· security · 10 min read
Trust on a Timer: Why 47-Day Certificates Break Static Pinning
By 2029, public TLS certificates will live just 47 days. The math alone retires a decade of mobile-app security practice — and forces every architect to revisit how trust is established, rotated, and revoked.
The 8× problem
If you manage 1,000 TLS certificates today, you handle roughly 1,000 renewal events per year. By March 2029, that same inventory generates more than 8,000 renewal events per year, and the validation data that proves you control your domains has to be re-established every 10 days.
That isn’t a forecast. It’s the schedule the CA/Browser Forum approved in April 2025 with Ballot SC-081v3, endorsed by every major browser vendor and 25 certificate authorities, with zero votes against. The phased reduction looks like this:
| Effective date | Max certificate validity | Max DCV reuse |
|---|---|---|
| Today (398-day era) | 398 days | 398 days |
| 15 March 2026 | 200 days | 200 days |
| 15 March 2027 | 100 days | 100 days |
| 15 March 2029 | 47 days | 10 days |
Three milestones, three years, one trajectory: trust anchors that used to outlive your phone are now shorter-lived than a typical sprint cycle.
This isn’t an operational nuisance to absorb with extra calendar reminders. It’s an architectural change that retires several practices most organisations still rely on — chief among them, static certificate pinning in mobile apps.
How we got here, briefly
Pinning made sense in 2011. After DigiNotar was breached and used to issue rogue certificates for *.google.com, Chrome detected the attack precisely because Google had pinned a small set of trusted public keys directly into the browser. Pinning short-circuited the entire CA trust hierarchy: even if a rogue CA signs a bad cert, the client refuses to accept it because the key doesn’t match the pin.
The web tried to formalise this with HTTP Public Key Pinning (HPKP). It failed so completely — too easy to brick your own site, no recovery from a misconfiguration — that Chrome and Firefox both deprecated it. Browsers moved on to Certificate Transparency, which scaled better and didn’t put a footgun in every site operator’s hands.
But mobile didn’t move on. Mobile apps still routinely embed pinned certificates or pinned public keys directly into the binary, because the threat model — defending against a state-level adversary or a compromised CA on a hostile network — felt important enough to justify the rigidity. And until certificate lifespans shrank, the rigidity was tolerable.
It is no longer tolerable. And the reason is structural.
The asymmetry gap
Akamai’s recent white paper on 47-day lifecycles gives this problem a precise name: the asymmetry gap. Server-side certificates rotate at the speed of an ACME job — minutes. App binaries rotate at the speed of an app store review plus a user’s willingness to tap “Update” — days, weeks, sometimes months.
Think of it like this: imagine a bank vault where the lock is rekeyed every 47 days, but the keys handed to the bank’s customers are physically welded into their wallets and can only be replaced by visiting a branch in person. As long as the lock changed once a year, no one minded the inconvenience. Change it every six weeks, and the entire scheme collapses — not because the lock is bad, but because the update channel for the keys can’t keep up.
That’s the asymmetry. The server side is automating; the client side is shipping firmware. When the gap is small (one rotation per year), pinning is forgiving. When the gap is large (eight rotations per year), every misalignment is an outage.
We’ve seen the failure mode already. In 2016, Barclays’ UK mobile banking app stopped working for thousands of customers when an intermediate certificate they had pinned in the app reached end-of-life. People couldn’t pay for things. The fix required an emergency app release. That was a one-off in a 398-day world. In a 47-day world, this class of failure becomes a steady-state operational risk.
OWASP’s own pinning guidance has acknowledged this for years: “If the site rotates its certificate on a regular basis, then your application would need to be updated regularly… pinning will lead to an outage.” The guidance was true at 398 days. It becomes existential at 47.
What replaces static pinning
The answer isn’t “stop pinning.” Pinning still defends against real attacks — rogue CAs, MITM on hostile networks, supply-chain compromise of trust stores. The answer is to make the pinned identity longer-lived than the certificate that carries it, and to make the pin set itself updatable without a binary release.
Three patterns, in increasing order of maturity:
1. Pin the public key, not the certificate
This is Akamai’s specific recommendation in the white paper, and it’s also the OWASP-endorsed approach: pin the Subject Public Key Info (SPKI) hash, not the leaf certificate.
Why it matters: the SPKI is the hash of the public key. As long as your CA reissues the certificate with the same key pair at renewal — which most CAs and ACME clients support — the SPKI hash is stable across rotations. The certificate’s serial number, validity dates, and signature all change. The pin doesn’t.
This is a one-line change in most mobile pinning libraries (Android NetworkSecurityConfig, iOS NSPinnedDomains, OkHttp’s CertificatePinner, AlamoFire), and it converts most rotation events from outage risks into non-events.
2. Make the pin set runtime-configurable
Pin a small, signed configuration document hosted on a high-availability endpoint, not the certs themselves. The app downloads the signed pin list at startup, verifies the signature against a long-lived signing key embedded in the binary, and uses the result for the session.
