Free Trial
Contact Us
Sectigo Blog

Understanding the Risk Scale: 6-month SSL/TLS Validity Starts March 15, 2026

RSS Feed

The reduction of public SSL/TLS certificate validity to 200 days (199-day renewals) starting March 15, 2026 marks the first major step toward much shorter lifespans. This shift will dramatically increase renewal frequency and expose the limits of manual certificate management. Organizations that lack automation risk outages, compliance failures, and rising operational costs as the industry moves toward 100-day and ultimately 47-day certificates. Adopting automated certificate lifecycle management (CLM) now is critical to maintaining visibility, scalability, and digital trust resilience.

Jason Soroko
By Jason Soroko, Fellow
February 19, 20267 min read

Table of Contents

Digital certificate lifespans are shrinking and this is no longer a distant threat. The first big shift arrives on March 15, 2026, when public SSL/TLS certificate validity periods will be reduced to just 200 days. This represents a steep drop from the previous 398-day validity period. These limits apply to newly issued certificates under the enforcement schedule.

This shift will accelerate renewal cycles and further complicate manual certificate management. As certificate lifespans shorten, renewal workloads essentially double as the new limits take effect, and organizations that lack automated solutions will struggle to keep up. Without changes to how certificates are managed, the risk of missed renewals and certificate expiration rises, which can lead to compliance failures and loss of customer trust.

These challenges intensify as the industry approaches the next milestone of 100-day validity periods in 2027, with further reductions ultimately reaching a 47-day maximum. Actions taken today can alleviate certificate management challenges as certificate lifespans continue to shrink. The most urgent and impactful measure to address growing risks? Adopting automated certificate lifecycle management (CLM).

What's changing and why

In April, 2025, the Certification Authority Browser Forum (CA/Browser Forum) approved Ballot SC-081v3. This proposal established a detailed schedule for reducing public SSL certificate validity periods. Encompassing phased certificate lifespan reductions, this measure followed a motion proposed by Apple and endorsed by major browser vendors and certificate authorities (CAs), including Google/Chrome, Mozilla, and Sectigo.

This shift reflects the growing recognition that extended certificate lifespans introduce elevated security risks. Longer lifespans increase risk exposure by extending vulnerability windows.These concerns are further compounded by the impending shift to post-quantum cryptography, which will require greater cryptographic agility across certificate environments. Shorter lifespans force organizations to shift from manual certificate management to automated solutions that enable quick key rotations and algorithm updates. 

The upcoming SSL certificate validity timeline

The shift from 398-day lifespans to 47-day certificate renewals will not occur all at once. Instead, a phased rollout has been established, allowing organizations to adapt gradually as new phases introduce shorter validity periods.

Enforcement dates established by Ballot SC-081v3 include:

  • March 15, 2026 - 200-day maximum validity period: This represents the first major adjustment, cutting certificate lifespans in half. Renewals will now be required every 199 days, which we suggest you think of as 6 month certificates which would pragmatically mean renewing at the 180 day mark, allowing for recovery time. At this point, enterprises that fail to implement automation will begin to feel the pressure. This phase still functions as a transition window, however, providing just enough time to improve certificate visibility and workflows before the next big shift arrives.
  • March 15, 2027 - 100-day maximum validity periods: With lifespans once again cut in half, manual certificate management will become unsustainable. Enterprises that failed to respond to the initial phase-down will likely face renewal backlogs and service reductions at this point. There will still be time to transition to automated certificate management and streamlined renewals, but delayed adoption will leave little room for error, making this transition feel operationally urgent or even rushed.
  • March 15, 2029 - 47-day maximum validity periods: The big deadline arrives in 2029, when certificates with a maximum validity of 47 days take effect. Ideally, enterprises will be well-prepared, having already seamlessly adjusted to 200 and then 100-day lifespans. Supported by certificate authorities and centralized, automated certificate management, fully-prepared organizations can expect a seamless transition. Those that continue to rely on manual processes will face relentless operational pressure, inevitable human error, and urgent security threats.

With each new phase comes an increase in renewal frequencies. This reduces the margin for delay, rendering manual oversight less effective as we reach new stages in this rollout. 

How does risk increase as validity shrinks?

Shorter certificate lifespans do not inherently create risk; unprepared systems and manual processes do.

