The digital security landscape is about to undergo one of its most significant shifts in coming years. The CA/Browser Forum—the international body that sets the rules for digital certificates—has passed a landmark decision to dramatically shorten the maximum validity period of publicly trusted SSL/TLS certificates. (refer to section 4.2.1)
By March 2029, the certificates that secure your websites, applications, and data will only be valid for 47 days, a sharp reduction from the current 398-day maximum. This change isn’t just a minor policy update; it’s a fundamental re-engineering of how we manage trust on the internet. Here’s what’s changing, why it’s happening, and how your organization can prepare.
To give the industry time to adapt, the reduction will occur in three clear phases:
- Before March 13: Certificates can still be issued with a maximum validity of 398 days.
- March 13, 2026: The maximum lifespan drops to 200 days. Renewal/Reissue required every 199 days.
- March 15, 2027: The maximum is halved again to 100 days.
- March 15, 2029: The final target takes effect, with a maximum validity of 47 days.
Your Action Plan: How to Prepare
The end of the 398-day certificate is not a threat, but a catalyst for positive change. Although the validity period is shortened, the purchasing model remains a 1-Year Subscription under the vendor’s operational policy. Certificates will be issued multiple times during the subscription period.
1-Year Plan (starting from March 13)
- 1st Certificate: Issued immediately after purchase (valid for 199 days)
- Reissue is recommended starting 33 days before expiration. Reissue can be done earlier; each new certificate will still have 199-day validity. Multiple Reissues are allowed within the subscription period.
Important Notes
- Certificates must be reinstalled on servers and related systems after each issuance.
- DCV (Domain Control Validation) is required each time a certificate is issued. If the same CSR is reused for Reissue within 199 days, DCV is not required.
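
The phase schedule and the 1-Year Plan above can be turned into a reissue calendar for scheduling reinstallation and DCV work. This Python sketch is an added example, not the vendor's tooling; the function names, the 365-day subscription length, and the rule of stopping once a certificate's expiry reaches the subscription end are assumptions.

```python
from datetime import date, timedelta

# Maximum validity by issuance date, taken from the schedule on this page.
PHASES = [
    (date(2029, 3, 15), 47),
    (date(2027, 3, 15), 100),
    (date(2026, 3, 13), 200),
]
LEGACY_MAX_DAYS = 398  # issuance before March 13, 2026


def max_validity_days(issued: date) -> int:
    """Return the maximum certificate lifetime allowed on the issuance date."""
    for start, days in PHASES:
        if issued >= start:
            return days
    return LEGACY_MAX_DAYS


def plan_reissues(purchase: date, subscription_days: int = 365,
                  validity_days: int = 199, lead_days: int = 33):
    """List (issued, expires) pairs that keep coverage through the subscription.

    Assumption: each reissue happens exactly lead_days before the current
    certificate expires, and planning stops once coverage reaches the end
    of the subscription.
    """
    if not 0 <= lead_days < validity_days:
        raise ValueError("lead_days must be shorter than validity_days")
    sub_end = purchase + timedelta(days=subscription_days)
    plan, issued = [], purchase
    while True:
        limit = max_validity_days(issued)
        if validity_days > limit:
            raise ValueError(
                f"{validity_days}-day certificate exceeds the {limit}-day "
                f"maximum for issuance on {issued}")
        expires = issued + timedelta(days=validity_days)
        plan.append((issued, expires))
        if expires >= sub_end:
            return plan
        issued = expires - timedelta(days=lead_days)


if __name__ == "__main__":
    # Constructed sample: a subscription bought on the first day of the 200-day phase.
    for n, (issued, expires) in enumerate(plan_reissues(date(2026, 3, 13)), 1):
        print(f"certificate {n}: issue {issued}, expires {expires}")
```

With 199-day certificates and a 33-day reissue lead, two issuances span exactly 365 days (199 + 199 - 33), and the same call made for a purchase date in a later phase raises an error until `validity_days` is lowered to fit that phase's maximum.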
