47 Day Certificates

Shorter Certificate Lifecycles and emSign’s 90-Day Strategy

The global public trust ecosystem is moving toward significantly shorter certificate lifecycles, with industry discussions and proposals converging on lifetimes as short as 47 days for publicly trusted TLS certificates. This shift is driven by the need to reduce risk exposure from compromised keys, accelerate cryptographic agility, and align certificate usage with modern, automated infrastructure.

Shorter lifecycles limit the window in which a compromised certificate can be abused, encourage faster adoption of new cryptographic standards, and improve overall internet security. However, they also make manual certificate management impractical, placing automation at the center of certificate operations.


Root Store Requirements and Lifecycle Constraints

Browser and operating system root store programs impose strict requirements on newly introduced public trust roots. These requirements increasingly emphasize:

  • Strong operational controls and automation readiness

  • Demonstrated ability to manage high-frequency issuance and renewal

  • Reduced certificate lifetimes as a security baseline

For newly trusted or evolving root hierarchies, certificate lifetime policies must align with these expectations while maintaining operational stability across diverse customer environments.


Why emSign Adopted a 90-Day Certificate Lifetime

emSign has adopted a 90-day certificate lifetime as a deliberate and forward-looking strategy.

This approach reflects three key considerations:

  1. Root Store Compliance and Stability: A 90-day lifetime aligns with current root store expectations for modern public trust hierarchies, particularly for newer or evolving roots. It demonstrates strong lifecycle discipline while ensuring compatibility across browsers, operating systems, and platforms.

  2. Preparation for Even Shorter Lifecycles: Moving directly from long-lived certificates to ultra-short lifetimes (such as 47 days) can be disruptive for organizations that are not fully automated. A 90-day model provides a practical transition point, allowing customers to modernize processes and tooling in preparation for future reductions.

  3. Driving Automation Adoption: Ninety-day certificates make manual renewal processes operationally unsustainable, intentionally encouraging the adoption of automated certificate lifecycle management. This aligns with industry best practices and supports resilient, outage-free operations.


Promoting an Automation-First Trust Model

By adopting shorter lifecycles, emSign reinforces an automation-first approach to public trust. Certificates are no longer treated as static, long-term assets but as dynamic credentials that must be issued, renewed, and rotated continuously and reliably.

This model:

  • Reduces reliance on manual tracking and calendar-based renewals

  • Encourages integration with automated enrollment protocols and CLM platforms

  • Improves security posture by limiting certificate exposure windows


Alignment with the Future of Public Trust

The move toward 47-day certificates represents the future direction of public trust, not a one-time change. emSign’s adoption of 90-day certificates positions it ahead of this curve—balancing present-day operational realities with long-term industry direction.

By aligning root store compliance, security objectives, and automation readiness, emSign enables organizations to transition smoothly toward shorter certificate lifecycles while maintaining trust, availability, and global interoperability.
