Shortening of TLS Certificate Validity

Starting in March 2026, the maximum validity period of publicly trusted SSL/TLS certificates will be reduced from the current roughly 13 months to 200 days, and then further to 47 days in 2029. In the initial phase, when the maximum validity is reduced to 200 days, you will not need to make any operational changes on your side: the certificate lifecycle (issuance, renewal, and deployment) will continue to be handled for you as it is today.

What is changing and why

  • From 15 March 2026, new public SSL/TLS certificates (DV/OV/EV) will be issued with a maximum validity of 200 days instead of the current 398 days.
  • In the following years, the maximum validity will be reduced to 100 days (from 2027) and then to 47 days in 2029.
  • The main driver is improved security: shorter lifetimes reduce the window in which compromised or mistakenly issued certificates can be abused and accelerate the adoption of new security standards.

In practice, certificates will be renewed more often, but your environment will be more secure in the long term.

What this means for you

  • The move to 200‑day validity will be handled internally on our side and will not change how you use our services – we will continue to deploy and renew your certificates as before.
  • For Let’s Encrypt certificates, we already use fully automated issuance and renewals, and we are preparing for the new DNS‑PERSIST‑01 mechanism that Let’s Encrypt is introducing for long‑term, stable domain validation without repeated DNS changes. DNS‑PERSIST‑01 works by adding a single persistent DNS validation record that is bound to a specific certificate authority and ACME account, allowing that CA to issue certificates for the domain repeatedly without further DNS modifications. This method is expected to become available in the second half of 2026. Among other benefits, it should simplify issuing wildcard Let’s Encrypt certificates, which currently require repeated DNS updates for each renewal.
  • For commercial (paid) certificates, we are preparing similar automation so that renewals remain smooth and do not cause service interruptions even as certificate lifetimes get shorter.

What we are doing

  • We closely follow the official CA/Browser Forum timeline and the announcements of major certificate authorities, and we continuously adapt our internal processes to these changes.
  • We are extending automation to commercial certificates as well, so that domain validation, certificate issuance, and deployment are handled in a highly automated way.
  • We will inform you in advance about any significant future changes (for example, the transition to the shorter 100‑day and 47‑day validity periods).

Our goal is to keep your services protected with modern TLS certificates while ensuring you do not have to worry about managing their lifecycle.