2026 updates that affect certificate issuance, validation, and renewals
Industry standards are moving to shorter certificate terms and more frequent validation. This hub is the single place to track what’s changing in 2026, key milestones, and what to do to avoid issuance disruptions.
What's driving these changes
Across the industry, standards bodies and browser vendors are responding to:
• Increasing automation and scale of certificate issuance
• Greater reliance on certificates for identity, access, and software trust
• The risk posed by long-lived validations and credentials
• The need for stronger, verifiable domain and organizational controls
The result is a shift toward:
• Shorter certificate term
• More frequent validation
• Stronger, auditable verification
• Automation-first operational models
Overview of key compliance changes
Multi-year TLS subscriptions still work the same
Essentially you can still purchase a 1-5 year TLS subscription.
Your subscription has an end date, and you need to re-issue certificates as needed up to that date.
What's changing is ithe issued certificate term. After March 12, 2026, each issued certificate is valid for up to 199 days, so what is changing is that you'll be required to re-issue those certificates within your subscription more frequently.
The updates
What's changing
Beginning March 12, 2026, Domain Control Validation reuse will be limited to approximately 6 months (198 days).
DCV records older than this limit must be revalidated before certificate issuance
Applies to both existing and newly created DCV records
Although the Certification Authority Browser Forum (CA/Browser Forum) has set this mandate for March 15, 2026, Sectigo’s operational enforcement begins March 12, 2026
Why this change is happening
DCV confirms that a requester controls a domain. Historically, DCV could be reused for longer periods, which increased risk if domain ownership or control changed over time.
Reducing DCV reuse:
- Limits the impact of stale validations
- Reduces attack windows by limiting how long a “one-time” validation could be reused and therefore, reducing the chance of ongoing misuse
- Improves overall trust in the certificate ecosystem
What customers should know
- Existing certificates remain valid until expiration
- No new certificate may be issued after March 12th relying on the DCV that was completed more than 198 days ago
- Validation will need to happen more frequently going forward
The updates
What's changing
Beginning March 12, 2026, Domain Control Validation reuse will be limited to approximately 6 months (198 days).
DCV records older than this limit must be revalidated before certificate issuance
Applies to both existing and newly created DCV records
Although the Certification Authority Browser Forum (CA/Browser Forum) has set this mandate for March 15, 2026, Sectigo’s operational enforcement begins March 12, 2026
Why this change is happening
DCV confirms that a requester controls a domain. Historically, DCV could be reused for longer periods, which increased risk if domain ownership or control changed over time.
Reducing DCV reuse:
- Limits the impact of stale validations
- Reduces attack windows by limiting how long a “one-time” validation could be reused and therefore, reducing the chance of ongoing misuse
- Improves overall trust in the certificate ecosystem
What customers should know
- Existing certificates remain valid until expiration
- No new certificate may be issued after March 12th relying on the DCV that was completed more than 198 days ago
- Validation will need to happen more frequently going forward
What's changing
Public TLS/SSL certificates are moving toward progressively shorter maximum term, beginning with a 6-month (199-day) limit starting March 12, 2026 and decreasing further in future phases.
Why this change is happening
Shorter certificate terms:
- Reduce exposure from compromised keys
- Limit the impact of mis-issuance
- Encourage automation and rapid remediation
- Enhance crypto agility
What customers should know
- Manual certificate management becomes increasingly difficult
- Automation is no longer optional at scale
- Renewal frequency will continue to increase over time
What's changing
Starting February 15, 2026, Sectigo will stop accepting new orders for multi-year Code Signing certificates and new orders are subject to:
- Shorter validity periods – 15 months (459 days)
- More frequent identity revalidation
These changes are being phased in to improve software supply chain security.
Why this change is happening
Code signing certificates are used to establish trust in software, applications, and updates. Long-lived credentials increase the risk of:
- Malware signing
- Credential abuse
- Undetected compromise
Shorter lifetimes reduce these risks.
What customers should know
- Software publishers should prepare for more frequent certificate renewals
- Signing workflows should be evaluated for automation readiness
- Planning early helps avoid CI/CD disruption
- March 15, 2026 is the industry effective date the Certification Authority Browser Forum (CA/Browser) has set. To help avoid last-minute issuance delays, Sectigo will begin applying the new term limits in our systems on March 12, 2026, meaning DCV older than the allowed window will require revalidation for new issuance or reissuance.
What's changing
Domain Name System Security Extensions (DNSSEC) is increasingly relied upon as a secure foundation for domain validation and certificate authority authorization (CAA).
It enables CAs to verify DNS responses using DNSSEC signatures, rather than relying on unsigned DNS data.
Sectigo plans to begin validating Domain Name System Security Extensions (DNSSEC) responses during Domain Control Validation (DCV) and CAA checks starting March 11, 2026.
Why this matters
DNSSEC:
- Protects against DNS tampering
- Strengthens domain ownership verification and CAA lookups
- Improves trust in automated validation workflows
What customers should know
- DCV and CAA checks start on March 11, 2026
- DNSSEC remains optional, but if enabled, CAs must soon validate it and stop issuance if validation fails
- This affects both DCV and CAA, so a CAA lookup that returns a SERVFAIL error, for instance, will likely result in issuance delays
- DNSSEC improves security but it requires careful management, especially as issuance automation becomes more widespread
How Sectigo helps customers stay ahead
Sectigo’s platform and services are designed for continuous compliance. Not one-off changes.
Key principles:
- Early adoption of standards
- Automation-first design
- Clear visibility into validation and lifecycle status
- Continuous alignment with browser and industry requirements
As standards continue to evolve, Sectigo customers benefit from a platform built to adapt.
What you should do now
The most important thing is to assess your needs and start planning by leveraging automation.
We recommend:
Identify how you are currently managing your certificate inventory. If you rely on manual renewals, plan for more frequent certificate replacement in 2026.
Remain vigilant on the ever-evolving mandates and changes. While reselling partners, must keep their customers educated.
- TLS certificates can still be purchased in multi-year products, but issuance is up to 199 days per certificate.
- DCV reuse is up to 198 days, older validations must be redone.
- Sectigo-provisioned Code Signing certificates can only be purchased as a 1-year product after February 15th.
- Ensure DNSSEC signing is correctly configured (if enabled), as CAs will no longer be permitted to proceed when DNSSEC validation fails.
With certificate durations shrinking, automation becomes essential to reduce operational overhead and outage risk.