Upcoming SSL/TLS Validation Changes for DigiCert, Sectigo & Global Major CAs

The CA/Browser Forum (a consortium of browser makers and Certificate Authorities including DigiCert, Sectigo, Google, Apple, Mozilla, and others) has approved a phased reduction of SSL/TLS certificate lifespans and domain validation reuse periods. These changes are being adopted by all major public CAs to improve internet security and accelerate certificate lifecycle management automation. 

Here’s the exact implementation timeline:

| CA | Exact Date | Maximum SSL/TLS Certificate Validity |
| --- | --- | --- |
| DigiCert | February 24, 2026 | 199 days |
| Sectigo | March 12, 2026 | 199 days |
| GlobalSign | March 14, 2026 | 199 days |
| CA/B Forum Baseline (all CAs) | March 15, 2026 | 200 days |
| Future Reductions | March 15, 2027 | 100 days |
| Future Reductions | March 15, 2029 | 47 days |

Certificates issued before these CA-specific cutoffs may still have longer validity (up to ~397–398 days). After these dates, all newly issued certificates must adhere to the 199-day maximum for that CA.  

Why This Matters

  1. Increased Renewal Frequency

With shorter certificate lifespans, companies will need to renew or re-issue certificates more often, potentially every 1–2 months by 2029. Manual renewal becomes impractical without automation.

  2. Automation Becomes Critical

Invest in certificate lifecycle management tools and automation (e.g., ACME-based services, CLM platforms) to ensure certificates are issued and deployed before expiry.

  3. Validation Workflow Changes

Domain validation reuse windows are shrinking, so IT teams must ensure DNS records, email validation endpoints, and API access are ready to support more frequent validation without service disruption.

  4. API & Platform Adjustments

Organizations using APIs to request certificates should update parameters to reflect reduced validity limits. Some CAs (like DigiCert) will proactively cap validity in API responses starting in late February 2026.  

Preparation Checklist

1. Review Current Certificate Inventory

Audit all active certificates to check expiry dates and plan renewals before DigiCert (Feb 24, 2026), Sectigo (Mar 12, 2026), and GlobalSign (Mar 14, 2026) cutoffs.  

2. Implement Automated Renewal Workflows

  • Use ACME-compatible solutions where supported 
  • Integrate automation into CI/CD pipelines

3. Update Validation Processes

  • Ensure DNS-01, HTTP-01, or email validation endpoints are ready to support frequent validation
  • Track domain validation reuse expiration dates proactively

4. Prepare IT & Security Teams

Ensure internal teams are aware of the new timelines and can proactively monitor certificate expiration and re-issuance workflows. 
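For step 1 of the checklist, the Python sketch below (an added example, not code from this article or from any CA) audits an inventory against the timeline table and simulates how often each certificate will need to be renewed. It assumes the 2027 and 2029 reductions apply to every CA, treats 398 days as the pre-cutoff maximum, and renews 30 days before expiry; the function names, hostnames and dates are constructed for illustration.

```python
import ssl
from datetime import date, datetime, timedelta, timezone

# Cutoff dates and caps copied from the timeline table in this article.
CA_CUTOFF = {"DigiCert": date(2026, 2, 24), "Sectigo": date(2026, 3, 12),
             "GlobalSign": date(2026, 3, 14)}
BASELINE = [(date(2029, 3, 15), 47), (date(2027, 3, 15), 100), (date(2026, 3, 15), 200)]
LEGACY_MAX = 398  # assumption: upper end of the "~397-398 days" quoted above

def max_validity_days(ca, issued):
    """Longest validity allowed for a certificate `ca` issues on date `issued`."""
    for start, cap in BASELINE:  # newest rule first
        if issued >= start:
            return min(cap, 199) if ca in CA_CUTOFF else cap
    if ca in CA_CUTOFF and issued >= CA_CUTOFF[ca]:
        return 199  # CA-specific cap that starts before the Forum baseline
    return LEGACY_MAX

def parse_cert_time(text):
    """Parse notBefore/notAfter as returned by ssl.SSLSocket.getpeercert()."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), timezone.utc).date()

def renewal_plan(ca, not_after, lead_days=30, until=date(2030, 1, 1)):
    """Successive renewals, each issued `lead_days` before expiry at the maximum
    validity allowed that day. Returns [(issue_date, validity_days), ...]."""
    plan, expires = [], not_after
    while (issue := expires - timedelta(days=lead_days)) < until:
        days = max_validity_days(ca, issue)
        if lead_days >= days:  # renewal lead would swallow the whole lifetime
            raise ValueError(f"lead_days={lead_days} is not below the {days}-day cap")
        plan.append((issue, days))
        expires = issue + timedelta(days=days)
    return plan

def audit(inventory, today):
    """One row per certificate: remaining life and the cap its replacement gets."""
    rows = []
    for host, ca, not_before, not_after in inventory:
        nb, na = parse_cert_time(not_before), parse_cert_time(not_after)
        issue, cap = (renewal_plan(ca, na) or [(None, None)])[0]
        rows.append({"host": host, "days_left": (na - today).days,
                     "current_validity": (na - nb).days, "next_issue": issue, "next_cap": cap})
    return rows

# Constructed sample inventory (hostnames and dates are made up).
INVENTORY = [
    ("shop.example.com", "DigiCert", "Jan 10 00:00:00 2026 GMT", "Feb 11 23:59:59 2027 GMT"),
    ("api.example.com", "Sectigo", "Jun  1 00:00:00 2025 GMT", "Apr 20 23:59:59 2026 GMT"),
]
if __name__ == "__main__": print(*audit(INVENTORY, date(2026, 2, 1)), sep="\n")
```

Calling `renewal_plan` with a `lead_days` value of 47 or more fails once the 47-day cap applies, which is a useful check on whether an existing renewal lead time still fits the 2029 limit.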

Benefits of Shorter SSL/TLS Validity

1. Enhanced Security

Shorter validity limits reduce the time window in which a stolen or compromised certificate can be misused.  

2. Faster Key & Crypto Updates

More frequent reissue cycles allow enterprises to adopt newer cryptographic standards faster.  

3. Better Automation & Modern Practices

Shorter validity encourages adoption of modern certificate automation, reducing human error and outages.  

Conclusion

The SSL/TLS certificate validity reduction starting in 2026 is a major shift in how enterprises manage public certificates. Companies must audit certificates, implement automation, update validation workflows, and prepare IT teams for the increased renewal frequency. While challenging, these changes strengthen digital trust and reduce security risk across enterprise networks.