47 days instead of a year:
TLS/SSL certificates become a hurdle race

The rules for publicly trusted TLS/SSL certificates are changing fundamentally: the maximum permitted term will be gradually reduced until 2029 – to 47 days. At the same time, Organization Validation (OV) will also be valid for a much shorter period in the future. For organizations that operate their web and application landscape via CDN and edge platforms (such as Akamai's solutions), this is a clear signal: Without automated certificate processes, default and compliance risks increase significantly.


The following article provides an overview of how you can overcome the new hurdles step by step.

What exactly is changing? 

The maximum term will be reduced in stages:

  • until March 15, 2026: 398 days
  • from March 15, 2026: 200 days
  • from March 15, 2027: 100 days
  • from March 15, 2029: 47 days

Renewals are no longer planned annually, but become a recurring operational process.

Typical stumbling blocks in CDN environments 

Especially with CDN-operated host names, technical "validability" determines success or chaos:

  • Automated challenges (e.g., HTTP-01) only work properly in many setups if all hostnames correctly point to the CDN via DNS (CNAME).
  • Mixed landscapes (partly CDN, partly origin, partly legacy) increase the error rate. Therefore, the system does not forgive mismanagement with a 47-day.

Our recommendations: 3 measures that really count 

Create a certificate & domain inventory
Which certificates run where, for which domains, with what criticality (CDN, APIs, portals, B2B interfaces)?

Automate & operationalize renewal
ACME/automated renewals, clear ownership, runbooks, change windows, monitoring/alerting.

Check DNS/validation setup for Akamai
CNAME chains, hostname patterns, edge/origin demarcation – so that automation does not fail in reality.
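
The inventory and the DNS check can be run as one audit over the certificate list. The following is an added example, not code from this article or from Akamai; the inventory format, the hostnames, the edge domain `cdn-edge.example` and the rule of renewing in the last third of the term are assumptions.

```python
from datetime import date

# Staged maximum validity by issuance date, taken from the list in this article.
SCHEDULE = [(date(2029, 3, 15), 47), (date(2027, 3, 15), 100),
            (date(2026, 3, 15), 200), (date.min, 398)]
CDN_SUFFIX = "cdn-edge.example"  # constructed placeholder for the CDN edge domain

def max_validity_days(issued: date) -> int:
    """Longest term allowed for a certificate issued on `issued`."""
    return next(days for start, days in SCHEDULE if issued >= start)

def on_cdn(cname_chain: list[str]) -> bool:
    """True if the last CNAME target lies under the CDN edge domain."""
    if not cname_chain:
        return False  # no CNAME at all, e.g. an A record straight to origin
    target = cname_chain[-1].rstrip(".").lower()
    return target == CDN_SUFFIX or target.endswith("." + CDN_SUFFIX)

def audit(entry: dict, today: date) -> list[str]:
    """Findings for one inventory entry; an empty list means nothing to do."""
    findings = []
    term = (entry["not_after"] - entry["not_before"]).days
    remaining = (entry["not_after"] - today).days
    # Cap in force on the expiry date, i.e. at the latest possible reissue.
    next_cap = max_validity_days(entry["not_after"])
    if remaining < 0:
        findings.append("expired")
    elif remaining <= term // 3:  # assumption: renew in the last third of the term
        findings.append(f"renewal due, {remaining} days left")
    if term > next_cap:
        findings.append(f"replacement capped at {next_cap} days (was {term})")
    if not on_cdn(entry["cname_chain"]):
        findings.append("CNAME chain does not end at the CDN")
    return findings

# Constructed sample inventory (hostnames, dates and chains are made up).
INVENTORY = [
    {"host": "www.example.com", "not_before": date(2025, 6, 1),
     "not_after": date(2026, 7, 3),
     "cname_chain": ["www.example.com.cdn-edge.example."]},
    {"host": "api.example.com", "not_before": date(2026, 4, 1),
     "not_after": date(2026, 10, 1), "cname_chain": []},
]

def report(today: date) -> dict[str, list[str]]:
    return {e["host"]: audit(e, today) for e in INVENTORY}

if __name__ == "__main__":
    for host, findings in report(date(2026, 6, 20)).items():
        print(host, findings or "ok")
```

In practice the inventory rows would be filled from the certificates actually served and from live DNS lookups rather than typed in by hand.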

Avoid certificates becoming a risk for your next incident.

Are you still using third-party or organization-validated (OV) certificates? If so, we strongly recommend switching to domain-validated (DV) certificates. This will allow you to fully automate your certificate renewal process.

We are happy to support you in switching to short terms – from inventory and risk analysis to automation and operational integration (monitoring, processes, governance).
