The CA/Browser Forum agreed in ballot SC-081v3 that by 2029, the maximum validity for certificates will be reduced to 47 days, following a gradual decrease over the previous years.
Key takeaways:
- Manual certificate management is no longer mathematically viable. The transition from annual to 47-day lifecycles increases operational workloads by nine times, creating a razor-thin margin for error that makes traditional spreadsheets and calendars a guaranteed path to service outages.
- Visibility is the fundamental prerequisite for security. Large organizations often struggle with shadow IT and undocumented endpoints, leading to unexpected downtime; maintaining a centralized, automated inventory ensures that every certificate is tracked and renewed before expiration.
- Mobile applications face a unique risk of becoming “bricked.” Unlike browsers, mobile apps often embed static trust logic that fails when server certificates rotate rapidly, necessitating a shift to dynamic pinning or public key pinning to prevent immediate service denial for users.
- Trust infrastructure must now operate at the speed of software delivery. Treating certificates as isolated administrative tasks leads to deployment bottlenecks; integrating certificate health directly into CI/CD pipelines allows organizations to enforce security policies and validate trust posture continuously.
- Automation must replace human intervention to ensure resilience. Manual CSR generation and email-based approvals introduce latency and inconsistency that cannot scale with 47-day limits; adopting ACME-based, event-driven automation ensures that renewals are programmatic, repeatable, and fail-safe.
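The inventory and renewal-window points above are easiest to see in code. The following is an added example, not code from the original article or from Akamai: a small triage routine over a constructed certificate inventory (hypothetical hostnames, fixed clock) that applies the common ACME-client rule of starting renewal when one third of a certificate's lifetime remains, and separates the hosts that automation should already be handling from the ones that still depend on a person.

```go
package main

import (
	"fmt"
	"time"
)

// CertRecord is one entry of a certificate inventory. The sample inventory
// below is constructed for this example; the hostnames are hypothetical.
type CertRecord struct {
	Host      string
	NotBefore time.Time
	NotAfter  time.Time
	Automated bool // renewed by an ACME client, or by a manual CSR/approval process
}

// RenewalStatus is the triage result for one certificate.
type RenewalStatus string

const (
	StatusOK      RenewalStatus = "ok"
	StatusRenew   RenewalStatus = "renew-now"
	StatusExpired RenewalStatus = "expired"
)

// RenewalWindow returns the instant at which renewal should begin: when one
// third of the certificate's lifetime remains, a widely used ACME client
// default. For a 47-day certificate that is about 15.7 days before expiry;
// for a 365-day certificate it is about 122 days before expiry.
func RenewalWindow(notBefore, notAfter time.Time) time.Time {
	lifetime := notAfter.Sub(notBefore)
	return notAfter.Add(-lifetime / 3)
}

// Classify compares a record against the clock: already expired, inside the
// renewal window, or still fine.
func Classify(rec CertRecord, now time.Time) RenewalStatus {
	switch {
	case !now.Before(rec.NotAfter):
		return StatusExpired
	case !now.Before(RenewalWindow(rec.NotBefore, rec.NotAfter)):
		return StatusRenew
	default:
		return StatusOK
	}
}

// Triage returns the hosts that need action, split by how they are renewed.
// Manually renewed hosts are where a missed window becomes an outage, so that
// list is the one an operator has to look at first.
func Triage(inv []CertRecord, now time.Time) (manual, automated []string) {
	for _, rec := range inv {
		if Classify(rec, now) == StatusOK {
			continue
		}
		if rec.Automated {
			automated = append(automated, rec.Host)
		} else {
			manual = append(manual, rec.Host)
		}
	}
	return manual, automated
}

func date(y int, m time.Month, d int) time.Time {
	return time.Date(y, m, d, 0, 0, 0, 0, time.UTC)
}

// SampleNow is the fixed "current time" the sample run evaluates against.
func SampleNow() time.Time { return date(2029, time.June, 1) }

// SampleInventory is constructed data: two 47-day certificates under
// automation, one annual certificate still renewed by hand, and one nobody
// tracked at all.
func SampleInventory() []CertRecord {
	return []CertRecord{
		{"www.example.test", date(2029, time.May, 20), date(2029, time.July, 6), true},
		{"api.example.test", date(2029, time.April, 25), date(2029, time.June, 11), true},
		{"legacy.example.test", date(2028, time.June, 15), date(2029, time.June, 15), false},
		{"forgotten.example.test", date(2028, time.May, 30), date(2029, time.May, 30), false},
	}
}

func main() {
	now := SampleNow()
	for _, rec := range SampleInventory() {
		fmt.Printf("%-24s %-10s expires %s, renew from %s\n", rec.Host, Classify(rec, now),
			rec.NotAfter.Format("2006-01-02"), RenewalWindow(rec.NotBefore, rec.NotAfter).Format("2006-01-02"))
	}
	manual, automated := Triage(SampleInventory(), now)
	fmt.Println("manual action needed:          ", manual)
	fmt.Println("automation should be handling: ", automated)
}
```

In a real deployment the inventory would be populated from a scan of listeners and from the CA's issuance records rather than typed in, and the "renew-now" list for automated hosts is itself a signal worth alerting on: with a 47-day lifetime, an ACME client that has been silent for more than about a week is already a problem.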
Frequently Asked Questions (FAQ)
Under the new mandate, the reuse of DCV will be limited to only 10 days by 2029, meaning organizations must establish proof of domain ownership almost every week.
Mobile apps suffer from an “asymmetry gap” because they often embed trust logic or pinned certificates directly into distributed binaries, which cannot be updated as quickly as the server-side certificates rotate.
Akamai recommends moving away from leaf certificate pinning and transitioning to Subject Public Key Info (SPKI) pinning, which allows certificates to be reissued with new expiry dates while reusing the same key pair.
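The difference between leaf pinning and SPKI pinning comes down to what gets hashed. The following added example (not Akamai's code, and not from the original article) issues two self-signed 47-day certificates for the same hypothetical host and key, one after the other, and shows that the SHA-256 of the whole certificate changes on reissue while the SHA-256 of the SubjectPublicKeyInfo does not. It also pins a second, not-yet-deployed key as a backup so that a genuine key rotation does not lock out the app either. Self-signed issuance stands in for a CA here; for pinning purposes only the public key, validity and serial matter.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// SPKIPin hashes the certificate's SubjectPublicKeyInfo (the DER-encoded public
// key plus its algorithm identifier) and returns the "sha256/<base64>" form
// used by common mobile pinning configurations.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return "sha256/" + base64.StdEncoding.EncodeToString(sum[:])
}

// SPKIPinOfKey computes the same pin from a bare public key, which is how a
// backup pin is produced for a key that has no certificate yet.
func SPKIPinOfKey(pub crypto.PublicKey) (string, error) {
	spki, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(spki)
	return "sha256/" + base64.StdEncoding.EncodeToString(sum[:]), nil
}

// LeafFingerprint hashes the entire DER certificate. A leaf pin compares this
// value, so every reissue, even with the same key, changes it.
func LeafFingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return "sha256/" + base64.StdEncoding.EncodeToString(sum[:])
}

// MatchesPinSet is the client-side check: accept the server certificate if its
// SPKI pin is one of the configured pins (current key plus an offline backup).
func MatchesPinSet(cert *x509.Certificate, pins []string) bool {
	got := SPKIPin(cert)
	for _, p := range pins {
		if p == got {
			return true
		}
	}
	return false
}

// GenerateKey creates a P-256 key pair standing in for a server's TLS key.
func GenerateKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// IssueSelfSigned stands in for a CA issuance: a self-signed server certificate
// for host, valid for the given number of days from notBefore.
func IssueSelfSigned(key *ecdsa.PrivateKey, host string, notBefore time.Time, days int, serial int64) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(0, 0, days),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	key, _ := GenerateKey()
	backup, _ := GenerateKey()
	start := time.Date(2029, time.March, 1, 0, 0, 0, 0, time.UTC)
	// Two consecutive 47-day issuances for the same hypothetical host and key.
	first, _ := IssueSelfSigned(key, "api.example.test", start, 47, 1001)
	second, _ := IssueSelfSigned(key, "api.example.test", start.AddDate(0, 0, 31), 47, 1002)
	backupPin, _ := SPKIPinOfKey(&backup.PublicKey)
	pins := []string{SPKIPin(first), backupPin} // what the app would ship with
	fmt.Println("leaf fingerprint changed on reissue:", LeafFingerprint(first) != LeafFingerprint(second))
	fmt.Println("SPKI pin unchanged on reissue:      ", SPKIPin(first) == SPKIPin(second))
	fmt.Println("app still trusts reissued cert:     ", MatchesPinSet(second, pins))
}
```

The backup pin is the part that is easy to forget: SPKI pinning only removes the reissue problem, not the key-rotation problem, so the app should always ship at least one pin for a key that is generated and stored offline ahead of time.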
The first is the certificate presented by the edge platform to the end user, and the second is the certificate presented by the origin server to the edge platform to maintain a complete chain of trust.
If rotating the origin certificate requires manual intervention, Akamai suggests pinning a specific origin certificate in the edge configuration as a stopgap measure, with a process to rotate it annually or biannually.
ACME External Account Binding (EAB) is a mechanism that links automated certificate requests to a verified account with a certificate authority (CA). It ensures that only authorized users can issue certificates by requiring cryptographic proof during account registration. EAB is commonly used to enforce access control, billing, policy compliance, and auditability for automated certificate issuance.
ACME EAB allows for authenticated, policy-driven interactions with commercial certificate authorities, enabling zero-touch automation while preserving existing identity controls and approval workflows.
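The "cryptographic proof during account registration" is concrete: RFC 8555 section 7.3.4 defines the externalAccountBinding field as a JWS whose payload is the new ACME account's public key in JWK form, signed with an HMAC key that the CA hands out together with a key identifier. The following added example (not code from the original article, Akamai or any CA) builds that binding on the client side and checks it on the CA side; the key identifier, MAC key and newAccount URL are constructed placeholders, and real CAs deliver the MAC key base64url-encoded, which the client must decode before use.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// b64 is the unpadded base64url encoding JWS uses for every component.
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// AccountJWK expresses a P-256 ACME account key as the JWK the EAB payload carries.
func AccountJWK(pub *ecdsa.PublicKey) map[string]string {
	size := (pub.Curve.Params().BitSize + 7) / 8
	x, y := make([]byte, size), make([]byte, size)
	pub.X.FillBytes(x)
	pub.Y.FillBytes(y)
	return map[string]string{"crv": "P-256", "kty": "EC", "x": b64(x), "y": b64(y)}
}

// EAB is the externalAccountBinding object a newAccount request embeds: a JWS
// over the account JWK, MACed with the CA-issued key named by kid.
type EAB struct {
	Protected string `json:"protected"`
	Payload   string `json:"payload"`
	Signature string `json:"signature"`
}

// BuildEAB is the client side: bind the fresh ACME account key to the CA
// account identified by kid, using the CA-issued macKey. The protected header
// carries no nonce; its url must equal the outer newAccount request's url.
func BuildEAB(kid string, macKey []byte, newAccountURL string, pub *ecdsa.PublicKey) (EAB, error) {
	hdr, err := json.Marshal(map[string]string{"alg": "HS256", "kid": kid, "url": newAccountURL})
	if err != nil {
		return EAB{}, err
	}
	jwk, err := json.Marshal(AccountJWK(pub))
	if err != nil {
		return EAB{}, err
	}
	protected, payload := b64(hdr), b64(jwk)
	mac := hmac.New(sha256.New, macKey)
	mac.Write([]byte(protected + "." + payload))
	return EAB{Protected: protected, Payload: payload, Signature: b64(mac.Sum(nil))}, nil
}

// VerifyEAB is the CA side: look up the MAC key for the claimed kid, check the
// header, recompute the MAC and compare in constant time, then confirm the
// bound JWK is the key that signed the outer newAccount request (outerJWK).
func VerifyEAB(eab EAB, macKeys map[string][]byte, newAccountURL string, outerJWK map[string]string) error {
	hdrBytes, err := base64.RawURLEncoding.DecodeString(eab.Protected)
	if err != nil {
		return err
	}
	var hdr struct {
		Alg string `json:"alg"`
		Kid string `json:"kid"`
		URL string `json:"url"`
	}
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil {
		return err
	}
	if hdr.Alg != "HS256" || hdr.URL != newAccountURL {
		return errors.New("eab: unexpected alg or url in protected header")
	}
	macKey, ok := macKeys[hdr.Kid]
	if !ok {
		return errors.New("eab: unknown kid")
	}
	mac := hmac.New(sha256.New, macKey)
	mac.Write([]byte(eab.Protected + "." + eab.Payload))
	sig, err := base64.RawURLEncoding.DecodeString(eab.Signature)
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return errors.New("eab: MAC mismatch")
	}
	payload, err := base64.RawURLEncoding.DecodeString(eab.Payload)
	if err != nil {
		return err
	}
	// Re-marshal both sides so the comparison is over canonical (key-sorted) JSON.
	var bound map[string]string
	if err := json.Unmarshal(payload, &bound); err != nil {
		return err
	}
	got, _ := json.Marshal(bound)
	want, _ := json.Marshal(outerJWK)
	if !bytes.Equal(got, want) {
		return errors.New("eab: bound key does not match the account key")
	}
	return nil
}

// GenerateAccountKey makes the ACME account key the client will bind.
func GenerateAccountKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

func main() {
	acct, _ := GenerateAccountKey()
	macKey := []byte("constructed-demo-mac-key") // placeholder; a real CA issues this
	url := "https://acme.example.test/acme/new-account"
	eab, _ := BuildEAB("kid-demo-1", macKey, url, &acct.PublicKey)
	fmt.Println("CA accepts binding:", VerifyEAB(eab, map[string][]byte{"kid-demo-1": macKey}, url, AccountJWK(&acct.PublicKey)) == nil)
}
```

Because the MAC key and kid come from the CA's customer account, an automation pipeline can hold them as a secret and register any number of ACME accounts without a person approving each one, while the CA still attributes every issuance to that customer account for policy and billing.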
Leadership should prioritize auditing the certificate inventory to establish a single source of truth, mapping all manual renewal dependencies, and auditing mobile apps to transition away from high-risk leaf certificate pinning.