Headline: 47-Day Certificates: SSL/TLS Enters the Age of Crypto-Agility 🔐⏳
Date: 17 November 2025
A new analysis in CIO highlights a quiet but important shift: SSL/TLS certificates are moving toward very short lifetimes, with proposals and implementations for 47-day certificates now on the table.
This trend is tied directly to quantum readiness. The NIST roadmap for post-quantum cryptography expects widely used algorithms like RSA and ECC to be phased out by around 2030, making crypto agility—rapid, automated rotation and replacement of keys and certificates—an operational necessity, not a luxury.
What’s changing
-
📉 Certificate lifetimes are shrinking dramatically; an industry ballot has already pushed towards six-month max lifespans by 2026.
-
🧪 Some providers are introducing 47-day certs as a way to build “crypto agility muscles” inside organisations—forcing teams to automate issuance, renewal and rollback.
-
🧩 This operational agility will be essential when companies start migrating en masse to post-quantum algorithms in the web PKI ecosystem.
Why it matters
-
🕳️ No more “set and forget” crypto: Static, long-lived certificates were already risky; in a quantum-threatened world, they become a liability.
-
🧠 Readiness is procedural as well as mathematical: It’s not enough to deploy PQ algorithms; teams must be able to rotate, inventory and replace crypto at scale.
-
🌐 Quantum as the new Y2K: The article compares quantum risk to a kind of “cryptographic Y2K,” but with no single deadline and far more moving pieces.