What is the SC-081v3 certificate lifetime reduction timeline?

SC-081v3 reduces maximum TLS certificate lifetimes in three phases: 200 days starting March 15, 2026; 100 days starting March 15, 2027; and 47 days starting March 15, 2029. Domain Control Validation (DCV) reuse periods shrink on the same schedule, reaching just 10 days by 2029.

Does SC-081v3 apply to private PKI and internal certificates?

No. SC-081v3 governs only publicly trusted TLS certificates that chain to root CAs in browser trust stores. Internal PKI, private network certificates, S/MIME, code signing, and IoT device identity certificates operate under separate frameworks and are not subject to the 47-day timeline.

Why is the target 47 days and not 90 days?

The 47-day figure derives from a formulaic cascade: 30 days (one calendar month) plus 15 days (half a month) plus 2 days buffer. Apple's original proposal targeted this number from the start. Google had previously advocated 90 days but voted in favor of Apple's more aggressive timeline immediately once voting opened.

What happens if I don't automate certificate renewal by 2027?

At the 100-day maximum (March 2027), manual certificate management becomes operationally untenable for most organizations. Certificates expire roughly every three months, and DCV reuse drops to 100 days, meaning domain revalidation must happen at every renewal. Missing a renewal causes immediate service disruption with TLS errors in browsers.

What is the relationship between SC-081v3 and Let's Encrypt 6-day certificates?

Let's Encrypt began offering 6-day certificates in general availability in January 2026, and has announced a transition to 45-day default certificates by February 2028. These voluntary shorter lifetimes run ahead of the SC-081v3 mandate, giving the ecosystem a head start on validating automation pipelines at scale.

47-Day TLS Certificates: SC-081 Timeline and Automation Guide

Publicly trusted TLS maximum validity drops in phases to 47 days (March 2029) under SC-081v3; DCV reuse shrinks on the same schedule—this page is the engineer-oriented timeline and scope guide.

47-Day TLS Certificates: SC-081 Timeline and Automation Guide

TL;DR: SC-081v3 is live in phases (200 → 100 → 47 days); 10-day DCV reuse by 2029 forces automated challenges every renewal—pair this with ACME + ARI readiness and renewal automation.

Overview

The ballot passed 2025-04-11 (CA/B Forum). Apple proposed; Google, Microsoft, Mozilla supported. Two coupled parameters move together: maximum subscriber certificate lifetime and DCV reuse period. For business framing and ROI math, see certificate automation ROI.

Problem Statement

Renewal frequency jumps toward ~8×/year per cert at 47 days—manual processes collapse.
DCV reuse to 10 days means near every renewal needs successful automated DCV.
Load balancers / CDNs fail when new certs exist on disk but the edge never reloads.
Legacy gear without ACME needs architecture change (proxy, private PKI) or accepts outage risk.
OV/EV faces the same lifetime rules; SII reuse drops in phase 1 (see below).

Failure scenario: Team hits 100-day phase still using quarterly manual renewals; DCV email approvals miss one cycle—customer-facing API presents expired cert.

SC-081v3 phase-down timeline

Certificate validity

Phase	Effective (approx.)	Max TLS subscriber cert lifetime
1	2026-03-15	200 days (~6-month cadence). SII reuse for OV/EV 825 → 398 days.
2	2027-03-15	100 days. DCV reuse 100 days.
3	2029-03-15	47 days. DCV reuse 10 days.

Major CAs may early-adopt (e.g. 199-day issuance before deadlines).

DCV reuse: the hidden constraint

Shorter cert lifetime gets attention; shorter DCV reuse forces automation of proof-of-control at every renewal. A 47-day cert with 10-day DCV reuse is far harsher than 47-day with long reuse—SC-081v3 moves both.

What SC-081v3 does not cover

Private PKI / internal names
S/MIME, code signing, document signing (other BR tracks)
IoT / IDevID style identities under their own standards

Only publicly trusted TLS for server authentication in scope of the TLS BRs driving this ballot.

Operational impact by stack

Web servers (Apache, Nginx, Caddy)

If ACME already renews (e.g. certbot), 200-day phase may feel similar to today’s short-LV DV certs—risk rises at 100d/47d if ARI and deploy hooks are weak. Verify client version, DNS API token expiry, and reload hooks.

Load balancers and CDNs

Managed (ACM, Cloudflare) often absorb change; self-managed must push + reload on every renewal. At 47 days, a missed reload becomes an outage within weeks.

Kubernetes

cert-manager: tune renewBefore; enable ARI where supported (1.15+); validate Issuer/ClusterIssuer ACME endpoints.

Legacy / embedded

Terminate TLS on a modern proxy, or use private CA for names that cannot meet public-BR automation.

ARI (RFC 9773)

ARI lets the CA steer renewal timing and handle incidents; renewals in-window with replaces may avoid rate limits. See Certificate automation readiness for client matrix—Certbot 4.1.0+, Lego, cert-manager 1.15+, etc.

Priority actions

Immediate

Inventory all public TLS certs: CA, expiry, renewal mechanism, deploy path. Use openssl s_client plus CT for completeness—see inventory and discovery.

Before 100-day phase (2027)

No manual production renewals for public TLS at scale; upgrade to ARI-capable clients; test full pipeline quarterly; alert at ~80% of lifetime.

Before 47-day phase (2029)

DNS API SLOs and fallback paths; confirm pipeline can sustain ~17-day effective cycle if renewing ~30 days before expiry on a 47-day cert.

OV and EV

Same lifetime caps as DV. SII reuse 398 days from phase 1—expect roughly annual org reverification; CAs often sell subscriptions with unlimited issuance to match.

Let’s Encrypt acceleration

LE may ship shorter defaults ahead of the mandate (e.g. movement toward 45-day defaults)—ecosystem tooling stress-tests before the global BR floor.

“Short-lived certificate” definition

BR threshold for “short-lived” 10 days → 7 days after March 2026—aligns policy with very short experimental lifetimes (e.g. 6-day certs).

Operational checklist

Exported inventory: name, CA, expiry, renew method, deploy owner
ACME client version checked for ARI if using LE-scale public DV
DNS API credentials: owner, rotation, monitoring
End-to-end renewal drill documented and scheduled
External monitoring for expiry and renewal failures
Plan for non-ACME gear (proxy, private PKI, or exception list)

Certificate automation readiness — ACME + ARI maturity
Renewal automation
Certificate lifecycle management
CA distrust migration playbook
ACME protocol
TLS protocol
X.509 standard
Certbot renewal automation
Monitoring and alerting
Certificate automation ROI

47-Day TLS Certificates: SC-081 Timeline and Automation Guide

47-Day TLS Certificates: SC-081 Timeline and Automation Guide

Overview

Problem Statement

SC-081v3 phase-down timeline

Certificate validity

DCV reuse: the hidden constraint

What SC-081v3 does not cover

Operational impact by stack

Web servers (Apache, Nginx, Caddy)

Load balancers and CDNs

Kubernetes

Legacy / embedded

ARI (RFC 9773)

Priority actions

Immediate

Before 100-day phase (2027)

Before 47-day phase (2029)

OV and EV

Let’s Encrypt acceleration

“Short-lived certificate” definition

Operational checklist

Related documentation