
Published 23 February 2026
We spoke about it last year: the rules governing SSL certificate lifecycles are changing. In case you missed it, the news is that, in April 2025, the CA/Browser Forum unanimously approved Ballot SC-081v3, a measure that reduces maximum certificate lifetimes from today’s 398 days down to just 47 days by March 2029. For businesses managing digital infrastructure, this represents one of the most significant shifts in certificate management in over a decade.
The changes are rolling out in phases, with the first deadline arriving on 15 March 2026. And while the security benefits are substantial, the operational implications are equally significant. Organisations that rely on manual certificate management will need to rethink their approach, and those already using automation will want to ensure their systems are ready for the increased renewal frequency.
In this guide, we’ll break down what’s changing, why it matters, and how your business can prepare without disruption.
What’s Changing in SSL Certificate Lifetimes
The CA/Browser Forum’s Ballot SC-081v3 introduces a phased reduction in both certificate validity periods and Domain Control Validation (DCV) reuse periods. Here’s the timeline:
Certificate Validity Periods:
Now until March 14, 2026: Maximum 398 days
March 15, 2026: Maximum reduced to 200 days*
March 15, 2027: Maximum reduced to 100 days
March 15, 2029: Maximum reduced to 47 days
*Please note: DigiCert will reduce lifetimes to 199 days from February 24, while Sectigo will go to 199 days on March 12.
Domain Control Validation (DCV) Reuse Periods:
Alongside certificate lifetimes, the period during which domain validation can be reused is also shrinking:
Now until March 14, 2026: 398 days
March 15, 2026: 200 days
March 15, 2027: 100 days
March 15, 2029: 10 days
*Please note: DigiCert will reduce this validity period to 199 days from February 24, while Sectigo will go to 199 days on March 12.
This second change carries significant operational weight. By 2029, organisations will need to re-verify domain ownership approximately every ten days, not just when certificates are renewed. If your business manages large certificate portfolios, this creates an additional layer of validation activity that must be factored into planning.
Subject Identity Information (SII) for OV and EV Certificates:
There’s an additional change for Organisation Validated (OV) and Extended Validation (EV) certificates. Starting 15 March 2026, the reuse period for Subject Identity Information, which includes company name and other organisational details, drops from 825 days to 398 days. This means more frequent re-verification of business credentials, adding administrative overhead for organisations using higher-assurance certificates.
Why These Changes Are Happening
The CA/Browser Forum didn’t make this decision out of the blue. The motion that was voted on set out the security and operational justifications, which have been building for years. The key points were:
Reducing the Window of Exposure
When a certificate’s private key is compromised, the damage potential is directly tied to how long that certificate remains valid. A certificate with a 398-day lifespan gives attackers up to 13 months to exploit a breach. With 47-day certificates, that window shrinks dramatically. The Forum said that shorter lifetimes decrease “the period of time in which inaccurate information would remain in a valid certificate, independent of any additional action by any involved stakeholder.” In other words, when a breach happens, the amount of damage is limited even if nothing extra is done.
Addressing the Limitations of Certificate Revocation
In theory, compromised certificates can be revoked before they expire. In practice, revocation systems have significant limitations. The arguments were blunt on this point, stating that certificate status services such as CRLs and OCSP “are technologies which do not adequately protect relying parties at the current scale of the internet”.
Many browsers have moved away from checking revocation status in real-time because it slows down connections and doesn’t always work reliably. Shorter certificate lifetimes sidestep this problem entirely by ensuring certificates expire before revocation becomes necessary in most cases.
Improving Crypto Agility
The security landscape is an ever-moving arms race. The cryptographic algorithms that are considered secure today may be broken tomorrow. And replacing the older algorithms with new ones is a complicated process. But shorter certificate lifetimes make it easier to roll out new cryptographic standards quickly across the entire web ecosystem, rather than waiting for long-lived certificates to expire naturally.
This is particularly relevant as the industry prepares for post-quantum cryptography. Quantum computers pose a theoretical threat to current encryption methods, and organisations with mature certificate automation will be better positioned to transition to quantum-resistant algorithms when the time comes.
Encouraging Better Practices
There’s also a practical element: shorter lifetimes force organisations to implement proper certificate management systems. The CA/Browser Forum recognises that requiring more frequent renewals will drive adoption of automation, which typically leads to better security hygiene overall.
How This Differs from Previous Lifespan Reductions
This isn’t the first time the industry has shortened certificate lifetimes.
SSL certificates originally had a maximum lifespan of eight years. Over time, that was progressively reduced to five years, then three years, then two years. In 2020, Apple forced the industry’s hand by announcing that Safari would no longer trust certificates valid for more than 398 days, and other browsers quickly followed. That change, while significant, still allowed for annual renewal cycles that most organisations could manage manually.
The move to 47-day certificates is different in scale. Previous reductions roughly halved certificate lifetimes; this change ultimately reduces them by more than 88% from the current standard. The shift from annual renewals to near-monthly renewals represents a fundamental change in how certificates must be managed, not just an incremental adjustment.
Operational and Security Impacts
The shift to shorter certificate lifetimes will affect your business differently depending on your current infrastructure and management practices. Here’s what to expect.
Increased Renewal Frequency
Today, certificate renewals are likely something your team handles occasionally. They sit alongside other annual or semi-annual IT maintenance tasks, dealt with in batches when the time comes. The 47-day model changes that dynamic entirely.
Rather than thinking in terms of renewal events per year, it helps to think about cadence. Currently, you renew a certificate and then largely forget about it for 12 months. By 2029, that same certificate demands attention roughly every 30 days to stay ahead of expiration. Certificate management stops being a scheduled task and starts being a background process that never really pauses.
For smaller businesses with a handful of certificates, this might feel manageable. For organisations with dozens or hundreds of certificates, the shift is more significant. It’s not just more work; it’s a different kind of work. The question must change from “who handles renewals when they come up” to “what system ensures renewals happen continuously without anyone needing to think about them.”
Heightened Risk of Outages
You might not notice when your certificate expires, but your users immediately will.
Warning screens will appear on your website, turning visitors away. Your APIs will stop functioning, payment integrations will fail, and internal services will break. The reputational and financial costs of an outage can be substantial, and with shorter certificate lifetimes, you’re increasing the chances.
When renewals happened annually, a missed deadline might go unnoticed for weeks before becoming critical. With 47-day certificates, that grace period disappears. You need systems that not only track expiration dates but act on them automatically and reliably.
Domain Validation Complexity
The reduction in DCV reuse periods adds another layer of operational complexity. By 2029, domain ownership must be re-verified every ten days. If your DNS setup is straightforward, this may be manageable with proper automation. But if you’re operating complex infrastructure, working with distributed teams, or relying on third-party hosting arrangements, frequent revalidation creates more coordination challenges.
This is particularly relevant if your business has grown through acquisition or operates across multiple regions with different technical teams managing different parts of your domain portfolio.
Impact on Different Certificate Types
All public SSL/TLS certificates are affected regardless of validation level, whether Domain Validated (DV), Organisation Validated (OV), or Extended Validation (EV). However, if you’re using OV or EV certificates, you’ll face additional overhead because of the Subject Identity Information changes. The reduced SII reuse period means more frequent verification of your business credentials (see above), which typically involves manual steps that can’t be fully automated.
One important distinction: private PKI certificates used within your corporate network are not subject to CA/Browser Forum rules. You can continue to issue longer-term certificates for internal services if you choose, though you may want to align internal practices with public certificate standards for consistency.
Practical Preparation for Your Business
The March 2026 deadline is approaching, but there’s still time to prepare properly. Here’s a practical roadmap for getting your organisation ready.
Conduct a Certificate Inventory
Before you can manage your certificates effectively, you need to know what you have. This means identifying every certificate across your infrastructure: production websites, staging environments, APIs, mail servers, internal tools, and any third-party services that rely on certificates you control.
This is harder than it sounds. Certificates often accumulate over time, issued by different team members, managed through different providers, and installed on systems that may have changed hands. Shadow IT and legacy infrastructure can hide certificates that nobody actively remembers but that will still cause problems if they expire.
A thorough audit should capture not just the certificates themselves, but also where they’re installed, who’s responsible for them, when they expire, and what validation level they use.
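An added example (not BrandShelter's or the CA/Browser Forum's code) of how inventory records can be checked against the schedule listed earlier: for each certificate it plans the next issuance date, reports the maximum lifetime the replacement can have, and flags whether domain validation will have to be repeated. The hosts, dates, the two-thirds renewal policy and the rule that the DCV window in force on the issuance date applies are assumptions.

```python
from datetime import date, timedelta

# Phases listed in the article (Ballot SC-081v3):
# (effective date, max certificate validity in days, max DCV reuse in days)
PHASES = [
    (date(2026, 3, 15), 200, 200),
    (date(2027, 3, 15), 100, 100),
    (date(2029, 3, 15), 47, 10),
]

def limits_on(issued):
    """Return (max validity, max DCV reuse) in days for a given issuance date."""
    limits = (398, 398)  # limits before the first phase
    for effective, validity, dcv in PHASES:
        if issued >= effective:
            limits = (validity, dcv)
    return limits

def audit(inventory, today):
    """Plan the next issuance for each inventory record."""
    report = []
    for cert in inventory:
        lifetime = (cert["not_after"] - cert["not_before"]).days
        # Assumed policy: renew once two thirds of the lifetime has elapsed.
        renew_on = cert["not_before"] + timedelta(days=lifetime * 2 // 3)
        issue_date = max(renew_on, today)  # overdue renewals are issued today
        next_max, dcv_window = limits_on(issue_date)
        status = ("EXPIRED" if cert["not_after"] < today
                  else "RENEW_NOW" if renew_on <= today else "OK")
        report.append({
            "host": cert["host"], "status": status, "renew_on": issue_date,
            "next_max_days": next_max,
            # Assumption: the reuse window in force on the issuance date applies.
            "needs_new_dcv": (issue_date - cert["last_dcv"]).days > dcv_window,
        })
    return report

# Constructed sample inventory: hypothetical hosts and dates.
INVENTORY = [
    {"host": "www.example.com", "not_before": date(2025, 6, 1),
     "not_after": date(2026, 7, 4), "last_dcv": date(2025, 6, 1)},
    {"host": "api.example.com", "not_before": date(2026, 3, 20),
     "not_after": date(2026, 10, 6), "last_dcv": date(2026, 3, 20)},
    {"host": "mail.example.com", "not_before": date(2025, 2, 1),
     "not_after": date(2026, 3, 1), "last_dcv": date(2025, 2, 1)},
]

if __name__ == "__main__":
    print(*audit(INVENTORY, today=date(2026, 4, 1)), sep="\n")
```

In a real audit the `not_before` and `not_after` values would come from the certificates themselves rather than from a hand-maintained list.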
Assess Your Current Management Approach
Be honest about how your organisation handles certificate renewals today. If you’re tracking expiration dates in spreadsheets, relying on calendar reminders, or depending on individuals to remember when renewals are due, that approach won’t scale to the new requirements.
Ask yourself: if the person currently responsible for certificate renewals left tomorrow, would renewals still happen? If the answer is uncertain, that’s a sign your process needs to be more systematic.
Prioritise Automation
If you’ve read everything up to here and are thinking that it feels like the CA/Browser Forum is trying to force automatic certificate management on everyone, then you’ve got the right impression. The inconvenience is deliberate, because the industry consensus is that, for the security of the internet, automation is no longer optional.
Automated certificate lifecycle management handles the entire process from issuance through renewal and installation, removing human intervention from routine operations. This eliminates the risk of someone forgetting a renewal deadline and reduces the chance of configuration errors during installation.
If you’re not already using automation, the phased timeline gives you room to implement it properly. The 200-day certificates in 2026 are manageable with good manual processes; the 47-day certificates in 2029 are not.
Review Your Hosting and DNS Configuration
Your ability to automate certificate renewals depends partly on your infrastructure setup. Some hosting providers support automated certificate protocols like ACME out of the box. Others require manual intervention or have limitations on how certificates can be installed.
Similarly, your DNS configuration affects how quickly and easily domain validation can occur. If your DNS is managed by a third party or requires approval workflows for changes, that can create bottlenecks during renewal. And any bottlenecks will be amplified if you’re doing it every 47 days.
Understanding these dependencies now gives you time to address them before the deadlines hit.
Plan for OV and EV Certificate Overheads
If your business uses Organisation Validated or Extended Validation certificates, factor in the additional administrative work. The verification of your business credentials will happen more frequently, and some of that process requires human involvement.
Consider whether all the certificates currently using OV or EV validation actually need that level of assurance, or whether some could be migrated to DV certificates with less administrative overhead.
How BrandShelter Can Help
Navigating the shift to shorter SSL certificate lifetimes doesn’t have to be complicated. BrandShelter provides the tools and expertise to help your organisation manage this transition smoothly.
Our platform offers unified certificate management through a single dashboard, giving you visibility across your entire certificate portfolio. Combined with upcoming automated renewal workflows and proactive expiration monitoring, you can ensure that certificates are renewed on time, every time, without relying on manual tracking or calendar reminders.
We support all certificate types, including DV, OV, and EV, from leading certificate authorities including DigiCert, Sectigo, GeoTrust, Thawte, PositiveSSL, InstantSSL and RapidSSL. Whether you’re managing a handful of certificates or hundreds across multiple domains, our team can help you build a certificate management approach that scales with the new requirements.
Your domains are business-critical assets. Your SSL certificates deserve the same level of expert care.
Ready to discuss your certificate management needs? Get in touch with our team via our Contact Us page or email us directly at [email protected].
Frequently Asked Questions
Is this mandatory?
For publicly trusted certificates, yes. The CA/Browser Forum sets the baseline requirements that all public certificate authorities must follow. If a CA issues certificates that don’t comply, browsers will stop trusting them, which effectively means those certificates won’t work. Private PKI certificates used solely within your internal network aren’t subject to these rules; you can continue issuing longer-term certificates for internal use if you prefer.
Will SSL certificate pricing change?
Generally, no. The cost of individual certificates isn’t expected to increase as a direct result of shorter lifetimes. Many providers offer multi-year subscription plans where you pay once and reissue certificates as needed throughout the plan period. The reissuance itself is typically free. However, if you’re currently managing certificates manually, you may face increased costs in terms of staff time and operational overhead.
Does this apply to all certificate types?
All public SSL/TLS certificates are affected, including Domain Validated (DV), Organisation Validated (OV), and Extended Validation (EV) certificates. The changes apply regardless of whether you’re securing a single domain, multiple domains, or using wildcard certificates. Code signing certificates and S/MIME email certificates operate under different rules and aren’t affected by this particular ballot.
What happens if I don’t prepare?
The most immediate risk is service outages. When a certificate expires, browsers display warning messages that prevent visitors from accessing your site. APIs reject connections. Payment systems fail. Beyond the operational disruption, there’s reputational damage; customers encountering security warnings may lose trust in your brand. As renewal frequency increases, the probability of a missed deadline grows if you’re relying on manual processes.
Can I still use manual processes?
Technically, yes, but it becomes increasingly impractical. The 200-day certificates in 2026 are manageable with disciplined manual processes. The 100-day certificates in 2027 will strain most manual workflows. By 2029, when certificates last just 47 days and domain validation must be repeated every 10 days, manual management becomes a recipe for outages. DigiCert’s assessment is blunt: manual revalidation at that stage would be “a recipe for failure.”