In the coming years, the maximum validity period of SSL/TLS certificates will be shortened step by step across the entire industry. This change is driven by updated CA/Browser Forum rules and applies to all publicly trusted SSL certificates.
These changes are intended to improve security by limiting the impact of compromised keys and ensuring certificate data remains up to date.
What does this mean in practice?
SSL certificate validity periods will be reduced gradually as part of new CA/Browser Forum baseline requirements.
Certificates issued before each change date will remain valid for their original term. However, any certificate that is issued or reissued after a change date must comply with the new, shorter maximum validity, even if the original certificate was valid for longer.
In addition, validation reuse periods (such as domain and organization validation) will also be shortened over time, requiring more frequent re-validation.
Industry-wide validity reduction timeline (CA/Browser Forum)
- March 15, 2026: Maximum validity reduced to 200 days
- March 15, 2027: Maximum validity reduced to 100 days
- March 15, 2029: Maximum validity reduced to 47 days
DigiCert-specific implementation
DigiCert will implement the first step of this change slightly earlier.
From February 24, 2026, TLS/SSL certificates issued via DigiCert CertCentral will have a maximum validity of 199 days.
This applies to all public TLS certificates, including:
- OV
- EV
- EU Qualified Website Authentication Certificates (QWAC / PSD2)
Additional details:
- Certificates issued before February 24, 2026 remain valid until their original expiration date
- Any reissue on or after February 24, 2026 will be limited to 199 days, even if the original certificate was valid for longer
Validation reuse periods will also be shortened on the same date:
- OV organization validation reuse: from 825 days to 397 days
- Domain validation reuse: from 397 days to 199 days
More details from DigiCert are available here:
https://knowledge.digicert.com/alerts/public-tls-certificates-199-day-validity
Why automation becomes essential
Shorter certificate lifetimes improve security, but they also mean certificates must be issued and renewed more frequently. Manual handling quickly becomes inefficient and increases the risk of expired certificates and service disruption.
As a result, automation becomes increasingly important for both resellers and their end customers.
What happens to existing certificates and subscriptions
- Certificates issued before a change date remain valid for their full original period
- Existing subscriptions will continue, but the required reissue interval will shorten
- Any reissue after the effective date will follow the new maximum validity
Starting March 15, 2026, one-year SSL orders will automatically be handled as subscriptions, similar to how multi-year certificates are handled today.
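How the timeline above changes the reissue interval of a running subscription, as an added example (not code from Realtime Register, DigiCert or the CA/Browser Forum). The function names, the 398-day pre-change limit, the renewal lead time and the rule that a certificate never outlives the subscription term are assumptions of this sketch.

```python
from datetime import date, timedelta

# (effective date, max validity in days), taken from the timeline on this page.
CABF_STEPS = [(date(2026, 3, 15), 200), (date(2027, 3, 15), 100), (date(2029, 3, 15), 47)]
# DigiCert CertCentral: only the first step is given on this page.
DIGICERT_STEPS = [(date(2026, 2, 24), 199)]
# Assumption (not stated on this page): 398-day limit before the first step.
PRE_CHANGE_MAX_DAYS = 398


def max_validity_days(issued_on, steps=CABF_STEPS):
    """Maximum validity for a certificate issued or reissued on `issued_on`."""
    limit = PRE_CHANGE_MAX_DAYS
    for effective, days in sorted(steps):
        if issued_on >= effective:  # assumption: a step applies from its date onward
            limit = days
    return limit


def reissue_plan(start, term_days, renew_before_days=30, steps=CABF_STEPS):
    """Return [(issued_on, expires, limit_days)] covering `term_days` from `start`.

    Hypothetical model: each certificate gets the maximum validity allowed on its
    issue date, never outlives the subscription term, and is reissued
    `renew_before_days` before it expires.
    """
    end = start + timedelta(days=term_days)
    plan, issued_on = [], start
    while True:
        limit = max_validity_days(issued_on, steps)
        expires = min(issued_on + timedelta(days=limit), end)
        plan.append((issued_on, expires, limit))
        if expires >= end:
            return plan
        # Cap the lead time so every reissue moves the schedule forward.
        lead = min(renew_before_days, limit - 1)
        issued_on = expires - timedelta(days=lead)


if __name__ == "__main__":
    # Constructed sample: one-year subscriptions starting at different points.
    for start in (date(2026, 1, 10), date(2026, 3, 15), date(2029, 3, 15)):
        plan = reissue_plan(start, 365, renew_before_days=15)
        print(start, "->", len(plan), "issuance(s)")
        for issued_on, expires, limit in plan:
            print(f"  issue {issued_on}  expires {expires}  (max {limit} days)")
```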
Your automation options
There are several ways to prepare, depending on how you currently manage SSL certificates.
- Classic order flow
  Our existing order and API flow already support full automation. If you have automation in place today, no immediate changes are required. If parts of your process are still manual, this is a good moment to review them.
- Immediate issuance with authKey DCV
  For DigiCert, GeoTrust, Thawte, RapidSSL, and PerfectSSL certificates, you can streamline issuance using the authKey DCV method. This removes asynchronous steps and speeds up certificate delivery.
- ACME automation
  ACME is the industry-standard protocol for fully automated certificate issuance and renewal.
  - For Sectigo certificates, we plan to introduce a certificate-as-a-service model with ACME delivery in January 2026, supporting both DV and OV certificates
  - For DigiCert and related brands, we are actively investigating similar options and will share updates as soon as more details are available
- Enterprise environments
  For larger and more complex infrastructures, enterprise-grade certificate lifecycle management solutions are already available, including:
  - Sectigo Certificate Manager
  - DigiCert ONE
Both solutions are offered by Realtime Register as tailored enterprise implementations. If you’re considering either option, please contact us and we’ll help assess the best fit and guide you through getting started.
Next steps
This change does not require immediate action for everyone, but it is a good moment to assess how automated your SSL processes are today. As certificate lifetimes continue to shorten, automation will play an increasingly important role in maintaining efficiency and reducing operational risk.
In parallel, we are working towards introducing an ACME solution for our customers and will keep you informed about further developments.