Knowledge Base

Understanding TLS Certificate Lifespan Reductions and Their Impact on Re‑Issuance Cycles for Partner customers and Retail Customers

Updated on May 29, 2026

Understanding TLS Certificate Lifespan Reductions and Their Impact on Re‑Issuance Cycles for Partner customers and Retail Customers

1. Overview

The CA/Browser Forum is shortening TLS certificate validity and DCV reuse period to a maximum of approximately 6 months per issued certificate.

Sectigo will enforce this on March 12, 2026. This change will necessitate more frequent certificate reissuance within a purchased term and more regular repetition of Domain Control Validation. These updates are mandated across the industry and will affect all certificate issuance channels, including Partners, Retail customers, and EPKI customers

2. What is Changing?

Starting March 12, 2026,

All (re-)issued TLS certificates will be valid for no longer than 199 days.

No certificate may be issued on the basis of a DCV record older than approximately six months (in scenarios where reuse is permitted; no changes apply to these conditions). If the existing DCV record falls outside the allowable reuse window, the domain must be revalidated prior to issuance or reissuance

Why It Matters

More frequent reissuance: Customers will need to obtain and install certificates more often to maintain continuity and avoid outages.

More frequent validation: With shorter certificate validity and DCV reuse limits, customers will encounter DCV requirements more often and should plan validation timing to prevent delays.

Increased operational load: More frequent validation and certificate renewal may result in a significant increase in operational workload if appropriate automation measures are not employed.

Future Planned Reductions

The industry has signaled continued movement toward shorter certificate and validation lifecycles beyond 2026. Sectigo will keep the latest phased timelines updated in the

Compliance Update Hub.

Existing certificates remain valid until they expire or until they are revoked.

3. Impact on Partners & Customers

3.1 Traditional Partner Channels

Channels:

Web Host Reseller

Reseller

The 1–5-year TLS subscriptions remain available, but each issued certificate is valid for up to 6 months (199 days). This means 1-year products will now require reissuance during the year, like multi-year terms, so customers can obtain additional certificates for the remaining time in their purchased term (example: 30 days remaining equates to a 30-day certificate).

3.2 Retail Customers and E-PKI customers
The most important operational changes to plan for are shorter TLS certificate duration

TLS certificate validity will no longer exceed 199 days, even though product terms available for purchase remain unchanged (1–5 years remain available).

For E-PKI customers:
Because Identity Authorities rely on DCV, their validity will align to the underlying DCV record. As a result, Identity Authorities may need to be renewed more frequently to avoid disruption.

4. Reissuing Certificates Under the New Rules

4.1 API‑Connected Partners

Sectigo API (Web Host Reseller, Reseller):
Uses AutoReplaceSSL API call; supports DCV via CNAME, DNS TXT, HTTP/HTTPS, or email.

Xolphin API:
Reissue via standard reissue call; supports CNAME, HTTP/HTTPS, or email.

SSL247 API:
Reissue via reissue call; supports CNAME, HTTP/HTTPS, or email.

4.2 Portal‑Only Users and Retail Customers

Partners without API integration (Sectigo Reseller Portal, EPKI) perform reissues manually by:

Navigating to the order

Selecting Reissue

Submitting a CSR

Supported DCV methods: CNAME, DNS TXT, HTTP/HTTPS, or email.

Click here for full instructions: How to Reissue or Replace SSL Certificates? | Sectigo® Official

4.3 Migration Option

EPKI users may migrate to SCM (Sectigo Certificate Manager) to benefit from automated lifecycle management.

Retail customers can opt for SCM pro.
For further details on SCM, click on the below link:
https://www.sectigo.com/resource-library/sectigo-certificate-manager-product-brochure

5. Recommended Partner Actions

5.1 Immediate Actions

Update workflows and messaging: adjust any internal/external documentation, onboarding, and renewal reminders that assume annual certificate validity or longer DCV reuse.

Confirm that ACME/automation workflows are ready for more frequent issuance and DCV checks.

If you are a Partner, alert your customer-facing teams: prepare for increased reissuance cadence and common questions

5.2 Automation Encouraged

Prioritize automation: As certificate validity continues to shrink (with a further reduction to 47 days planned for 2029), automation becomes essential to reduce manual work and mitigate outage risks. Sectigo’s Certificate as a Service (CaaS) supports automated lifecycle management and reduces operational overhead.

6. Support and Resources

Sectigo offers support for planning transitions. Partners and customers may:

Open a support ticket for further assistance

Your partner account manager (if applicable)

7. Summary

TLS certificate duration, as well as DCV reuse (where permitted), will be limited to six months to align with global industry requirements. All partners, resellers, and customers must ensure their workflows, alerts, and automation processes are updated before March 12, 2026. This update affects reissues, lifecycle automation, API usage, and domain validation practices across all channels.

Related Articles: https://www.sectigo.com/knowledge-base/detail/impact-of-shorter-certificate-lifespans-on-DCV-reuse-and-SCM-domain-pre-validation