Your connection to the future is not private

NET::ERR_CERT_VALIDITY_APOCALYPSE

Your certificates
are about to expire.
All of them. Forever, faster.

By March 2029, every public TLS certificate on Earth will live just 47 days. BubOps cannot stop the CA/Browser Forum. But we will be right here in the server room — panicking, professionally — when your padlock turns red.

Issued to every website you have ever loved
Next cliff 100-day certificates enforced  ·  2027-03-15
Valid until days hrs min sec

Broadcast segment 01 · The situation

Certificates are getting shorter. On purpose. On a schedule.

In April 2025 the CA/Browser Forum passed Ballot SC-081v325 certificate authorities in favor, zero against, with Apple, Google, Microsoft and Mozilla all voting yes. Maximum certificate lifetime drops in three steps. Watch a certificate's whole life collapse:

  1. 398 days Before Mar 2026 The good old days. You renewed once a year and forgot about it.
  2. You are here 200 days Since 2026-03-15 In effect now. Most CAs already cap issuance at 199 days.
  3. Next cliff 100 days From 2027-03-15 Roughly quarterly renewals. Manual processes start to hurt.
  4. Final form 47 days From 2029-03-15 Plus domain-validation reuse drops to just 10 days. Automate or perish.

Every publicly trusted TLS certificate is affected. There is no opt-out, no enterprise exception, and no amount of asking the CA nicely. There is only automation.

Broadcast segment 02 · Intercepted transmissions

Field reports from the renewal front

Unverified. Almost certainly fictional. Emotionally accurate.

"I set 47 calendar reminders. My calendar now has its own on-call rotation."
Dana R.renews certs by hand, allegedly
"We moved everything to ACME and now I have so much free time I took up woodworking. Ask me about my birdhouse."
Priya S.SRE who escaped
"Our cert expired on a Friday at 4:59pm. We do not talk about the weekend."
Anonymousstill recovering

Broadcast segment 03 · The part that actually helps

The BubOps five-step survival runbook

Shorter lifetimes only hurt when renewal is manual. Do these, in order, and 47 days becomes a non-event. This is the real advice. We hid it inside a joke so you'd read it.

  1. 01

    Inventory every certificate

    Find them all — including the one on that server nobody will admit they own. You cannot renew what you cannot see. Start with a discovery scan and a single source of truth.

  2. 02

    Automate issuance with ACME

    Let's Encrypt, ZeroSSL, or your CA's ACME endpoint. Point a client (certbot, acme.sh, Caddy, cert-manager) at it and let renewal happen on its own. This is the whole ballgame.

  3. 03

    Monitor and alert before expiry

    Watch expiry dates and warn at 30 / 14 / 7 days out. Page a human only when the automation fails — not as the primary renewal mechanism.

  4. 04

    Shorten your lead times

    Kill manual approval gates for routine renewals. A 47-day certificate cannot wait three weeks for a change ticket. Make renewal boring and fast.

  5. 05

    Manage the whole lifecycle

    Treat certificates as fleet, not pets. Adopt certificate lifecycle management, and stand up a private ACME CA for internal services so the same automation covers everything.

Broadcast segment 04 · Choose your coping strategy

BubOps plans, priced by stage of grief

None of these are real. There is no checkout. The buttons scroll you to the advice, because the advice is free.

Denial

$0/ forever

"Certificates? We don't have any of those."

  • One (1) calendar reminder you will ignore
  • Hope, renewable annually
  • A single manual renewal, at 11pm
Keep pretending

Bargaining

$47/ mo, symbolic

"What if we just… asked the CA nicely?"

  • A spreadsheet of all your certs
  • A Slack channel named #cert-incidents
  • Thoughts and prayers, now automated
Negotiate