Knowledge Base
What is the impact of shorter certificate lifespans on Domain Control Validation (DCV) reuse and Sectigo Certificate Manager (SCM) domain pre‑validation?
Overview
The CA/Browser Forum is shortening the DCV reuse window. After Sectigo enforces this, domain validations can only be reused for approximately six months (when reuse is applicable) impacting all certificate issuance channels including Partners, Retail customers, and EPKI customers.
To learn more, see the official Baseline Requirements posted on Cabforum.org and linked below:
https://cabforum.org/working-groups/server/baseline-requirements/documents/CA-Browser-Forum-TLS-BR-2.1.6.pdf
Who is impacted?
- SCM Enterprise customers using Domain pre‑validation
- Partner‑managed end customers performing DCV
- Retail SSL customers
If you are a partner or retail customer, you will find more detailed information about the impacts of certificate lifespan reduction in the following article.
Understanding TLS Certificate Lifespan Reductions and Their Impact on Re‑Issuance Cycles for Partner customers and Retail Customers | Sectigo® Official
If you are an Enterprise customer using Secitgo Certificate Manager (SCM), please continue reading to understand the impacts of certification lifespan reduction.
What is the impact to Enterprise SCM users?
This change directly impacts how long Domain Control Validation exists, and future DCV records remain valid for certificate issuance. Many DCV records currently visible in Sectigo Certificate Manager (SCM) will expire earlier than displayed and may require immediate revalidation to avoid issuance failures. Sectigo is actively updating SCM to reflect the correct expiration logic and will provide additional tooling and guidance as the transition approaches.
What Is Changing?
DCV Reuse Reduction
- Maximum DCV reuse is reduced to 198 days from the date of validation.
- All existing DCV records regardless of original validation date will be capped at 198 days.
- Any DCV record older than 198 days will no longer be eligible for certificate issuance or re-issuance.
Impact to SCM
- Current SCM expiration dates for domain pre‑validation may appear inaccurate until updates are completed.
- Some domains will expire earlier than indicated in the interface.
- Sectigo will synchronize SCM to reflect this and provide improved reporting on affected domains.
Why This Matters
Customers with large DCV inventories may encounter:
- Potential production impact on certificate issuance.
- Disruption to manual issuance workflows, automated pipelines, ACME, and integration‑based issuance.
- Increased operational overhead without early remediation
To avoid service impacts, domains validated before September 2025 should be reviewed and renewed proactively.
Note: Existing certificates remain valid until their natural expiration dates.
Sectigo Mitigation Actions
Sectigo is implementing the following measures:
Early Renewal Support
SCM already allows early DCV renewal to support ahead‑of‑deadline remediation.
SCM Enhancements
- Synchronization of displayed expiration dates with the mandated 199‑day window
- Evaluation of bulk update options
- Additional DCV reporting to identify at‑risk domains
- Release of updated communications, guidance, and documentation
Required Customer Actions
Customers should complete the following:
Review and Renew DCV Records
- Prioritize domains validated before September 2025
- Revalidate any domain approaching or exceeding 198 days of age
Validate Certificate Workflows
- Review automation, ACME, and any issuance systems that rely on pre‑validated domains
- Confirm issuance processes will not fail due to shortened DCV validity
Improve Monitoring
- Ensure DCV expiration alerting is enabled in SCM
- Verify notification recipients are up‑to‑date and monitored
Future Timeline for Certificate and DCV Validity
The industry has signaled continued movement toward shorter certificate and validation lifecycles beyond 2026. Sectigo will keep the latest phased timelines updated in the Compliance Update Hub. Bookmark this page and check back for compliance related updates.
Additional Guidance
How to create a report in SCM to filter DCV for revalidation process within days?
How to Identify Domains Requiring DCV Revalidation Using the SCM API?
Assistance and Support
- Identifying impacted DCV records
- Planning remediation
- Implementing persistent TXT records
- Preparing for 2026/2027/2029 lifecycle changes
Initiate communication by submitting a ticket to Sectigo Support . Customers enrolled in Premier Support should also contact their Technical Account Manager (TAM) for personalized guidance, domain impact assessment, and assistance planning for the 198-day DCV and certificate lifecycle changes. If you are not enrolled in Premier Support, you can still work directly with Sectigo Support to help identify affected domains and prepare for the shortened lifecycle requirements. If you would benefit from dedicated advisory support or want access to a Technical Account Manager, consider upgrading to Premier Support to receive enhanced, proactive, certificate lifecycle management assistance.
Sectigo will continue providing updates, tooling improvements, and educational resources as enforcement dates approach.
Frequently Asked Questions:
Q1: Can you please clarify how the 199-day term change will affect current certificate profiles and currently valid certificates?
Answer: When SCM version 26.1 was released in January 2026, all existing public SSL certificate profiles were automatically updated to reflect a 199‑day maximum term.
Q2: How is the current certificate renewal impacted since most certificates are issued for 365+ days.
Answer: The updated validity period applies only to newly issued certificates after the policy goes into effect. Any certificates that were issued previously with longer lifespans will continue functioning normally and will not require early renewal or replacement.
Q3: Do profiles have to be updated manually, or will Sectigo apply the changes automatically when the 199-day term becomes effective?
Answer: All profile terms exceeding 199 days were automatically removed in March 2026 as part of the policy enforcement.
Related Articles:
How to create a report in SCM to filter DCV for revalidation process within days?
How to Identify Domains Requiring DCV Revalidation Using the SCM API?
Need assistance?
Contact our team for help with your purchase or issuing your certificate.