Keeping an eye on the TLS clock: Key certificate lifecycle dates you need to know
The shift to 6-month (199-day) SSL/TLS certificate validity starting March 15, 2026 marks the beginning of a rapid acceleration toward shorter lifecycles, ultimately reaching 46 days by 2029. As renewal volumes multiply, manual processes will fail under pressure, exposing gaps in visibility, ownership, and automation. Organizations must adopt certificate lifecycle management (CLM) to automate discovery, issuance, and renewal at scale, ensuring resilience, preventing outages, and preparing for a future shaped by continuous certificate operations and post-quantum demands.
Why your team needs to prepare today
Certificate replacement at scale is no longer a "post-quantum someday" scenario. As the industry shifts from annual renewals to cycles measured in months, then weeks, every organization will be pushed toward more frequent issuance, validation, and deployment. That means the ability to replace certificates en masse (quickly, safely, and without outages) becomes a baseline requirement.
Shorter lifespans compress everything: inventory accuracy, approvals, domain control validation (DCV), change windows, and deployment workflows. When lifetimes drop to 199 days, then 99 days, and then 46 days, renewal volume effectively doubles (2x), then doubles again (4x), then triples (12x). Any gaps in discovery, ownership, or process automation show up immediately as failed renewals, expired endpoints, and emergency work.
Certificate lifecycle management (CLM) solves the "mass replacement" problem by turning certificate work into a controlled, repeatable system. With CLM in place, teams can continuously discover certificates, standardize policies, automate issuance/renewal, orchestrate deployments, and prove compliance, so when lifespans shorten further (or when an urgent rekey/algorithm change is required), you can rotate certificates across environments in hours or days instead of scrambling for weeks.
Below is a timeline of the most important dates you need to have on your radar, why they matter, and what kind of impact to expect.
2026: The end of the one-year certificate era
March 12, 2026: The Sectigo cut-off
March 12 marks the final day Sectigo will issue public TLS certificates. The date was intentionally chosen to land on a weekday, giving organizations a small buffer before the broader industry changes take effect.
On this day:
- Sectigo stops issuing 1-year/398-day public TLS certificates
- DCV reuse is reduced from one year to 198 days
March 14, 2026: The last day of “Business as Usual” for the entire industry
This is the final day any certificate authority can operate with the 398-day/1-year certificate lifespan model.
On this day:
- Last day any CA can issue a 398-day certificate
- Last day to reuse DCV for more than 198 days
- Last day to reuse OV for more than 366 days
If you need one last long-lived certificate or extended validation reuse, this is your deadline.
March 15, 2026: Policy change goes live
March 15 is when the new rules officially take effect.
On this day:
- Maximum TLS certificate lifetime drops to 199 days
- Maximum DCV reuse drops to 199 days
- OV reuse is capped at 366 days
Our experts expect a major DCV revalidation spike. This is the first moment when automation gaps start to hurt. Teams still relying on manual DCV or infrequent renewal workflows will feel it quickly.
September 30, 2026: The “Day of Reckoning”
Six months later, reality will set in. The first 199-day certificates begin expiring, and we will start to see the effects of these shorter certificate lifespans in real-time for any unprepared businesses.
On this day:
- Renewal volume effectively doubles
This becomes the first major operational stress test of the new lifecycle. If you weren't prepared before, you'll definitely notice now.
2027: Acceleration and the Final Death of One-Year Certs
March 14, 2027: The last 199-day certificates
On this day:
- This is the final day a CA can:
- Issue a 199-day certificate
- Reuse DCV for more than 99 days
This day also marks the beginning of the final expiration window for legacy one-year certificates.
March 15, 2027: Welcome to 99-day certificates
One year after 199-day certificate lifespans are implemented, we see another drop as mandated by the CA/Browser Forum.
On this day:
- Maximum certificate lifetime drops to 99 days
- DCV reuse drops to 99 days
Another (smaller) DCV revalidation spike is expected. At this point, quarterly certificate operations become mandatory rather than optional.
April 16, 2027: One-year certificates are fully gone
This is the last possible day a grandfathered 398-day certificate can still be active. After April 16:
- One-year public TLS certificates no longer exist anywhere on the internet
June 27, 2027: The 99-day expiration wave
The first 99-day certificates (issued March 15) begin expiring, and renewal volume doubles again. By mid-2027, renewal traffic is already several times higher than what most organizations experience today.
September 29, 2027: The end of 6-month certificates
At the end of September, we will see the same repercussions we say with 199-day certificates. Expirations everywhere for those who are not automated.
On this day:
- Last possible day a 199-day certificate can exist
- Six-month TLS certificates fully disappear
From here on out, everything is three months or less.
2029: Certificates Become a Monthly Event
March 14, 2029: The final 99-day certificates
March 14 is the final day of multi-month certificates. This is the last day a CA can:
- Issue a 99-day certificate
- Reuse DCV for more than roughly 8 days
This is also the point where DCV cadence shifts from quarterly… to weekly.
March 15, 2029: The 46-day world
On this day:
- Maximum certificate lifetime drops to 46 days
- Monthly certificate renewal becomes the norm
- DCV reuse is effectively weekly
Any remaining manual process at this stage will be a breaking point.
April 30, 2029: Renewal load explodes
At this point, certificates are no longer a background task, they're a constant operational motion.
On this day:
- The first 46-day certificates begin expiring
- Renewal workload reaches roughly 12× today's levels
2030 and beyond: Short lifespans, quantum pressure, and what comes next
By 2030, the industry will be operating on hyper-short certificate lifecycles by default. Not only is this promoting security hygiene, it’s also promoting resilience in a world that’s changing faster than cryptography historically has.
Quantum computing looms large here. While practical, large-scale quantum attacks against public-key cryptography may still be years away, the response timeline matters. Shorter certificate lifetimes dramatically reduce the blast radius of cryptographic breakthroughs, compromised keys, or emergency algorithm transitions.
In a post-quantum future:
- Certificates may need to be replaced en masse on very short notice
- Crypto-agility is only achievable through automation
- Weekly or even on-demand issuance may become normal
The work being forced on organizations now (automation, inventory visibility, DCV efficiency, and renewal orchestration) is laying the groundwork for that future.
So what do I need to do today?
Certificate lifespans are fundamentally changing how teams operate. What used to be an annual or quarterly task is becoming a continuous system that needs to scale, recover quickly, and adapt fast.
The above dates are just as much milestones in the industry as they are warning signals of the changes to come.
The path forward is simple. If you haven't already:
- Automate issuance and renewal end-to-end
- Eliminate manual DCV wherever possible
- Treat certificates as infrastructure, not paperwork
The clock is ticking, and it's only going to move faster from here.