MonsterMegs

Essential SSL Certificate Validity Facts to Protect Sites

Originally published at https://monstermegs.com/blog/ssl-certificate-validity/

Every SSL certificate running on a one-year renewal cycle is already out of step with the industry. On March 15, 2026, the rules around SSL certificate validity changed permanently – the maximum allowed lifetime dropped from 398 days to 200 days. That is only the first cut in a four-phase plan that ends with 47-day certificates by 2029. The CA/Browser Forum, the body that governs publicly trusted TLS certificates, passed Ballot SC-081 with unanimous support from Apple, Google, and Mozilla. The vote is now reshaping how every website manages HTTPS.

What the SSL Certificate Validity Cut Actually Means

For most site owners, a one-year SSL certificate felt like a reasonable renewal cycle. Set a calendar reminder, generate a new cert, move on. That workflow is finished. The SSL certificate validity window is now capped at 200 days, meaning manual renewal teams must revisit the process nearly twice a year. By March 2027, the window drops to 100 days. By March 2029, it falls to just 47 days – roughly six and a half weeks per certificate. At that point, a missed renewal means a browser warning that drives visitors away instantly.

The scope of this change is hard to overstate. According to Infosecurity Magazine, the transition from 398 days to 47 days by 2029 represents a reduction of more than 88% in maximum allowed certificate lifespan, affecting hundreds of millions of active certificates worldwide. The SSL certificate validity reduction applies equally to a solo blogger and a Fortune 500 company. The only difference is that larger organisations typically already have certificate lifecycle management tools in place. Smaller site owners who renew manually face the steepest adjustment.

The Four-Phase Reduction Timeline

The CA/Browser Forum did not drop to 47-day certificates overnight. The ballot established a deliberate step-down schedule designed to give the industry time to adapt. Understanding each phase is essential for anyone planning hosting infrastructure through the late 2020s. Phase one arrived March 15, 2026: the SSL certificate validity cap fell to 200 days. Phase two lands March 15, 2027: the cap drops to 100 days. Phase three lands March 15, 2029: certificates expire after just 47 days. Alongside these lifetime cuts, the reuse period for Domain Control Validation data also shrinks at each step, with CAs eventually required to re-verify domain ownership every 10 days rather than every 398.

What Already Changed in March 2026

The first deadline has already passed, and the industry moved fast. Certificate Authorities did not wait for stragglers – phase one is in force, and any certificate issued after March 15, 2026 carries a maximum SSL certificate validity of 200 days. Certificates issued before that date retain their original lifespan, so there is no retroactive change to existing certs. But every renewal from this point on reflects the new limits, and the 200-day clock starts from the moment of issuance.

GlobalSign Moves First

GlobalSign, one of the world's largest public Certificate Authorities, announced it would enforce a 199-day maximum on newly issued certificates starting March 2026 – one day under the 200-day cap, ensuring full compliance with the updated Baseline Requirements. GlobalSign described the shift as a deliberate push toward certificate automation, framing shorter SSL certificate validity not just as a policy constraint but as a forcing function designed to make manual renewal operationally untenable at scale.

Domain Control Validation Also Tightens

Alongside the lifespan cuts, Phase Three requirements that began in February 2026 raised the bar on domain ownership verification. Certificate Authorities must now confirm domain control from at least three remote network locations spread across at least two different Regional Internet Registries. Previously a single-point check was sufficient. This multi-perspective validation closes a class of BGP hijacking attack where a malicious actor could reroute verification traffic to obtain a fraudulent certificate for a domain they do not control.


SSL Certificate Validity and the Push for Automation

The CA/Browser Forum is not subtle about its intent. The inconvenience of shorter SSL certificate validity is deliberate. Every CA and browser vendor that voted yes on Ballot SC-081 understood that shrinking validity windows would make manual renewal operationally untenable. The forum's published position is that for the long-term security of the internet, automated certificate management is no longer optional – it is the only realistic path forward.

The solution the industry has converged on is the ACME protocol, which powers services like Let's Encrypt. ACME automates the full certificate lifecycle – domain validation, issuance, installation, and renewal – without human intervention. Hosting providers that support ACME-compatible certificate management can handle the current 200-day SSL certificate validity window, and eventually the 47-day window, without adding any manual workload per customer. Those relying on manual processes face renewal tasks roughly every six weeks once 2029 arrives.

For site owners evaluating hosting plans, SSL certificate validity management should now sit on the checklist alongside uptime guarantees and storage specs. MonsterMegs includes automated SSL renewal across all hosting plans, so the 200-day limit – and every tighter phase that follows – is handled without any manual action required. If your current host requires manual certificate renewal, the new timeline is a clear signal to reassess before the 100-day window arrives in March 2027. Our recent coverage of account security improvements covers related changes in how SSL is managed at the infrastructure level.

How the CA Browser Forum Ballot Passed

The CA/Browser Forum is an industry consortium of Certificate Authorities and browser vendors whose Baseline Requirements carry binding weight across the web. A CA that fails to comply risks having its root certificate distrusted by browsers – which effectively removes it from the internet. Ballot SC-081 passed because every major browser backed the SSL certificate validity reduction. Apple, Google Chrome, Mozilla, and Microsoft all voted yes. No browser cast a dissenting vote. The unanimous browser support made the outcome inevitable regardless of CA sentiment.

The underlying security case is strong. Shorter SSL certificate validity limits the exposure window when a private key is compromised. With a 47-day certificate, an attacker who somehow obtains a key has less than seven weeks before the certificate expires naturally. With a 398-day certificate, that same exposure window stretches to over a year. The forum's position is that the security benefit outweighs the operational inconvenience – especially given that ACME-based automation tools already exist to handle rapid renewal cycles without adding human workload.

There is also a domain ownership integrity angle. Tightening the Domain Control Validation reuse period means a certificate can only be issued against ownership data that was recently verified, reducing the risk that a change in domain control goes undetected between renewals. Both mechanisms – shorter lifetimes and faster re-validation – reinforce each other.

What the 2026 Deadline Revealed About Readiness

The March 2026 transition exposed a readiness gap across the hosting industry. Providers that had already invested in ACME infrastructure handled the shift without disruption. For platforms running large numbers of customer domains, the ability to rotate certificates on a sub-200-day cycle without manual involvement is now a core infrastructure requirement, not a product differentiator. The SSL certificate validity deadline did not introduce new technology – it exposed which providers had built on it and which had not.

Smaller providers without automated tooling faced a harder picture. Any customer on a manually managed plan who missed a renewal within the new window risked hitting a browser certificate warning. Given that HTTPS has been a Google ranking signal since 2014, an expired certificate does not just affect visitor trust – it affects search visibility. The SSL certificate validity window is now short enough that a single missed renewal email carries real SEO consequences alongside the obvious security risk.

Developers managing their own server stacks are also feeling the pressure. Tools like Certbot, which interfaces with Let's Encrypt via ACME, handle automated renewal at any interval – but only if the server environment is correctly configured and the renewal cron job is working reliably. A silently failing cron job on a 398-day cert gave nearly 13 months of margin for recovery. On a 47-day cert, the same silent failure means a site goes dark in under seven weeks with no warning until visitors hit the browser error screen.

What Website Owners Should Do Right Now

The immediate priority is confirming that certificate renewal on your site is fully automated. Log into your hosting control panel and check whether SSL is set to auto-renew. If your host relies on a manual process, start the migration conversation now – before the 100-day SSL certificate validity window arrives in March 2027. Switching to a host with ACME-integrated certificate management is the cleanest long-term fix.

For developers managing certificates outside a managed hosting environment, verify that your ACME client – whether Certbot, acme.sh, or a hosting provider's native tool – is configured with a renewal threshold well inside the current validity window. A 30-day pre-expiry trigger works well today, but tighten that to 10-15 days before 47-day certs arrive in 2029. Set up a monitoring alert around certificate expiry so a failed renewal does not go unnoticed until a visitor hits the warning page.
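An expiry monitor along the lines described above and in the earlier paragraph on silently failing cron jobs, as an added example that is not code from the original article or from any ACME client. It raises an alert as soon as a certificate is still in service past its renewal trigger, rather than waiting for expiry, and checks the certificate's lifetime against the cap schedule quoted in this article; the function names, the `grace_days` parameter and the sample certificate are assumptions constructed for illustration.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
# Lifetime caps by issuance date, as given in the article (newest first).
# Treating each date itself as the first day of the new cap is an assumption.
CAPS = [(datetime(2029, 3, 15, tzinfo=UTC), 47),
        (datetime(2027, 3, 15, tzinfo=UTC), 100),
        (datetime(2026, 3, 15, tzinfo=UTC), 200)]
LEGACY_CAP_DAYS = 398

def cap_for(issued):
    """Maximum lifetime in days for a certificate issued at `issued`."""
    return next((days for start, days in CAPS if issued >= start), LEGACY_CAP_DAYS)

def parse_time(text):
    """Parse the notBefore/notAfter strings returned by getpeercert()."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), tz=UTC)

def fetch_cert(host, port=443, timeout=5.0):
    """Fetch the validated leaf certificate of a live host (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def assess(cert, now, renew_before_days=30, grace_days=3):
    """Flag a renewal that should already have happened, not just expiry."""
    not_before, not_after = parse_time(cert["notBefore"]), parse_time(cert["notAfter"])
    remaining = (not_after - now).days
    if now >= not_after:
        status = "EXPIRED"
    elif remaining < renew_before_days - grace_days:
        # The ACME client should have replaced this certificate by now.
        status = "RENEWAL_OVERDUE"
    else:
        status = "OK"
    cap = cap_for(not_before)
    return {"status": status, "remaining_days": remaining, "cap_days": cap,
            "over_cap": not_after - not_before > timedelta(days=cap)}

# Constructed sample in getpeercert() format: a 199-day certificate.
SAMPLE = {"notBefore": "Apr  1 00:00:00 2026 GMT", "notAfter": "Oct 17 00:00:00 2026 GMT"}

if __name__ == "__main__":
    for day in (datetime(2026, 8, 1, tzinfo=UTC), datetime(2026, 9, 25, tzinfo=UTC)):
        print(day.date(), assess(SAMPLE, day))
```

Against a live host, call `assess(fetch_cert("example.com"), datetime.now(timezone.utc))`; because `fetch_cert` validates the chain, an already expired certificate raises `ssl.SSLCertVerificationError`, which the caller should treat as an alert in its own right.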

Also review whether your setup uses wildcard or multi-domain certificates across multiple subdomains. Each is subject to the same SSL certificate validity limits and must be renewed on the same shortened schedule. If you are managing them manually across multiple servers, the operational case for consolidating under a managed certificate provider grows stronger with every phase of this timeline. The 2029 deadline may feel distant today, but organisations that delay adapting often find the transition more disruptive when it arrives.

The Bottom Line

The CA/Browser Forum's SSL certificate validity cuts are not a proposal – phase one is already live, and phases two and three are locked to published dates. The 200-day limit is in force now. The 100-day limit arrives March 2027. The 47-day limit lands March 2029. Sites that treat certificate management as a once-a-year task are already behind, and the window to adapt before things break is narrower with each passing renewal cycle.

The practical response is straightforward: confirm your SSL renewal is automated, verify your hosting provider handles the full certificate lifecycle without requiring manual steps, and treat expiry monitoring as a standing operational task rather than something you check after a problem surfaces. Shorter SSL certificate validity is the new industry baseline – the browsers have voted, the CAs are enforcing it, and there is no rollback.

If you want certificates that renew automatically without manual intervention, MonsterMegs SSL hosting plans handle the full certificate lifecycle across all accounts – so you stay protected through every phase of the timeline ahead.
