Understanding TLS Certificate Lifespan Reductions and Their Impact on Re‑Issuance Cycles for Partner customers and Retail Customers
1. Overview
The CA/Browser Forum is shortening TLS certificate validity and the Domain Control Validation (DCV) reuse period to a maximum of approximately 6 months per issued certificate.
Sectigo will enforce this on March 12, 2026. This change will necessitate more frequent certificate reissuance within a purchased term and more regular repetition of Domain Control Validation. These updates are mandated across the industry and will affect all certificate issuance channels, including Partners, Retail customers, and EPKI customers.
2. What is Changing?
Starting March 12, 2026:
- All (re-)issued TLS certificates will be valid for no longer than 199 days.
- No certificate may be issued on the basis of a DCV record older than approximately six months (in scenarios where reuse is permitted; no changes apply to these conditions). If the existing DCV record falls outside the allowable reuse window, the domain must be revalidated prior to issuance or reissuance.
Why It Matters
- More frequent reissuance: Customers will need to obtain and install certificates more often to maintain continuity and avoid outages.
- More frequent validation: With shorter certificate validity and DCV reuse limits, customers will encounter DCV requirements more often and should plan validation timing to prevent delays.
- Increased operational load: More frequent validation and certificate renewal may result in a significant increase in operational workload if appropriate automation measures are not employed.
Future Planned Reductions
The industry has signaled continued movement toward shorter certificate and validation lifecycles beyond 2026. Sectigo will keep the latest phased timelines updated in the
Existing certificates remain valid until they expire or until they are revoked.
3. Impact on Partners & Customers
3.1 Traditional Partner Channels
Channels:
- Web Host Reseller
- Reseller
The 1–5-year TLS subscriptions remain available, but each issued certificate is valid for up to 6 months (199 days). This means 1-year products will now require reissuance during the year, like multi-year terms, so customers can obtain additional certificates for the remaining time in their purchased term (example: 30 days remaining equates to a 30-day certificate).
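A sketch of how the 199-day cap and the DCV reuse window play out across a purchased term, added here as an example (not Sectigo code or a Sectigo API). The function name `plan_reissuance`, the 30-day reissue lead time and the 199-day value used for the "approximately six months" DCV window are assumptions.

```python
from datetime import date, timedelta

MAX_CERT_DAYS = 199   # from the article: cap on any (re-)issued certificate
DCV_REUSE_DAYS = 199  # ASSUMPTION: the article only says "approximately six months"
LEAD_DAYS = 30        # ASSUMPTION: reissue this many days before expiry


def plan_reissuance(term_start, term_days, last_dcv, lead_days=LEAD_DAYS):
    """Plan the certificates needed to cover one purchased term.

    Hypothetical helper: each certificate is capped at MAX_CERT_DAYS or the
    days left in the term, whichever is smaller, and its replacement is
    requested lead_days before it expires.
    """
    if not 0 <= lead_days < MAX_CERT_DAYS:
        raise ValueError("lead_days must be shorter than the certificate lifetime")
    term_end = term_start + timedelta(days=term_days)
    plan, issue_on = [], term_start
    while issue_on < term_end:
        valid_days = min(MAX_CERT_DAYS, (term_end - issue_on).days)
        # A DCV record outside the reuse window forces revalidation first.
        revalidate = (issue_on - last_dcv).days > DCV_REUSE_DAYS
        if revalidate:
            last_dcv = issue_on
        expires = issue_on + timedelta(days=valid_days)
        plan.append({"issue_on": issue_on, "valid_days": valid_days,
                     "expires": expires, "revalidate_dcv": revalidate})
        if expires >= term_end:
            break
        issue_on = expires - timedelta(days=lead_days)
    return plan


if __name__ == "__main__":
    # Constructed sample: a 1-year term bought on the enforcement date,
    # with the domain last validated on 2026-01-15.
    for cert in plan_reissuance(date(2026, 3, 12), 365, date(2026, 1, 15)):
        flag = "revalidate DCV first" if cert["revalidate_dcv"] else "DCV reusable"
        print(cert["issue_on"], f"{cert['valid_days']:>3} days",
              "expires", cert["expires"], "-", flag)
```

With these assumptions a 1-year term needs two certificates, and the second issuance falls outside the DCV reuse window, so validation has to be scheduled ahead of it.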
3.2 Retail Customers and E-PKI customers
The most important operational change to plan for is the shorter TLS certificate duration.
TLS certificate validity will no longer exceed 199 days, even though product terms available for purchase remain unchanged (1–5 years remain available).
For E-PKI customers:
Because Identity Authorities rely on DCV, their validity will align to the underlying DCV record. As a result, Identity Authorities may need to be renewed more frequently to avoid disruption.
4. Reissuing Certificates Under the New Rules
4.1 API‑Connected Partners
- Sectigo API (Web Host Reseller, Reseller): Uses AutoReplaceSSL API call; supports DCV via CNAME, DNS TXT, HTTP/HTTPS, or email.
- Xolphin API: Reissue via standard reissue call; supports CNAME, HTTP/HTTPS, or email.
- SSL247 API: Reissue via reissue call; supports CNAME, HTTP/HTTPS, or email.
4.2 Portal‑Only Users and Retail Customers
Partners without API integration (Sectigo Reseller Portal, EPKI) perform reissues manually by:
- Navigating to the order
- Selecting Reissue
- Submitting a CSR
- Supported DCV methods: CNAME, DNS TXT, HTTP/HTTPS, or email.
- For full instructions, see: How to Reissue or Replace SSL Certificates? | Sectigo® Official
4.3 Migration Option
- EPKI users may migrate to SCM (Sectigo Certificate Manager) to benefit from automated lifecycle management.
- Retail customers can opt for SCM pro.
For further details on SCM, see the link below:
https://www.sectigo.com/resource-library/sectigo-certificate-manager-product-brochure
5. Recommended Partner Actions
5.1 Immediate Actions
- Update workflows and messaging: adjust any internal/external documentation, onboarding, and renewal reminders that assume annual certificate validity or longer DCV reuse.
- Confirm that ACME/automation workflows are ready for more frequent issuance and DCV checks.
- If you are a Partner, alert your customer-facing teams: prepare for increased reissuance cadence and common questions.
5.2 Automation Encouraged
Prioritize automation: As certificate validity continues to shrink (with a further reduction to 47 days planned for 2029), automation becomes essential to reduce manual work and mitigate outage risks. Sectigo’s Certificate as a Service (CaaS) supports automated lifecycle management and reduces operational overhead.
6. Support and Resources
Sectigo offers support for planning transitions. Partners and customers may:
- Your partner account manager (if applicable)
7. Summary
TLS certificate duration, as well as DCV reuse (where permitted), will be limited to six months to align with global industry requirements. All partners, resellers, and customers must ensure their workflows, alerts, and automation processes are updated before March 12, 2026. This update affects reissues, lifecycle automation, API usage, and domain validation practices across all channels.