GlobalSign Blog

Shorter SSL/TLS Certificates are the Key to Preparing for Post-Quantum Cryptography

Remember when SSL/TLS certificates used to last for three years? Those days are long gone. Over the past decade, we’ve seen certificate validity periods shrink from years to months, and now, the conversation has turned to certificates that last just 47 days (that’s less than seven weeks!). At first, this might sound like a headache for IT teams, but the real story is much bigger. It’s a story about security evolution, quantum readiness, and building the agility we need for a future we can’t fully predict.

So what does a 47-day certificate validity period have to do with post-quantum cryptography? A lot more than you might think.

Let’s unpack why shorter certificate validity matters, how it connects to quantum readiness, and why organizations need to embrace crypto-agility now more than ever.

Why are SSL/TLS Certificates Getting Shorter?

In April 2025 the CA/Browser (CA/B) Forum, the body that sets baseline requirements for SSL/TLS certificates, voted on gradually reducing the validity period to 47 days by 2029. The logic is straightforward: shorter validity reduces risk. If a certificate or key is compromised, a shorter lifespan limits the damage window.

“…for the last 10 to 20 years, this has been one of the key threats throughout the whole PKI ecosystem. And that is the fact that whenever you have an issue with a certificate being at a key compromise, another security compromise or a compliance issue, that browsers and CAs were always faced with the fact that websites that were using certificates were unable to replace them quickly.” – Arvid Vermote

Historically, organizations were comfortable with long-lived certificates because they required less operational effort. But long validity comes at a cost: less flexibility and greater exposure if something goes wrong. Short-lived certificates, like those with a 47-day validity, encourage organizations to automate their certificate lifecycle. Instead of manual renewals every year, automation ensures smooth, continuous updates.

Enter Post-Quantum Cryptography (PQC)

Quantum computing has been on the horizon for years, but the race to build powerful quantum machines is accelerating. While today’s quantum computers aren’t breaking RSA just yet, experts agree that it’s a matter of “when,” not “if.” Once large-scale quantum computers become a reality, traditional cryptographic algorithms like RSA and ECC will no longer be secure. These algorithms, which underpin SSL/TLS, won’t hold up against quantum attacks.

Post-quantum cryptography is about developing encryption methods strong enough to withstand quantum capabilities. But here’s the challenge: the migration won’t happen overnight. When new PQC standards are finalized by NIST and adopted globally, every digital certificate and key pair will need to change. That’s where crypto-agility comes in.

Crypto-Agility and the Role of 47-Day SSL/TLS Certificates

Crypto-agility means your systems and processes can adapt quickly to new cryptographic standards. If your organization still relies on long-lived certificates, migrating to PQC will be a logistical nightmare. Imagine replacing every certificate across every system in your infrastructure when the quantum clock starts ticking.

Shorter certificate lifespans make agility the norm. With 47-day certificates, organizations get used to rapid, automated rotations. When PQC becomes a requirement, swapping algorithms becomes a smooth, routine process rather than a crisis event. Being crypto-agile means you’ll be prepared for the shift, and as there are no quantum-resistant algorithms yet, organizations need to be braced to swap quickly.

Think of it like exercising flexibility in your infrastructure. Shorter certificate validity means:

  • Rapid adaptation: When algorithms change, your systems can adjust without downtime.
  • Reduced exposure: If a key is compromised, the damage window is minimal.
  • Automation by necessity: Short lifespans make manual management impossible, forcing modernization.

It’s about automation, but it’s also about mindset. Organizations that embrace short-lived certificates today are building the operational resilience they’ll need tomorrow.
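To make the link between certificate lifetime and algorithm agility concrete, here is an added example (not GlobalSign code) that audits a certificate inventory against the 47-day limit and computes how long a classical-to-PQC swap would take if it relied on normal renewals. The inventory records, the fixed date, the two-thirds renewal threshold and the `PQC-PLACEHOLDER` key label are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

MAX_VALIDITY = timedelta(days=47)   # target lifetime discussed in the article
RENEW_FRACTION = 2 / 3              # assumption: renew once two thirds of the lifetime has elapsed
CLASSICAL_PREFIXES = ("RSA", "EC")  # key types the article names as quantum-vulnerable

# Constructed inventory (hosts, dates and key labels are made up for this example).
INVENTORY = [
    {"host": "www.example.test", "not_before": "2029-03-01", "not_after": "2029-04-17", "key": "RSA-2048"},
    {"host": "api.example.test", "not_before": "2029-03-20", "not_after": "2029-05-06", "key": "EC-P256"},
    {"host": "legacy.example.test", "not_before": "2028-06-01", "not_after": "2029-06-01", "key": "RSA-4096"},
    {"host": "lab.example.test", "not_before": "2029-03-25", "not_after": "2029-05-11", "key": "PQC-PLACEHOLDER"},
]
NOW = datetime(2029, 4, 5, tzinfo=timezone.utc)  # fixed "today" so results are reproducible


def _day(text):
    return datetime.strptime(text, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def is_classical(cert):
    return cert["key"].upper().startswith(CLASSICAL_PREFIXES)


def audit(cert, now):
    """Return policy findings for one inventory record."""
    start, end = _day(cert["not_before"]), _day(cert["not_after"])
    lifetime = end - start
    findings = []
    if now >= end:
        findings.append("expired")
    elif now >= start + lifetime * RENEW_FRACTION:
        findings.append("renew-now")
    if lifetime > MAX_VALIDITY:
        findings.append("lifetime-exceeds-47d")
    if is_classical(cert):
        findings.append("classical-key")
    return findings


def rotation_horizon(inventory, now):
    """Days until every classical-key certificate has expired and been reissued."""
    remaining = [(_day(c["not_after"]) - now).days for c in inventory if is_classical(c)]
    return max(remaining, default=0)


if __name__ == "__main__":
    for cert in INVENTORY:
        print(cert["host"], audit(cert, NOW))
    print("rotation horizon (days):", rotation_horizon(INVENTORY, NOW))
```

In this sample the single one-year certificate stretches the rotation horizon from 31 to 57 days; once every certificate is capped at 47 days, the horizon can never exceed 47.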

The Bigger Picture of PKI Evolution and Quantum Readiness

This shift isn’t happening in isolation. The CA/B Forum, browser vendors, and Certificate Authorities, such as GlobalSign, are working to shape PKI for the post-quantum era. Shorter certificate lifetimes are one piece of the puzzle, preparing us for:

  • Rapid algorithm transitions.
  • Continuous security improvement.
  • The eventual rollout of quantum-safe algorithms.

Quantum preparedness isn’t just about picking a new algorithm when the time comes. It’s about evolving processes now to meet potential regulation or security gaps so that when the switch flips, your organization isn’t scrambling.

What Should You Do Next?

If you haven’t already, start exploring certificate lifecycle automation. Implement tools that make renewals seamless. Familiarize yourself with emerging PQC standards and consider hybrid approaches that blend classical and quantum-resistant algorithms.

The move to short-lived certificates is a mindset shift. By adopting 47-day certificates, your organization gains the practice and infrastructure needed for rapid, automated certificate rotation, reduced exposure if a key is compromised, and the flexibility to adopt post-quantum cryptography when the time comes.

Starting today with shorter certificate lifespans ensures that your systems, processes, and teams are ready for whatever the future of PKI holds. It’s about building crypto-agility into the DNA of your organization.
