Blog Post Jun 24, 2025

The countdown to automate is on: 200-day SSL/TLS certificate lifespans are less than a year away

SSL/TLS certificate lifespans will be reduced from 398 to 200 days starting March 15, 2026, with future reductions planned to just 47 days. This shift aims to enhance digital security and prepare for post-quantum cryptography. Manual certificate management will no longer scale, making automation essential. Organizations must act now to audit their certificates, implement lifecycle automation, and ensure resilience in the face of evolving threats.

In the rapidly evolving landscape of digital security, certificate lifespans are about to take another historic step down. The first major milestone on this journey arrives on March 15, 2026, when the maximum allowable term for SSL/TLS certificates will be reduced from 398 days to 200 days. This marks the first formal step in the industry’s path toward 47-day certificate validity, a future that demands immediate preparation and automation.

The countdown has begun

The urgency of the upcoming 200-day certificate lifespan, taking effect on March 15, 2026, cannot be overstated. It’s now less than a year away. That means organizations have only a narrow window to assess their current certificate inventories, identify automation gaps, and roll out solutions before this major shift is enforced. Waiting until the last minute risks introducing serious vulnerabilities into your digital infrastructure. If you're still manually managing certificates, you're already behind. The move to 200 days is a rapidly approaching reality, and the systems you put in place today will determine whether your business faces smooth continuity or costly outages and trust-eroding disruptions.

On March 15, 2026, businesses relying on manual certificate management will begin to feel the pressure. By this date, all public SSL/TLS certificates must conform to a 200-day validity limit. That’s nearly half the time organizations are currently used to, and it’s only the beginning.

Further reduction dates are already in place, as proposed by Apple and voted into effect by the CA/Browser Forum:

  • March 15, 2027: Validity drops to 100 days
  • March 15, 2029: The final target of 47 days

This phased approach, which was endorsed as a ballot by Chrome, Mozilla, and Sectigo, is designed to enhance digital trust, improve security, and lay the groundwork for post-quantum cryptography.


Why this matters

Long-lived certificates have long been a silent vulnerability. A lot can happen in 398 days when your certificate systems are manually managed: companies go out of business, employees leave, domains change hands, and cyber threats evolve. A compromised certificate left active for over a year is a ticking time bomb.

Shorter lifespans:

  • Minimize the risk of long-standing compromises
  • Force more frequent validation of security practices
  • Encourage the adoption of automation and cryptographic agility

This transition is more than a policy change. It’s a paradigm shift. Manual management simply won’t scale when certificates need replacing every 47 days.

Automation: the only viable strategy

Under a 47-day renewal cycle, organizations will need to issue, validate, and deploy certificates at least 7-8 times a year per endpoint. Without automation, this becomes unmanageable.

Manual processes = higher risk of:

  • Certificate expiration and downtime
  • Service disruptions
  • Browser warnings eroding customer trust
  • Compliance violations and financial penalties

Automation, on the other hand, enables:

  • Timely and error-free renewals
  • Centralized visibility into certificate lifecycles
  • Reduced operational burden
  • Integration with CI/CD, DevOps, and ITSM tools
  • Future-ready cryptographic agility

Why automation = post-quantum readiness

One of the most forward-looking advantages of automated certificate lifecycle management (CLM) is crypto agility: the ability to swiftly transition to quantum-safe algorithms when they become necessary.

Apple and the CA/Browser Forum have made it clear: the move toward shorter certificates is not just about today’s threats, but about building resilience for tomorrow’s. Automation enables this agility by:

  • Simplifying key rotation and algorithm swaps
  • Eliminating reliance on legacy cryptographic protocols
  • Ensuring rapid deployment of new standards across the infrastructure

Organizations embracing automation now are setting themselves up to seamlessly adapt to the post-quantum future.

How to prepare before March 15, 2026

1. Discover all certificates

Use tools like Sectigo Certificate Manager (SCM) or crt.sh to find every certificate in your environment.

2. Inventory all certificate-dependent systems

Know where certificates are used: load balancers, VPNs, containers, microservices.

3. Map automation opportunities

Leverage ACME clients and other protocols (SCEP, EST) to automate issuance and renewal.

4. Build a rollout plan

Assign roles, timelines, and resources. Start with high-priority systems.

5. Embrace automation

Adopt a managed solution like Sectigo Certificate Manager to automate every part of the lifecycle from a single-pane-of-glass dashboard.
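As an added illustration of steps 1 to 4 (not Sectigo code or part of the original post), the following script checks a certificate inventory against the phased limits listed above and works out which limit each replacement certificate will fall under. The host names, dates, CSV layout, and the 30-day renewal margin are constructed assumptions, and the limits are assumed to apply by issuance date.

```python
import csv, io, math
from datetime import date, timedelta

# Phased maximums from the article: (effective date, max validity in days).
SCHEDULE = [(date(2026, 3, 15), 200), (date(2027, 3, 15), 100), (date(2029, 3, 15), 47)]
CURRENT_MAX = 398  # limit before March 15, 2026

# Constructed sample inventory (hypothetical hosts and dates), e.g. a discovery export.
INVENTORY = """host,not_before,not_after
www.example.test,2025-09-01,2026-10-04
api.example.test,2026-04-01,2027-05-04
vpn.example.test,2029-01-21,2029-05-01
"""

def max_validity(issued: date) -> int:
    """Maximum lifetime allowed for a certificate issued on `issued` (assumption:
    each limit applies to certificates issued on or after its effective date)."""
    limit = CURRENT_MAX
    for effective, days in SCHEDULE:
        if issued >= effective:
            limit = days
    return limit

def audit(csv_text: str, renew_margin_days: int = 30) -> list[dict]:
    """Check each certificate against its phase and plan the replacement.
    renew_margin_days is a hypothetical policy value, not taken from the article."""
    report = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        not_before = date.fromisoformat(row["not_before"])
        not_after = date.fromisoformat(row["not_after"])
        lifetime = (not_after - not_before).days
        renew_on = not_after - timedelta(days=renew_margin_days)
        next_limit = max_validity(renew_on)  # phase the replacement falls under
        report.append({
            "host": row["host"],
            "lifetime_days": lifetime,
            "within_limit": lifetime <= max_validity(not_before),
            "renew_on": renew_on,
            "next_max_days": next_limit,
            "renewals_per_year": math.ceil(365 / next_limit),
        })
    return report

if __name__ == "__main__":
    for entry in audit(INVENTORY):
        print(entry)
```

Sorting the report by `renew_on` gives a rollout order for step 4, and any row with `within_limit` set to false points at an issuance path that still requests the old lifetime.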

Final thoughts

The shift to 47-day certificates is coming, and March 15, 2026 is your wake-up call. What was once a best practice is now a necessity: Automation is the only path forward.

With the right tools, strategy, and mindset, your organization won’t just survive the shift, it will thrive in a future that values agility, resilience, and digital trust.

Want to learn more? Get in touch to book a demo of Sectigo Certificate Manager!
