a trust statement with an expiry date. The longer it is valid, the longer a mis-issuance, a compromised key or an outdated cryptographic parameter keeps having effect. The classic countermeasure, revocation via CRL and OCSP, works unreliably in practice: revocation lists are not evaluated promptly everywhere, and OCSP is increasingly being deprecated. Short lifetimes replace revocation with expiry. A problem heals itself because the affected certificate will soon be invalid anyway.

The second driver is crypto-agility. If you renew certificates regularly, you can change algorithms, key lengths and profiles in ongoing operation, a precondition for the upcoming migration to post-quantum methods. Long lifetimes, by contrast, cement the status quo.

What this means for operations

The central consequence is mundane and unavoidable: manual renewal no longer scales. A 47-day certificate, with a sensible buffer, gets replaced roughly every 30 days. Across a mid-sized estate, that is no longer a calendar entry but a process that has to run without human intervention.

Three capabilities decide whether this rebuild succeeds:

Automation. ACME (RFC 8555) is the established standard for automatic issuance and renewal, not only for Let’s Encrypt, but increasingly for commercial and internal CAs too. Where ACME does not reach, you need API-driven renewal workflows with approval, so that compliance controls remain intact.

Discovery. You can only automate what you know about. The typical outage in 2029 will not be the well-maintained certificate on the main system, but the forgotten one on a load-balancer endpoint, an appliance or in a cloud account nobody is watching any more. Active network scans and passive cloud discovery are what keep short lifetimes from turning into short-notice outages.

Ownership. Every certificate needs a clearly assigned owner, a known CA and a defined renewal procedure. An inventory that carries those three facts per certificate is the real insurance against the 47-day reality.

This pattern (discovery first, then CA-agnostic automation with approval) is exactly what underpins our NextPKI module. The regulatory direction is independent of any tool: whoever makes the estate visible and automates renewal is prepared, regardless of which instrument they use.

What makes sense now

Three years sounds like plenty of time, but the 200-day step is already running. Concretely, it is worth doing now: a complete inventory of all TLS certificates across network, cloud and endpoints; identifying every place that still renews by hand today; a pilot of ACME-based auto-renewal on non-critical services; and clarifying which internal systems can technically sustain ten-day domain re-validation at all by 2029.

The 47 days are not arriving by surprise, and not all at once. They arrive in steps, and the first one is already here.

Back to the blog

Datargo Datargo

The European Business Operations Platform. Monitoring, customer service, identity, accounting, and certificates in one sovereign suite. Auditable by design. Made in Germany.

EU hosting, Frankfurt GDPR-native Made in Germany
Platform
  • Datargo One
  • Datargo Monitor
  • Datargo CRM
  • Datargo ID
  • Datargo ERP
  • NextPKI
Solutions
  • Reliability & Posture
  • Customer service hub
  • Identity & SSO
  • Commerce & GoBD
  • Scaling
Compliance
  • NIS2 evidence
  • DORA resilience
  • ISO 27001 mapping
  • GoBD & e-invoicing
  • Sovereignty
Industries
  • Financial services
  • Public sector
  • Health & pharma
  • Industry & TISAX
  • SaaS & tech
Resources
  • Trust Center
  • Documentation
  • Status page
  • Customer stories
  • Partner program
  • Blog
Company
  • Datargo One for enterprises
  • Start your 90-day trial
  • Book a call
  • Contact
  • Careers
© 2026 Datargo GmbH. All rights reserved.
Imprint Privacy Terms DPA SLA Sub-processorsDORA / NIS2
Germany · English

Datargo® and Databurg® are registered trademarks of Datargo GmbH. All other product names, logos, and trademarks mentioned are the property of their respective owners.

Cookies & optional features. Datargo uses technically necessary cookies. Optionally we enable comfort features such as our live-chat support, an in-house Datargo service that processes personal data in the process. You can accept everything or keep only the necessary cookies.

More in the privacy policy