New Certificate Validity Rules Now in Effect
What happened
New CA/Browser Forum requirements shortening the validity period for code signing certificates are now in effect. The changes, which began this month, are part of a broader industry push to enhance software and website security. Major Certificate Authorities like DigiCert and Sectigo are also implementing significant updates to SSL/TLS certificate standards in 2026.
Why it matters
- The move to shorten certificate validity is a long-term trend; prior to 2015, SSL/TLS certificates could be valid for as long as five years before being successively reduced to three years, then two, and then to 398 days in 2020.
- A primary driver for this change is to reduce the window of opportunity for attackers. If a certificate's private key is compromised, a shorter lifespan limits the duration it can be used to impersonate sites or sign malicious code.
- Shorter validity periods diminish the reliance on flawed certificate revocation mechanisms like CRLs and OCSP, which browsers often fail to check reliably. A compromised certificate will naturally expire much faster, limiting the potential damage.
- The changes force "cryptographic agility," accelerating the industry's adoption of stronger encryption standards. The slow transition away from the deprecated SHA-1 algorithm, for example, was prolonged by long certificate lifespans.
- For SSL/TLS certificates, the reduction is a phased process set by the CA/Browser Forum. The current 398-day maximum will drop to 200 days around March 2026, then to 100 days in 2027, and finally to just 47 days by March 2029.
- The period for which Domain Control Validation (DCV) can be reused is also shrinking. By 2029, it will be reduced to just 10 days, ensuring that the entity using the certificate frequently proves it still controls the associated domain.
- This industry-wide shift is a significant push towards automation. The increased frequency of renewals makes manual certificate management impractical and highly prone to error, which could lead to service outages.
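An added example, not from the original article: a Python audit of a certificate inventory against the phased lifetime caps listed above, flagging certificates whose current lifetime will be refused at their next renewal. The exact effective days in `SCHEDULE`, the hostnames and the dates are assumptions constructed for illustration.

```python
import math
from datetime import date, timedelta

# Maximum TLS certificate lifetime by issuance date. The page gives only
# "2020", "around March 2026", "2027" and "by March 2029"; the exact
# effective days below are assumptions made for this example.
SCHEDULE = [
    (date(2020, 9, 1), 398),
    (date(2026, 3, 15), 200),
    (date(2027, 3, 15), 100),
    (date(2029, 3, 15), 47),
]

def max_lifetime_days(issued):
    """Cap in force on the issuance date, or None before the first entry."""
    cap = None
    for effective, days in SCHEDULE:
        if issued >= effective:
            cap = days
    return cap

def min_issuances_per_year(cap_days):
    """Fewest issuances that keep one hostname covered for 365 days."""
    return math.ceil(365 / cap_days)

def audit(inventory):
    """Classify each (name, not_before, not_after) tuple against the schedule."""
    report = {}
    for name, not_before, not_after in inventory:
        lifetime = (not_after - not_before).days
        cap_now = max_lifetime_days(not_before)
        cap_next = max_lifetime_days(not_after)  # cap when it must be replaced
        if cap_now is not None and lifetime > cap_now:
            status = "over-cap"            # longer than allowed when issued
        elif cap_next is not None and lifetime > cap_next:
            status = "shorten-at-renewal"  # same lifetime is refused next time
        else:
            status = "ok"
        report[name] = (status, lifetime, cap_next)
    return report

def _cert(name, issued, days):
    return (name, issued, issued + timedelta(days=days))

# Constructed inventory (hypothetical hostnames and dates, not real certificates).
INVENTORY = [
    _cert("www.example.test", date(2025, 6, 1), 398),
    _cert("api.example.test", date(2026, 4, 1), 398),
    _cert("mail.example.test", date(2026, 4, 1), 90),
    _cert("edge.example.test", date(2028, 12, 20), 90),
]
```

The `shorten-at-renewal` rows are the ones to move to automated issuance first, since a like-for-like manual renewal will no longer be accepted when they expire.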
Key numbers
- The move to shorten certificate validity is a long-term trend; prior to 2015, SSL/TLS certificates could be valid for as long as five years before being successively reduced to three years, then two, and then to 398 days in 2020.
- The current 398-day maximum will drop to 200 days around March 2026, then to 100 days in 2027, and finally to just 47 days by March 2029.
What happens next
- The current 398-day maximum will drop to 200 days around March 2026, then to 100 days in 2027, and finally to just 47 days by March 2029.