As validity periods shrink, enterprises that rely on manual certificate management, fragmented workflows, or aging PKI processes will face heightened risks. Previously predictable renewal rhythms will progressively tighten. These shifts prompt increased operational pressure and could further expose existing security or compliance weaknesses. Relevant concerns include:

  • Renewal volume: Certificate volumes are already rising due to expanding endpoints, machine identities, and the adoption of Zero Trust architectures. Shorter lifespans exacerbate these challenges by prompting frequent certificate renewals.
  • Operational pressure: Manual certificate processes cannot properly scale alongside shorter certificate renewal periods. Each new phase in the incremental validity period reduction adds to the already significant operational load, further increasing IT overhead.
  • Business impact: With IT teams stretched thin, monitoring becomes haphazard and renewals begin to slip. This leads to outages, causing not only service disruptions, but also compliance failures: In the long term, this can damage customer trust. 

Operational and cost implications

Manual certificate management is costly and time consuming. Beyond day-to-day labor, it increases the likelihood of outages due to human error and the need for emergency remediation, driving unplanned work, incident response, and service recovery efforts.

It’s not only certificate validity that shrinks. Domain Control Validation (DCV) reuse periods also compress, ultimately down to 10 days, which can become a hidden bottleneck for high-frequency issuance.

Analysis of the Total Cost of Ownership (TCO) for automated CLM consistently shows that, across purchase, maintenance, and labor, automation introduces significant cost savings. These savings scale with factors such as higher certificate volume and shortening validity periods.

As SSL/TLS lifespans shrink, the ROI of CLM automation will increase, turning a strategic advantage into an operational necessity. Shorter lifespans will amplify existing inefficiencies. What seemed possible at 398 days or even 200 days will present significant challenges at 100 days and will become unsustainable at 47 days

What do organizations need to do before March 15?

It's not too late to prepare for the first major shift on the path to shorter lifespans. A few proactive measures can improve readiness while setting the stage for further adjustments as we shift our focus to the 100-day milestone.

  1. Begin by prioritizing certificate discovery. This means inventorying all digital certificates to confirm ownership, usage, and expiration dates. While the validity reductions apply to publicly trusted SSL/TLS certificates, visibility across all digital certificates provides clearer ownership, stronger governance, and earlier identification of renewal risk.
  2. Visibility also encompasses current certificate lifecycle processes. Map these out to determine where manual processes still exist and how they can be updated. Begin to evaluate automation opportunities, exploring, for example, how issuance and renewals can be streamlined via protocols such as the Automated Certificate Management Environment (ACME).
  3. Align security, IT, and DevOps ownership by establishing clear roles and determining where accountability lies. A lack of clear ownership could compromise policy enforcement or undermine integration with CI/CD pipelines.

With these key steps tackled, enterprises should be ready to integrate automated solutions before certificate validity periods compress. 

What does the data show about CLM automation?

Forrester Consulting conducted a Total Economic Impact™ (TEI) study on behalf of Sectigo, with findings revealing a 243 percent return on investment for organizations that automate certificate lifecycle management using the Sectigo Certificate Manager (SCM) platform.

This study demonstrates measurable value across the certificate ecosystem, including significant declines in operational risk and downtime. For example, reductions in provisioning labor amounted to $1.3 million over three years, while reductions in renewal expenses totaled $965,000 over three years. Although not quantified in financial terms, the study also identified meaningful reductions in security and outage risk.

200 days serves as an adjustment window for many

The impending shift to 200-day lifespans may function as an early warning, but it can also be framed as a powerful opportunity. This transitional period offers organizations the chance to validate automation strategies, refine workflows, and address gaps before the increased pressures of the 100 and 47-day phases arrive.

The first big milestone of 200-day certificate lifespans will test existing workflows while also providing tangible evidence of the need to adapt. Teams that prepare now will navigate future reductions with relative ease, supported by processes that can withstand tight renewal cycles. Delays, however, will increase pressure at every subsequent phase. Each step down in validity will increase operational strain, making outages more likely. 

Adapt to quicker certificate expiration cycles with SCM 

This shift moves certificate management from periodic renewal events to continuous, always-on operations. Addressing this change now helps to stay ahead of compounding risk. As validity periods compress, renewal frequency rises, leaving a limited margin for error. Moving forward, manual processes will be difficult to sustain. Look to automated solutions to streamline this shift and set the stage for easier adjustments as we approach the quantum era.

Organizations can navigate this transition with Sectigo Certificate Manager (SCM). By automating the entire digital certificate lifecycle from discovery and issuance to renewal, monitoring, and revocation, SCM provides centralized visibility and a unified platform to manage digital certificates efficiently at scale. Schedule a demo and discover the benefits of automated CLM.

Want to learn more? Get in touch to book a demo of Sectigo Certificate Manager!

Related posts:

What is the purpose of post-quantum cryptography?

Total cost of ownership for an SSL/TLS certificate manager platform

The benefits of automating certificate management for the 47-day lifecycle