` reads). %> The 47-Day Certificate Schedule: SC-081v3, DCV Reuse, and What to Automate | TLS Radar Skip to main content
lifecycle 3 min read By TLS Radar Team

The 47-Day Certificate Schedule: SC-081v3, DCV Reuse, and What to Automate

In April 2025 the CA/Browser Forum passed ballot SC-081v3, "Introduce Schedule of Reducing Validity and Data Reuse Periods." It does two things on the same set of dates: it shrinks maximum certificate validity, and - the part that gets less attention - it shrinks how long a CA may reuse domain control validation (DCV) before it has to re-check. Here is the schedule and what it does to your renewal pipeline.

The schedule

EffectiveMax validityDCV data reuse
Until 2026-03-15398 days398 days
2026-03-15200 days200 days
2027-03-15100 days100 days
2029-03-1547 days10 days

The 200-day tier is already in force. The two that bite hardest are still ahead.

Validity is the obvious half. DCV reuse is the sharp one.

Most coverage focuses on the validity column, because that is the number that maps to "how often do I reissue." But the DCV reuse column is what changes the shape of automation. Today, having validated control of a domain, a CA can reuse that proof for up to 398 days - so you can reissue freely without re-running an HTTP-01 or DNS-01 challenge each time. By 2029, reuse drops to 10 days. In practice that means validation stops being a once-a-year event and becomes a near-continuous background process: most reissuances will require a fresh challenge.

If your renewal automation treats validation as the rare, fragile step it bolts on around a stable cert - manual DNS TXT updates, a human approving a CNAME, a challenge file dropped by a deploy script - that assumption breaks. Validation has to be as automated and as monitored as issuance itself.

Multi-perspective validation, in passing

Running alongside this is MPIC (Multi-Perspective Issuance Corroboration), which requires CAs to confirm domain control from several network vantage points rather than one, to resist BGP-hijack-based misissuance. It is a CA-side requirement, so it does not change your config - but it is part of why the whole validation surface is getting stricter, and why a flaky DNS or HTTP challenge that "usually works" is a worse bet than it used to be.

What this means operationally

  • ACME everywhere, no exceptions. Any certificate still issued or installed by hand is a recurring liability at 47/10-day cadence. Inventory the manual holdouts now - the load balancer someone configured in 2021, the appliance with a web UI, the internal service with a long-lived cert - because those are where the 2027 and 2029 outages will come from.
  • Validation is now a monitored dependency. Track challenge success/failure as a first-class signal. A DNS-01 that silently stops resolving, an HTTP-01 blocked by a new WAF rule, clock drift breaking issuance - these now recur every few weeks instead of yearly.
  • Short-lived certs change rollout assumptions. Pinning, certificate caching, and anything that assumes a stable cert fingerprint needs review. Overlap windows shrink; "renew three weeks early and observe" compresses.
  • External validation matters more, not less. Your renewal pipeline reporting success is not the same as the endpoint actually serving a valid, complete chain. The more often renewals run, the more often that gap appears. An outside check that doesn't trust the pipeline is the backstop. We walked through the failure-mode catalogue in Why Expiry Monitoring Alone Isn't Enough.

The bottom line

SC-081v3 is not really a "certificates expire faster" story - it is a "manual certificate operations stop working" story. The validity reduction is survivable with automation you may already have. The DCV reuse reduction is the one that turns validation into a continuous, monitored process. Teams that get there before March 2027 will barely notice 2029; teams that wait will meet both cliffs at once.

Source: CA/Browser Forum, Ballot SC-081v3.

Get the next post in your inbox

TLS monitoring tips and product updates. No spam, unsubscribe anytime.

Keep reading

Related guides

Comparing tools? See how TLS Radar stacks up against DigiCert and SSL.com.