Introduction
SSL/TLS certificates are the foundation of web security, enabling encrypted connections and verified identities across the internet. In a significant move to enhance this security, the CA/Browser Forum—the industry body that sets standards for publicly-trusted certificates—has approved Ballot SC-081, mandating a phased reduction in maximum certificate lifetimes.
By March 2029, the maximum validity period for SSL/TLS certificates will be just 47 days—down from the current 398 days. This represents one of the most significant changes to certificate management in years, requiring organizations to fundamentally rethink how they handle certificate lifecycle management.
Key Dates to Remember
March 15, 2026
200-day maximum
March 15, 2027
100-day maximum
March 15, 2029
47-day maximum
Alongside the certificate lifetime reduction, the domain validation (DV) reuse period will also shrink from 398 days to just 10 days by 2029. This means domain ownership must be re-verified much more frequently, making automation not just beneficial but essential.
Timeline & Phase-Down Schedule
The CA/Browser Forum has established a gradual transition period to give organizations time to adapt. Here's the complete timeline:
March 15, 2026
First reduction phase. Organizations should begin automation planning.
200 days
200 days
398 days
Change from previous: Certificate lifetime reduced from 398 days to 200 days, DV reuse period reduced from 398 days to 200 days
| Effective Date | Max Certificate Lifetime | Domain Validation Reuse | OV/EV Subject Info Reuse |
|---|---|---|---|
| Current (2025) | 398 days | 398 days | 398 days |
| March 15, 2026 | 200 days | 200 days | 398 days |
| March 15, 2027 | 100 days | 100 days | 398 days |
| March 15, 2029 | 47 days | 10 days | 398 days |
Source: CA/Browser Forum Ballot SC-081
Note: OV (Organization Validation) and EV (Extended Validation) subject information reuse remains at 398 days throughout all phases. Only domain validation reuse follows the accelerated reduction schedule.
Why Certificate Lifetimes Are Being Reduced
The decision to reduce certificate lifetimes wasn't made lightly. The CA/Browser Forum identified several critical security concerns that shorter lifetimes address:
Stale Certificate Information
Organizations change over time—companies merge, domains change ownership, and contact information becomes outdated. Longer certificate lifetimes mean this information can remain incorrect for extended periods, potentially misleading users and creating security gaps.
Revocation Mechanism Limitations
Current revocation mechanisms—Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP)—have known reliability issues. Browsers don't always check revocation status, and when they do, the checks can fail silently. Shorter certificate lifetimes reduce dependence on these imperfect systems by ensuring certificates naturally expire more quickly.
Compromised Key Exposure Window
When a private key is compromised, the attacker can impersonate the legitimate certificate holder until the certificate expires or is successfully revoked. A 47-day maximum lifetime significantly reduces this exposure window compared to nearly 400 days under current rules.
Encouraging Automation
The CA/Browser Forum explicitly aims to push the industry toward automated certificate management. According to industry analysis, automation not only reduces the risk of human error but also enables organizations to respond more quickly to security incidents and adopt new cryptographic standards.
"Shorter certificate lifetimes force organizations to adopt automation, which ultimately leads to better security hygiene and faster incident response capabilities."
Benefits of Shorter Certificate Lifetimes
While the transition requires effort, shorter certificate lifetimes bring substantial security improvements:
Enhanced Security Posture
Shorter validity windows reduce the time attackers can exploit compromised certificates.
Minimized Exploit Window
Even if a private key is compromised, the exposure window is significantly reduced.
Improved Crypto Agility
Faster certificate rotation enables quicker adoption of new cryptographic standards.
Better DevOps Alignment
Automated renewal fits naturally with modern CI/CD and infrastructure-as-code practices.
Challenges of Shorter Certificate Lifetimes
The transition to shorter lifetimes presents significant operational challenges, particularly for organizations still relying on manual certificate management:
More Frequent Renewals
Organizations will need to renew certificates up to 8x more often by 2029.
Increased Validation Workload
Domain validation must be repeated more frequently, especially with 10-day DCV reuse.
Risk of Outages
Without automation, the risk of certificate expiration and service disruption increases.
Infrastructure Requirements
Organizations need to invest in automation tools and update their processes.
