The change applies to all TLS certificates issued by any public certificate authority. There are four stages.

• From today until 2026-03-15, the maximum lifetime for a TLS certificate is 398 days (365 plus buffer)
• From 2026-03-15 through 2027-03-15, the maximum lifetime is 200 days (180 plus buffer)
• From 2027-03-15 through 2029-03-15, the maximum lifetime is 100 days (90 plus buffer)
• After 2029-03-15, the maximum lifetime for TLS certificates will be limited to 47 days (45 plus buffer)

On top of this, the maximum validity period of domain ownership validation will drop to ten days on 2029-03-15.

This schedule has been set by the CA/Browser Forum, and was originally proposed by Apple with Google and Mozilla quickly concurring. Longer certificates are still technically possible, they just won't be trusted by browsers. If you're already using certificate pinning or you're already clicking through a "This certificate is expired/self-signed/whatever!" warning, nothing changes for you.

If you use certificates issued by a public CA for IPSec VPNs, these certificates will be affected. For site-to-site VPNs, this is an extremely rare configuration. After years handling VPN issues in the TAC, I'm pretty sure I can count the number of times I've seen it on one finger. It's fairly common for remote access, though (Mobile Access, SNX, etc.).

This will definitely affect inbound (WAF-style) HTTPS Inspection.

It will affect certificates presented by Mobile Access, SNX, and so on.

It might affect the certificates used for access to the web UI of the firewalls, web SmartConsole, SmartView, and so on. These are often self-signed, which would not be affected at all. Certificates signed by a CA would need to have shorter lifespans to be trusted by browsers.

It will not affect the certificate authority used for client-to-random-website HTTPS Inspection. The internal certificates generated by the feature will need shorter lifespans, otherwise client browsers won't trust them, but those are generated automatically anyway.

It will not affect site-to-site VPNs using shared secrets.

It will not affect site-to-site VPNs using certificates signed by the ICA.

It will not affect SIC certificates.

If you're doing site-to-site VPNs with certificates signed by a public CA, I'd love to hear more about it.

Those are the only things I can think of offhand which can interact with certificates, public CAs, or browsers (which is where the change is actually being made).

Yes but TAC contradicted itself, First response Yes, which they would have asked to close the case at that point until I provided the AI output. Then the second response was NO.
I have not got a response yet from DigiCert for approx 2 weeks

I was hoping someone on here could get a response from DigiCert, like they did with the previous DigiCert change.
The previous DigiCert change was announced on this forum. i.e.

IMPORTANT - Action Required For VPN/Remote Access Security Gateways Using DigiCert - by Sep 8, 2025

If I were you, I would check with your local SE about it and see if they can get an absolute confirmation, so there is no ambiguity.

I had not see any announcement from any other fw vendor for PSK, but lets see.

FWIW, this is AI answer.

*********************************

Below is the most accurate industry-reality check I can give you right now, based on how PKI, browsers, and VPN vendors actually work, and what the 47-day change really affects.

✅ 1. The 47-day Limit Does NOT Apply to IPSec VPN Certificates (Today)

Even though DigiCert said “no exceptions, applies to all environments”, that answer is technically correct only for certificates issued under the CA/Browser Forum rules (i.e., public TLS server certificates).

✔ CA/B Forum rules apply to public, browser-trusted certificates.

✘ They do not apply to:

• IPSec / IKE certificates

• Internal PKI

• Machine identity certificates

• S/MIME certs

• Private trust roots

• Most non-HTTP certificate use cases

IPSec VPN certificates are not governed by CA/B Forum rules unless you are doing something very unusual—like using a publicly-trusted certificate from DigiCert for IKE authentication, which almost no enterprises do.

This is why you’re hearing contradictory answers:
Support reps answer literally (“all environments”), but the CA rules do not apply to non-browser use cases.

✅ 2. Will there be exceptions in the future?

Most likely no, because IPSec VPNs are not in scope to begin with.

Vendors like DigiCert follow:

• CA/B Forum Baseline Requirements → for public TLS

• Their own PKI policies → for private PKI, code signing, device identity, VPN usage

The 47-day limit is only for public TLS certificates.
VPN certs generally come from:

• Your internal CA, or

• A private intermediate issued by DigiCert, Sectigo, Entrust (private hierarchies are not subject to the 47-day rule)

Those can still have:

• 1-year,

• 2-year,

• or even 5-10 year validity depending on your policy.

✅ 3. Will other certificate authorities follow the 47-day rule?

For publicly-trusted TLS?
Yes, 100%—they have no choice. The CA/B Forum mandated it.

For IPSec VPN certificates?
No. They are outside the scope.

✅ 4. Will Check Point, Cisco, Palo Alto, Fortinet etc. need to modify IPSec VPN certificate handling?

Not for this rule.

Why? Because none of them require or expect:

• 47-day public certs

• public CA-issued certs for IKE

They all expect:

• Internal CA or

• Private PKI hierarchy with long validity certificates

Check Point specifically:

Check Point’s documentation explicitly says:

Use internal CA or private CA for VPN certificate enrollment.

Public CAs are barely mentioned outside HTTPS inspection.

❗ 5. What will require major vendor changes?

✔ Cisco’s announcement about removing pre-shared keys

This is a completely separate initiative (cryptographic hardening).

Cisco is pushing:

• IKEv2 only

• Certificate-based authentication only

• No PSK (eventually)

If others follow—and they likely will over the long term—this increases:

• certificate management effort

• PKI dependencies

• automation requirements

But this still does NOT require short-lived certificates.

Vendors expect:

• 1–3 year certificates

• automated enrollment via SCEP / EST / CMP

• internal CA

❗ 6. Why DigiCert told you “47 days affects all environments”

Because:

1. Their support reps answer according to the public TLS policies, not the technical PKI context.

2. Many customers mistakenly use public TLS certs for non-browser purposes, so support gives a safe universal answer.

3. The internal/private CA products are not being forced to 47-day validity.

💡 7. Your concern about operational overhead is valid

You wrote:

"If the single cert is used on multiple VPNs… admins, peer admins, testers, business outages… takes weeks"

Yes—certificate-based IKE authentication is operationally painful unless you automate it.

The only realistic long-term solution is:

• Automated enrollment (SCEP, EST, CMPv2)

• Automated push to both VPN peers

• Automated rekeying

• Avoiding public CAs entirely for IKE

Check Point already supports:

• SCEP (somewhat clunky)

• LetsEncrypt via CPAC is for HTTP only, not IKE

• Internal CA with long validity

They do NOT expect you to rotate IKE certs every 47 days.

⭐ Bottom Line

The 47-day certificate lifetime does not apply to IPSec VPN certificates.

You can safely use:

• Internal CA

• Private DigiCert CA

• 1–3 year validity certs

No firewall vendor currently intends to enforce 47-day IPSec certificate renewals.

Check Point has restricted the use of PSKs to static IP endpoints for as long as I can remember, FWIW.

As the deadline approaches, I suspect we will make changes to make this process easier.

Lets see...there might be another official statement about it.