You now have two trust anchors with very different lifecycles:
- The signing key in the binary — long-lived, rotated only on major releases
- The pin set fetched at runtime — short-lived, rotates as often as the certs do
Approov, Firebase Remote Config, and the open-source TrustKit all implement variants of this. The architecture is sound regardless of which vendor you pick.
3. Move trust from pins to provenance
The most modern pattern stops pinning entirely and validates trust against Certificate Transparency logs instead. CT logs are append-only Merkle trees that record every publicly trusted certificate the moment it’s issued. If a rogue CA issues a cert for your domain, it shows up in the logs within hours — and your monitoring catches it before any client sees it.
This shifts the security model from “block at validation time” to “detect at issuance time.” It scales: instead of every client carrying a pin set, your security team carries a single CT-log subscription and a SIEM rule. For internal certificates, mTLS with dynamic trust anchors fills the same role.
Server-side: the part you control
Mobile is where the headlines will be. The server side is where the work actually happens. A few things to get right before March 2026:
Inventory first, automation second. Akamai’s white paper is blunt about this: “Visibility is the fundamental prerequisite for security.” Most large organisations discover during the migration that they have hundreds of certificates they didn’t know about — shadow IT, decommissioned services that someone forgot to remove from the load balancer, wildcard certificates pinned in third-party SDKs. Until you have a single source of truth, automation just industrialises the chaos.
Adopt ACME everywhere it can run. Let’s Encrypt has been on a 90-day cadence since 2015 and runs the majority of public-facing TLS on the internet today. The protocol works. The clients are mature. For commercial CAs that need policy controls, ACME External Account Binding (EAB) lets you keep the automation while preserving identity, billing, and approval workflows. There’s no plausible reason left to be issuing certificates by email.
Treat origin certificates as a separate problem. If you’re behind a CDN, you actually have two certificates in play: the one the edge presents to the user, and the one your origin presents to the edge. Both will be subject to the new lifecycle. The edge cert is usually managed by the CDN provider — Akamai, Cloudflare, Fastly, etc. — and rotates automatically. The origin cert is yours, and is often the forgotten one.
If you can’t fully automate origin certificate rotation yet, Akamai recommends a pragmatic stopgap: pin a specific origin certificate in the edge configuration and rotate it manually on an annual or semi-annual schedule. This buys time without leaving you exposed, and it’s a much easier scope of work than retrofitting every internal service with ACME on day one.
Wire certificate health into CI/CD. A failing TLS health check should fail a deployment, not page someone at 3 AM. The same pipelines that run your tests, lint your config, and gate your deploys can verify “every host this release will serve has a certificate with at least N days of remaining validity.” Trust posture becomes a build artefact.
Subscribe to your own CT logs. Free services like crt.sh and commercial monitoring (Akamai’s DNS Posture Management embeds this; so do most enterprise PKI platforms) will alert you when any certificate is issued for a domain you control. This is how you catch a misissuance — yours or an attacker’s — before it matters.
What to do Monday morning
If you read nothing else, read this list. Each item is doable inside 90 days and meaningful.
- Inventory every certificate your organisation depends on, including third-party SDKs your mobile app embeds. You probably don’t have this list.
- Audit every mobile app for static pinning. Identify whether it pins leaf certificates, SPKIs, or CA certificates. Leaf-pinned apps are your highest risk.
- Switch leaf pins to SPKI pins as a first migration step. Same defensive value, dramatically lower rotation risk.
- Pilot a runtime-configurable pin set in one non-critical app to learn the pattern before it becomes urgent.
- Verify ACME automation on every server-side certificate that can use it. Document which ones can’t, and what it would take to fix them.
- Subscribe to CT-log alerts for your primary domains. This costs nothing and catches misissuance immediately.
- Add a “TLS validity” check to your CI/CD health gates. Fail deployments that ship hosts with certs expiring inside 14 days.
- Map your edge-to-origin certificate dependencies if you sit behind a CDN. The two-certificate problem is the most commonly missed.
The takeaway
Static certificate pinning was a tactical answer to a real problem in a slow-moving certificate world. That world is gone. The 200-day milestone arrives in March 2026, the 100-day milestone in March 2027, and 47 days in March 2029. Each of those dates eliminates a margin that legacy security practice quietly relied on.
The good news is that the same forces driving the change — ACME, CT logs, CI/CD-integrated trust — also give us better tools than we had a decade ago. The architecture exists. The protocols are mature. The vendor support is broad. What’s missing in most organisations is just the institutional decision to retire the old patterns before the new schedule retires them for us.
If you’re a security architect, the question isn’t whether to act. It’s whether you want to do the work in 2026 on your own schedule, or in 2029 under pressure with users locked out of your app.
Note: This post draws on Akamai’s TLS Certificate Lifecycles white paper for the asymmetry-gap framing and the SPKI-pinning recommendation, and on the CA/Browser Forum’s Ballot SC-081v3 for the schedule of record. Opinions are my own.