Critical: According to security analysts, organizations will face an eightfold increase in renewal frequency by 2029. Manual certificate management processes that work today will become untenable under the new requirements.
Impact on Validation Data
Beyond certificate lifetimes, the new guidelines significantly impact how long validation data can be reused:
- Domain Control Validation (DCV): The period for reusing domain validation decreases from 398 days to 200, then 100, and finally just 10 days by 2029. This means organizations must re-prove domain ownership much more frequently.
- IP Address Validation: Similar to domain validation, IP validation reuse follows the same timeline reduction.
- OV/EV Subject Information: Organization and extended validation subject data (company name, address, etc.) can still be reused for 398 days, providing some relief for organizations requiring higher validation levels.
The 10-day DCV reuse period in 2029 is particularly impactful—it means domain ownership verification cannot be "banked" for long periods, requiring more frequent validation processes.
Automation & Best Practices
With manual certificate management becoming impractical, organizations must embrace automation. Here are the key areas to address:
Certificate Discovery & Inventory
Before automating, you need visibility. Conduct a comprehensive audit of all certificates across your organization:
- Identify all domains and subdomains with certificates
- Map certificate ownership to responsible teams
- Document expiration dates and renewal schedules
- Use our SSL Checker to verify current certificate status
Adopt ACME/API Automation
The ACME (Automatic Certificate Management Environment) protocol enables fully automated certificate issuance and renewal. Key considerations:
- Evaluate ACME client options (Certbot, acme.sh, commercial solutions)
- Test automation in staging environments before production
- Implement proper error handling and alerting
- Consider certificate lifecycle management (CLM) platforms for enterprise environments
Monitoring & Alerting
Even with automation, monitoring is essential to catch failures before they cause outages:
- Set up expiry reminders using our SSL Checker's reminder feature
- Monitor certificate transparency logs for your domains
- Implement automated health checks for HTTPS endpoints
- Create runbooks for responding to certificate-related incidents
Testing & Rollback Procedures
With more frequent changes comes higher risk of issues. Prepare accordingly:
- Test new certificates before deploying to production
- Maintain rollback procedures for certificate changes
- Schedule renewals during low-traffic periods when possible
- Document and practice incident response procedures
Post-Quantum Crypto Agility
Shorter certificate lifetimes align with the industry's preparation for post-quantum cryptography. Organizations should:
- Stay informed about post-quantum cryptography developments
- Ensure infrastructure can handle new certificate types
- Plan for algorithm agility in certificate deployment
Preparation Checklist
Use this checklist to ensure your organization is ready for the upcoming changes:
Preparation Checklist
- 1Inventory all certificates in your organization
- 2Identify certificates expiring after March 2026
- 3Evaluate automation tools (ACME, commercial CLM solutions)
- 4Test renewal processes in staging environments
- 5Set up monitoring and alerting for certificate expiration
- 6Document procedures and assign certificate ownership
- 7Plan for post-quantum cryptography transition
Frequently Asked Questions
Further Learning & Resources
Internal Resources
- SSL Certificate Pricing Guide – Understand certificate costs and find affordable options
- Certificate Management Guide – Learn to manage, renew, and monitor certificates
- SSL vs TLS vs HTTPS Explained – Understand the protocols behind secure connections
- DV, OV & EV Certificate Guide – Compare validation levels and choose the right certificate
- Post-Quantum Cryptography Guide – Prepare for quantum-safe TLS
- SSL Checker Tool – Verify your certificate installation and set up expiry reminders
External References
- CA/Browser Forum – Official ballot documentation and announcements
Take Action Now
The transition to shorter certificate lifetimes is not optional—it's an industry mandate. Organizations that prepare now will have a smoother transition and stronger security posture. Start by auditing your current certificates and evaluating automation solutions.
My-SSL Security Team
The My-SSL Security Team brings over 15 years of combined experience in SSL/TLS certificate management, web security, and PKI infrastructure. Our team regularly contributes to industry standards and provides guidance to thousands of businesses securing their online presence.
Editorial Standards: All content is reviewed by our security experts for technical accuracy. We follow industry best practices and reference official CA/Browser Forum guidelines.Learn more about SSL security.