DEV Community

Certera
SSL/TLS Certificate News 2026

SSL/TLS Certificates Validity

Public SSL/TLS certificates will no longer be issued with today's maximum validity of 398 days (roughly 13 months). Under CA/Browser Forum ballot SC-081 the cap drops in stages: 200 days from March 2026, 100 days from March 2027 and 47 days from March 2029, so renewal becomes a task that runs several times a year rather than once. DigiCert and Sectigo have each published their own cut-over dates, which sit on or just ahead of the Baseline Requirements deadlines.

DigiCert

DigiCert will implement the new validity changes in four phases, each one day under the Baseline Requirements cap. Certificates issued before February 24, 2026, will retain the current maximum validity of 397 days. Between February 24, 2026, and early 2027, the maximum validity will drop to 199 days. From early 2027 through early 2029, it will further reduce to 99 days. After early 2029, certificates will be capped at just 46 days.

Sectigo

Sectigo follows a similar but slightly different schedule. Certificates issued before March 15, 2026, will maintain the current 398-day maximum. Between March 15, 2026, and March 15, 2027, the maximum drops to 200 days. From March 15, 2027, through March 15, 2029, it reduces further to 100 days. After March 15, 2029, the maximum validity will be just 47 days.

Required Actions

To prepare, start by discovering every certificate in use across your infrastructure: public web servers, load balancers, CDNs, API gateways, mail and VPN endpoints, and the appliances that were provisioned by hand and forgotten. Next, inventory every system that depends on each certificate and map where automated issuance (ACME or a CA API) can replace manual renewal. Build a phased rollout plan that aligns with the timeline above, and treat automation as the foundation of certificate management from here on: at a 47-day lifetime, renewing at two thirds of the lifetime means a fresh certificate roughly every month for every endpoint.

Domain Validation (DCV) Reuse Reduction

Shortening the period for which a completed domain control validation (DCV) may be reused means domain ownership must be re-proven for new orders far more often. It also means the validation path (DNS, HTTP or email) has to work reliably every time, not just once a year.

DigiCert

DigiCert's domain validation reuse periods will mirror the certificate validity reduction timeline. Before February 24, 2026, DCV results can be reused for up to 397 days. Between February 24, 2026, and early 2027, the reuse window shortens to 199 days. From early 2027 through early 2029, it drops to 99 days. After early 2029, domain validation results will only remain valid for 9 days, meaning organizations will need to revalidate domain ownership almost weekly.

Sectigo

Sectigo's DCV reuse reduction follows its own schedule. Before March 15, 2026, validation results can be reused for up to 398 days. Between March 15, 2026, and March 15, 2027, the reuse period shrinks to 200 days. From March 15, 2027, through March 15, 2029, it reduces to 100 days. After March 15, 2029, DCV results will expire after just 10 days.

Required Actions to Take

Organizations should prepare for domain control to be re-proven far more often than current workflows allow. Prioritise DNS-based validation (the DNS Change method, or ACME's dns-01 challenge) because it can be driven entirely from an API without touching the web tier. That API credential becomes a sensitive secret in its own right: scope it to the `_acme-challenge` or CAA records it must write, or delegate the `_acme-challenge` name by CNAME to a separate zone, rather than granting write access to the whole domain. Most importantly, automate as much of the DCV process as possible; manual revalidation every 9 or 10 days is not sustainable at scale.

Using MPIC for Domain Control & CAA Checks

Multi-Perspective Issuance Corroboration (MPIC) requires a CA to perform its domain control and CAA checks from several independent network vantage points and to corroborate the results before issuing. An attacker who can hijack a BGP route or otherwise redirect traffic near a single vantage point can pass a single-perspective check; to pass an MPIC check they would have to subvert most of the perspectives at the same time.

CA/Browser Forum Timeline

The rollout happens in three phases. Phase One, effective March 2025, requires certificate authorities to perform domain validation checks from multiple network locations, though no specific minimum number of perspectives is mandated at this stage.

Phase Two takes effect in September 2025. CAs must check from at least 2 remote network locations, and one non-corroboration is allowed — meaning if one perspective fails to confirm domain control but the other succeeds, issuance can still proceed.

Phase Three begins in February 2026 and raises the bar further. CAs must check from at least 3 remote network locations spread across at least 2 different Regional Internet Registries (RIRs). One non-corroboration is still permitted.

Required Actions to Take

Make sure the DNS records and HTTP validation paths a CA will query are reachable from networks around the world, not just from your own region. MPIC perspectives run from several networks and source addresses, so review firewall rules, geo-blocking, WAF bot rules and rate limits that could drop a validation request arriving from an unexpected location; allow-listing a single CA address range is not enough. Finally, watch validation failures closely: with more perspectives there are more ways for a check to fail, and an unresolved failure now delays issuance.
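As an added example (not code from the original post or from any CA), the program below runs the kind of pre-issuance self-check this section recommends: it looks up a DCV TXT record from several public resolvers, treats each resolver as a network perspective, and applies the phase-three quorum rule described above (at least 3 remote perspectives spanning at least 2 RIR regions, with at most one non-corroborating perspective). The resolver list, the RIR labels attached to them and the `_acme-challenge` name and token are assumptions; a CA's real perspectives are different hosts in different networks, so passing here only shows that the record is visible broadly, not that issuance will succeed.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"sort"
	"time"
)

// Perspective is one vantage point: the resolver we query and the RIR region
// the quorum rule counts it under (assumed labels for public anycast resolvers).
type Perspective struct {
	Name     string
	RIR      string // ARIN, RIPE, APNIC, LACNIC or AFRINIC
	Resolver string // host:port of the DNS resolver used for this perspective
}

// Observation is what one perspective saw for the validation record.
type Observation struct {
	Perspective Perspective
	Values      []string
	Err         error
}

// Corroborates reports whether this perspective saw the expected token.
func (o Observation) Corroborates(expected string) bool {
	if o.Err != nil {
		return false
	}
	for _, v := range o.Values {
		if v == expected {
			return true
		}
	}
	return false
}

// Quorum applies the rule the post describes for phase three: at least
// minRemote perspectives, spanning at least minRIRs regions, with no more
// than allowedMisses of them failing to corroborate the expected value.
func Quorum(obs []Observation, expected string, minRemote, minRIRs, allowedMisses int) (bool, string) {
	if len(obs) < minRemote {
		return false, fmt.Sprintf("only %d perspectives, need %d", len(obs), minRemote)
	}
	regions := map[string]bool{}
	var misses []string
	for _, o := range obs {
		regions[o.Perspective.RIR] = true
		if !o.Corroborates(expected) {
			misses = append(misses, o.Perspective.Name)
		}
	}
	if len(regions) < minRIRs {
		return false, fmt.Sprintf("perspectives span %d RIR region(s), need %d", len(regions), minRIRs)
	}
	if len(misses) > allowedMisses {
		sort.Strings(misses)
		return false, fmt.Sprintf("%d non-corroborations %v, at most %d allowed", len(misses), misses, allowedMisses)
	}
	return true, "corroborated"
}

// LookupTXT queries one resolver directly, so each perspective's answer is
// independent of the local stub resolver and its cache.
func LookupTXT(ctx context.Context, p Perspective, name string) Observation {
	r := &net.Resolver{
		PreferGo: true,
		Dial: func(ctx context.Context, network, _ string) (net.Conn, error) {
			d := net.Dialer{Timeout: 5 * time.Second}
			return d.DialContext(ctx, network, p.Resolver)
		},
	}
	vals, err := r.LookupTXT(ctx, name)
	return Observation{Perspective: p, Values: vals, Err: err}
}

func main() {
	// Assumed stand-in perspectives; the RIR labels are illustrative only.
	perspectives := []Perspective{
		{"cloudflare", "APNIC", "1.1.1.1:53"},
		{"google", "ARIN", "8.8.8.8:53"},
		{"quad9", "ARIN", "9.9.9.9:53"},
	}
	name, token := "_acme-challenge.example.com", "constructed-dcv-token" // assumed
	ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second)
	defer cancel()
	var obs []Observation
	for _, p := range perspectives {
		o := LookupTXT(ctx, p, name)
		fmt.Printf("%-10s corroborates=%v values=%v err=%v\n", p.Name, o.Corroborates(token), o.Values, o.Err)
		obs = append(obs, o)
	}
	ok, why := Quorum(obs, token, 3, 2, 1)
	fmt.Println("quorum:", ok, why)
}
```

Run it after publishing a validation record and before submitting the order; a perspective that times out or returns a stale value points at propagation lag, a geo-blocking rule, or a resolver that is still serving an old TTL.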

DNSSEC Enforcement

Certificate authorities are now required to validate DNSSEC signatures when they perform the DNS lookups used for domain control validation and CAA checks. For a signed zone that means a broken chain of trust (an expired RRSIG, a DS record at the parent that no longer matches the zone's key, a missing key) makes the lookup fail closed, and issuance fails with it. Unsigned zones are not affected.

Timeline

DigiCert will begin enforcing DNSSEC validation on February 24, 2026. This means DNSSEC validation will be applied during both domain control validation and CAA record checks whenever DNSSEC is present in the domain's DNS configuration.

Sectigo's operational date follows shortly after on March 12, 2026. Sectigo's compliance hub highlights broader 2026 compliance changes, including DCV reuse shortening and reminders for proper DNSSEC signing configuration.

The CA/Browser Forum Baseline Requirements update takes effect on March 15, 2026, making DNSSEC validation mandatory for all relevant DNS lookups across the entire industry.

Required Actions to Take

Review your DNS configuration to determine whether DNSSEC is enabled for your domains. If it is, confirm the chain is actually valid, not just present: signing keys, RRSIG expiry, and the DS record at the parent all have to line up. Check it with a validating resolver before the deadline, for example `delv @9.9.9.9 example.com A` reports whether the answer was fully validated, `dig +dnssec` shows the RRSIGs and the AD flag, and DNSViz gives a picture of the whole delegation chain. Test the names the CA will actually query as well, such as the zone's CAA record and the `_acme-challenge` name. Misconfigured or broken DNSSEC will cause certificate issuance to fail once enforcement begins, so finding and fixing these issues before the deadlines is critical.

Sunsetting Client Authentication EKU from Public TLS Certificates

Public TLS certificates will no longer support Client Authentication Extended Key Usage (EKU). This change affects both the certificates themselves and the root hierarchies from which they are issued.

Extended Key Usage (EKU) Changes

Under Chrome's policy, both Server Authentication and Client Authentication EKUs can be included in TLS certificates prior to June 15, 2026. Starting June 15, 2026, only Server Authentication EKU will be permitted.

DigiCert's transition plan begins earlier. Starting October 1, 2025, DigiCert will begin issuing public TLS certificates with only Server Authentication EKU by default, though a temporary option to include both Server and Client Authentication EKUs will remain available during enrollment. By May 1, 2026, DigiCert will fully remove the Client Authentication EKU from all newly issued public TLS certificates, including new orders, renewals, reissues, and duplicates.

PKI Hierarchy Changes

Prior to June 15, 2026, TLS certificates may be issued from multipurpose root hierarchies. Starting June 15, 2026, TLS certificates must be issued from dedicated TLS-only root hierarchies. DigiCert will convert the following roots to dedicated TLS hierarchies:

  • DigiCert Global Root G2
  • DigiCert Global Root G3
  • DigiCert TLS ECC P384 Root G5
  • DigiCert TLS RSA4096 Root G5
  • QuoVadis Root CA2 G3

Required Actions to Take

Organizations must stop using public TLS certificates for client authentication. Switch to a private PKI, or to dedicated client-authentication certificates issued from a hierarchy intended for that purpose. Audit every application that relies on mutual TLS (mTLS) to find where a public TLS certificate is presented as the client identity, and plan the migration before the June 2026 deadline; the verifying side needs its trust store updated to the new issuer at the same time, or the cut-over breaks both ends. `openssl x509 -in cert.pem -noout -ext extendedKeyUsage` shows whether a certificate still carries `TLS Web Client Authentication`.
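The following is an added example, not code from the original post or from DigiCert, Sectigo or Chrome. It serves both the certificate inventory step from the validity section above and the mTLS audit just described: for each certificate it measures the lifetime, compares it with the CA/Browser Forum SC-081 cap in force on the certificate's NotBefore date, flags the clientAuth EKU, and proposes a renewal date. The certificates it audits are constructed, self-signed test data generated in-process; the names, dates and the two-thirds renewal rule are assumptions, and a real inventory would load PEM files or the leaf certificate from a TLS handshake instead.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Caps from CA/Browser Forum ballot SC-081, newest first. DigiCert and Sectigo
// apply their own cut-over dates, as the tables earlier in the post show.
var validityCaps = []struct {
	from time.Time
	days int
}{
	{time.Date(2029, 3, 15, 0, 0, 0, 0, time.UTC), 47},
	{time.Date(2027, 3, 15, 0, 0, 0, 0, time.UTC), 100},
	{time.Date(2026, 3, 15, 0, 0, 0, 0, time.UTC), 200},
}

// MaxValidityDays returns the longest lifetime a public TLS certificate may
// have if it is issued at the given time.
func MaxValidityDays(issued time.Time) int {
	for _, c := range validityCaps {
		if !issued.Before(c.from) {
			return c.days
		}
	}
	return 398
}

// Finding is the audit record for one certificate.
type Finding struct {
	Subject       string
	LifetimeDays  int
	CapDays       int
	ExceedsCap    bool
	HasClientAuth bool
	RenewBy       time.Time
}

// Audit measures the lifetime, compares it with the cap in force at NotBefore,
// flags the clientAuth EKU, and proposes renewing at two thirds of the lifetime
// (an assumption; it matches common ACME client defaults).
func Audit(cert *x509.Certificate) Finding {
	lifetime := cert.NotAfter.Sub(cert.NotBefore)
	f := Finding{
		Subject:      cert.Subject.CommonName,
		LifetimeDays: int(lifetime.Hours() / 24),
		CapDays:      MaxValidityDays(cert.NotBefore),
		RenewBy:      cert.NotBefore.Add(lifetime * 2 / 3),
	}
	f.ExceedsCap = f.LifetimeDays > f.CapDays
	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageClientAuth {
			f.HasClientAuth = true
		}
	}
	return f
}

// selfSigned builds a constructed P-256 test certificate with the given
// validity window and EKUs, standing in for certificates a real inventory
// would load from disk or from a TLS handshake.
func selfSigned(cn string, notBefore time.Time, days int, ekus ...x509.ExtKeyUsage) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(0, 0, days),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  ekus,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func main() {
	// Constructed inventory: a pre-cutover mTLS certificate, an old-style
	// lifetime issued after the 200-day cap, and a 90-day one after the 47-day cap.
	inventory := []*x509.Certificate{
		selfSigned("legacy.example.com", time.Date(2026, 1, 10, 0, 0, 0, 0, time.UTC), 397,
			x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth),
		selfSigned("www.example.com", time.Date(2026, 4, 1, 0, 0, 0, 0, time.UTC), 397,
			x509.ExtKeyUsageServerAuth),
		selfSigned("api.example.com", time.Date(2029, 4, 1, 0, 0, 0, 0, time.UTC), 90,
			x509.ExtKeyUsageServerAuth),
	}
	for _, c := range inventory {
		f := Audit(c)
		fmt.Printf("%-18s lifetime=%3dd cap=%3dd exceeds=%-5v clientAuth=%-5v renew-by=%s\n",
			f.Subject, f.LifetimeDays, f.CapDays, f.ExceedsCap, f.HasClientAuth,
			f.RenewBy.Format("2006-01-02"))
	}
}
```

The cap is keyed to NotBefore because that is the date the CA's rule applies to; a certificate issued before a cut-over keeps its full lifetime even after the cap drops. Any finding with `exceeds=true` will not be issuable in that form at renewal time, and any with `clientAuth=true` is an mTLS dependency to migrate.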

Future Changes to Keep in Mind

Several additional changes are scheduled for the coming years that organizations should plan for now.

On March 15, 2026, the Crossover validation method (3.2.2.4.8) will be phased out entirely. Phone and email verification methods will be officially discouraged at this point but will remain available for the time being.

By March 15, 2027, phone-based verification methods will be completely phased out. No new certificates will be issued using phone verification after this date.

Finally, on March 15, 2028, email-based verification methods will also be retired. From that point forward, certificates will be validated exclusively through DNS-based, HTTP-based or IP-based methods.

Inspired by - Major SSL/TLS Certificate Changes 2026: Every Website Owner Must Know
