DEV Community

Alexander

Posted on • Originally published at domain-sentry.com

SSL Certificate Validity Is Dropping to 200 Days in 2026

The old "renew it once a year and forget it" model for public TLS certificates is going away.

On April 11, 2025, the CA/Browser Forum approved Ballot SC-081v3. The first deadline is March 15, 2026, when the maximum validity of publicly trusted TLS certificates drops from 398 days to 200 days. Then it drops again to 100 days in 2027 and 47 days in 2029.

The new timeline

  • Until March 15, 2026: maximum validity is 398 days
  • From March 15, 2026: 200 days
  • From March 15, 2027: 100 days
  • From March 15, 2029: 47 days

Domain validation reuse is shrinking too:

  • Until March 15, 2026: 398 days
  • From March 15, 2026: 200 days
  • From March 15, 2027: 100 days
  • From March 15, 2029: 10 days

This matters because the change affects both renewal frequency and how often certificate authorities can rely on older validation data.

Who pushed for this?

The proposal came from Apple and passed with support from the major browser vendors and most certificate authorities. That is a strong signal that this is a long-term ecosystem shift, not a temporary experiment.

Apple had already pushed the industry toward shorter lifetimes before, including the move to 398-day certificates in 2020. SC-081v3 continues the same direction: shorter trust windows, fresher validation data, and less reliance on slow manual certificate handling.

Why the industry is doing this

The logic behind the change is straightforward.

Certificate data gets stale

Certificates reflect a point in time. Over the course of a year, domains can change hands, teams can change ownership, and infrastructure can move.

Compromised keys should age out faster

If a private key is exposed, a shorter lifetime limits how long it remains useful. Revocation still matters, but shorter validity reduces the damage window.

Mis-issuance becomes less dangerous

When a certificate is issued based on outdated or incorrect information, shorter lifetimes reduce how long that mistake stays trusted.

Automation is no longer optional

The CA/B Forum is effectively telling the industry that certificate lifecycle management must become more automated, more observable, and easier to rotate.

What 200 days changes in practice

Two hundred days still sounds manageable, but it changes the rhythm of operations:

  • renewals move from an occasional task to a recurring process
  • weak spreadsheets and calendar reminders become riskier
  • legacy systems with manual deployment start standing out
  • failed automation hurts faster because recovery windows are shorter

For small teams, the problem is usually visibility. For larger teams, it is process drift: some certificates are automated, some are half-automated, and some still depend on one person remembering what to do.

What to do before March 2026

You do not need a huge PKI project. You do need a clean baseline.

  1. Inventory every public certificate and assign an owner.
  2. Split certificates into automated, partially automated, and manual.
  3. Verify deployment, not just issuance.
  4. Add alerts before expiry, such as 30, 14, 7, 3, and 1 day.
  5. Flag systems that will struggle at 100 days and 47 days.
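The checks in steps 3 and 4, together with the validity caps from the timeline above, as an added example that is not part of the original post. It uses only the Python standard library; the schedule constants, the `assess` function and the sample dates are assumptions constructed for illustration. `fetch_validity` reads the certificate a host actually serves (the deployment check, as opposed to what the CA's issuance log says) and needs network access, so the stand-alone run below uses constructed dates instead:

```python
"""Expiry and lifetime checks for a deployed public TLS certificate.

Added example (not from the original post). Caps are the maximum validity
periods set by CA/Browser Forum Ballot SC-081v3; the 398-day baseline is the
limit in force before March 15, 2026.
"""
import socket
import ssl
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# (effective date, maximum validity in days) per SC-081v3.
VALIDITY_SCHEDULE = [
    (datetime(2026, 3, 15, tzinfo=UTC), 200),
    (datetime(2027, 3, 15, tzinfo=UTC), 100),
    (datetime(2029, 3, 15, tzinfo=UTC), 47),
]
BASELINE_MAX_DAYS = 398

# Alert thresholds from the post: 30, 14, 7, 3 and 1 day before expiry.
ALERT_THRESHOLDS_DAYS = (30, 14, 7, 3, 1)


def max_validity_days(issued_at):
    """Return the maximum lifetime allowed for a certificate issued at issued_at."""
    cap = BASELINE_MAX_DAYS
    for effective, days in VALIDITY_SCHEDULE:
        if issued_at >= effective:
            cap = days
    return cap


def assess(not_before, not_after, now):
    """Evaluate a certificate's validity window against the schedule and alert thresholds.

    not_before / not_after come from the certificate; now is the evaluation time.
    Returns a plain dict so the result can be logged or fed to an alerting system.
    """
    lifetime_days = (not_after - not_before).days
    remaining_days = round((not_after - now).total_seconds() / 86400, 2)
    cap = max_validity_days(not_before)
    return {
        "lifetime_days": lifetime_days,
        "max_allowed_days": cap,
        "exceeds_cap": lifetime_days > cap,
        "remaining_days": remaining_days,
        "expired": remaining_days <= 0,
        # Every threshold already crossed; the smallest one is the current alert stage.
        "alerts": [t for t in ALERT_THRESHOLDS_DAYS if remaining_days <= t],
    }


def fetch_validity(host, port=443, timeout=5.0):
    """Return (not_before, not_after) of the certificate the host really serves.

    This is the deployment check: a renewed certificate that was issued but never
    installed will still show the old dates here. Requires network access.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    not_before = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), tz=UTC)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=UTC)
    return not_before, not_after


if __name__ == "__main__":
    # Constructed sample: a 398-day certificate issued after the first deadline,
    # evaluated 10 days before it expires.
    issued = datetime(2026, 4, 1, tzinfo=UTC)
    expires = issued + timedelta(days=398)
    report = assess(issued, expires, now=expires - timedelta(days=10))
    for key, value in report.items():
        print(f"{key}: {value}")
```

A certificate that exceeds the cap for its issuance date would not be issued by a conforming CA, so `exceeds_cap` mostly catches inventory entries whose recorded dates are wrong or whose issuer is private rather than publicly trusted; the `alerts` list is what a scheduler would turn into the 30/14/7/3/1-day notifications.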

The key insight is this: 200 days is not the end state. It is the transition phase. If your process still depends on memory, tickets, and luck in 2026, it will be painful by 2029.
