What is an SSL certificate?
Quick recap: what is a TLS/SSL certificate? An SSL (more precisely, TLS/SSL) certificate is what a server presents to a browser so the browser can verify that it is talking to the genuine server for that domain and set up a secure, encrypted connection with it. It ensures that the data transferred between them remains private and safe.
Every SSL certificate includes:
- An expiration date
- A list of the domains it applies to
- A start date
- The organisation it’s issued to
- And more technical metadata
Each certificate is digitally signed by another certificate — an intermediate certificate — which in turn is signed by a trusted root certificate owned by a Certificate Authority (CA). If your computer trusts the CA, and all validations (like domain match and valid dates) pass, the certificate is accepted.
Renewing certificates
There are two main ways to obtain an SSL certificate: manually or through an automated process.
- Manual method: You purchase a certificate and prove that you own the domain. These certificates are typically valid for 1 year.
- Automated method: Providers like Let's Encrypt offer free certificates with a shorter validity (usually 3 months) to make the Internet more secure and privacy-friendly. All major systems trust their root certificate.
The importance of certificate lifespan
When it comes to trusting a certificate, its lifespan is an important factor. Originally, certificates were only provided by a small set of CA providers. Their certificates were valid for 2–3 years, mainly because purchasing and validating them, and then installing and configuring them on the servers, required manual effort.
In 2020, however, Apple announced at the CA/Browser Forum that the maximum certificate lifespan would be reduced to 13 months (398 days). Certificates issued with a longer validity would be treated as unsafe and untrusted.
Why a shorter lifespan is better
The shorter the lifespan of the TLS/SSL certificate, the higher the trust. Here’s why:
- More frequent checks: Every time a certificate is renewed, domain ownership is verified again, ensuring that the requester actually controls the domain. Without this validation, anyone could obtain a TLS/SSL certificate for any website, create a duplicate site, and serve it through a seemingly secure connection. This vulnerability enables hackers to conduct online theft, phishing attacks, and other malicious activities.
- Fewer opportunities for abuse: If a private key is leaked or stolen, a shorter lifespan limits how long it can be abused, because the certificate stops being valid sooner. For this reason, Let's Encrypt announced in January 2025 that it would experiment with certificates that are only valid for 6 days.
What’s coming next?
So, while Let's Encrypt is testing certificates with ultra-short 6-day lifespans, the CA/Browser Forum has also made some announcements. Currently, new TLS/SSL certificates are valid for at most 13 months, and there are proposals to reduce this maximum further.
This is the timeline suggested by the CA/Browser Forum:
- March 2026: a maximum validity of 200 days
- March 2027: down to 100 days
- March 2029: further reduce to 47 days
This shift helps maintain stronger validation and security. For instance, if domain ownership changes hands, the old owner won’t retain a valid certificate. It also encourages the use of up-to-date standards for encryption and signing methods.
The downside? Manually managing certificates will become too much work. Automation will be the norm moving forward.
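As an added example (not code from the original post or from Semonto), the Go program below applies the checks this page describes to a certificate's start date, expiry date and domain list: it reports a certificate that is outside its validity window, one presented for the wrong host, and one whose lifespan exceeds what the CA/Browser Forum timeline above allowed on its issue date. The self-signed test certificate is constructed input, and the 15th of March is an assumed cut-over day, since the page names only the month.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// MaxLifetimeDays returns the longest validity allowed for a certificate issued on the given date, per the timeline above (15 March assumed as cut-over day).
func MaxLifetimeDays(issued time.Time) int {
	limits := []struct{ year, days int }{{2029, 47}, {2027, 100}, {2026, 200}}
	for _, l := range limits {
		if !issued.Before(time.Date(l.year, 3, 15, 0, 0, 0, 0, time.UTC)) {
			return l.days
		}
	}
	return 398 // the 13-month limit in force since 2020
}

// Check reports what a monitor would alert on: outside the validity window, wrong host, or a lifespan longer than policy allowed at issuance.
func Check(c *x509.Certificate, host string, now time.Time) (daysLeft int, problems []string) {
	daysLeft = int(c.NotAfter.Sub(now) / (24 * time.Hour))
	if now.Before(c.NotBefore) || now.After(c.NotAfter) {
		problems = append(problems, "outside validity window (not yet valid or expired)")
	}
	if err := c.VerifyHostname(host); err != nil {
		problems = append(problems, "hostname mismatch: "+err.Error())
	}
	if life, limit := int(c.NotAfter.Sub(c.NotBefore)/(24*time.Hour)), MaxLifetimeDays(c.NotBefore); life > limit {
		problems = append(problems, fmt.Sprintf("lifespan %d days exceeds %d-day maximum", life, limit))
	}
	return daysLeft, problems
}

// NewTestCert builds a self-signed certificate as constructed test input (not a real site's certificate).
func NewTestCert(notBefore time.Time, days int, dnsNames []string) *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: dnsNames,
		NotBefore: notBefore, NotAfter: notBefore.Add(time.Duration(days) * 24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	cert, perr := x509.ParseCertificate(der)
	if err != nil || perr != nil {
		panic("constructing the test certificate failed")
	}
	return cert
}
```

A real monitor would obtain the certificate from the live TLS handshake instead of NewTestCert and run Check on a schedule, alerting when daysLeft drops below its renewal margin or problems is non-empty.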
How Semonto can help
One of Semonto's features is monitoring the validity of certificates. Semonto will alert you when a certificate isn't valid, for example when the certificate has expired, when the server returns the wrong certificate, or when a certificate has been revoked. This helps remind teams to renew manual certificates in time. Semonto also detects failures in automated renewals, which are often caused by validation errors or script issues.
As certificate lifespans shrink, the chances of renewal problems increase. That’s where Semonto comes in. You can use Semonto to catch certificate issues before they result in downtime. All without any manual work. Want to give it a try? Claim your free trial here, and let us know what you think!