If renewing TLS certificates already feels like a recurring chore, it’s about to become a full-time job.
Welcome to the world of 47-day certificates.
With the CA/B Forum approving Apple’s proposal to reduce public TLS certificate lifespans from 398 days to just 47 days by 2029, organizations are staring at a major operational shift. The first change, reducing validity to 200 days, arrives as early as March next year.
This isn’t a minor update. It’s a full-blown lifestyle shift for PKI and security teams. To put it in perspective, if you’re managing 5,000 certificates today, that’s 5,000 renewals a year. But by 2029, that number jumps to 60,000 renewals annually. That’s 12x more work, risk, and complexity.
And with shorter cycles, the stakes are higher. Even one missed renewal can lead to costly outages, security risks, and compliance failures. According to a recent Forrester survey, 57% of surveyed organizations reported incurring costs of at least $100,000 per outage.
For PKI admins and security teams already juggling high workloads, manual processes and semi-automated scripts won’t scale. They weren’t built for this pace or this level of complexity. What feels “manageable” today could quickly spiral into chaos—unless automation steps in.
So, what does real, scalable, full-spectrum TLS certificate lifecycle automation look like in a 47-day world? And how are the best teams getting it right?
Let’s break it down.
What Modern-Day TLS Certificate Automation Really Looks Like
Adapting to a 47-day TLS means leaning on automation, but not the kind that just sends you renewal reminders and handles a few renewals.
On the surface, certificate lifecycle management (CLM) might look straightforward—enroll, provision, install, renew, and done. But in practice, it’s a complex and layered process. There’s domain validation to complete, endpoints to bind, configurations to check, policies to enforce, and cryptographic hygiene to maintain. All of it needs to happen on time, in the correct order, and in sync.
That’s why full lifecycle automation is essential. You need complete orchestration across the certificate lifecycle—discovery, monitoring, issuance, renewal, provisioning, revocation, and reporting.
The CISO’s Guide to Certificate Lifecycle Management (CLM)
Here’s what it looks like in practice:
1. Continuous Discovery and Foundational Visibility
You can’t automate what you can’t see.
A best-in-class CLM solution continuously discovers certificates across your entire environment, including on-prem, cloud, DevOps pipelines, public and private CAs, and even those hiding in shadow IT. It builds a centralized inventory, mapping certificates back to owners, systems, expiration timelines, and compliance status, giving you complete visibility into your certificate landscape. Instead of juggling spreadsheets, you get clean, rich visual dashboards to monitor every certificate, flag risks early, and stay ahead of expirations. This visibility forms the foundation for automation.
2. Zero-Touch Renewals at Scale
In a 47-day renewal cycle, manual renewals are a guaranteed bottleneck.
Best-in-class CLM solutions automate certificate renewals and provisioning end-to-end. From generating the key pair and CSR to submitting it to the appropriate Certificate Authority (CA), retrieving the renewed certificate, installing it, and even binding it to the correct endpoint or application, every step is seamlessly managed without human intervention.
These solutions integrate directly with public and private CAs, Cloud providers, DevOps toolchains, ITSM platforms, and endpoints, orchestrating certificate management across cross-functional teams. And instead of juggling CA-specific portals, you manage everything through a single, unified console with complete certificate visibility across the enterprise.
The result? No missed steps, no misconfigurations, no last-minute scrambles.
3. Built-In Policy Enforcement
Automation isn’t just about speed; it’s also about control.
Best-in-class CLM automation solutions enforce cryptographic and operational policies at every step. From key length and algorithms to CA trust, approval workflows, and expiration limits, policies are applied automatically, so every certificate issued meets your standards by default. Requests that don’t comply are blocked or flagged, reducing human error and tightening compliance even as certificate volumes grow.
Role-based access control (RBAC) adds another layer of governance, clearly defining who can request, approve, or issue certificates. That means fewer rogue certs, less sprawl, and tighter control across the board.
And with every action logged in detailed audit trails, both internal and external audits become faster and easier.
4. Real-Time Alerts and Reporting
When certificates only last 47 days, you need to know what’s at risk before it becomes a problem.
Best-in-class CLM automation solutions provide real-time alerts and reports for expiring, misconfigured, or non-compliant certificates. You receive proactive notifications well before a certificate expiry and detailed compliance reports to keep stakeholders informed. This transparency is essential for continuous monitoring when operating on monthly renewal cycles.
5. Crypto-Agility and Rapid Response
While 47-day certificates are the immediate challenge, cryptography is evolving fast.
Post-quantum cryptography, CA distrust events, and changing regulatory standards demand the ability to adapt quickly and at scale.
Best-in-class CLM platforms are built for crypto-agility. They support seamless algorithm changes, bulk certificate replacement, and CA migrations without downtime or disruption. So when the next big cryptographic shift hits, you’re ready, not racing to catch up.
The New Normal for CLM Starts Now
The 47-day mandate marks a turning point: TLS certificate management is no longer a set-it-and-forget-it task. It now demands visibility, automation, policy control, and crypto-agility.
This is your opportunity to move beyond manual workarounds, modernize CLM processes, and build future-ready crypto resilience.
Leading PKI teams aren’t struggling to modernize CLM processes on their own. Instead, they’re investing in purpose-built CLM platforms that scale with today’s demands.
AppViewX AVX ONE CLM is built for this new reality. It delivers the visibility, automation, and policy control that PKI and CLM teams need today to handle 47-day renewals and prepare for PQC.
Don’t wait for outages to force your hand. Learn how AVX ONE CLM can future-proof your certificate operations or request a demo to see it in action.