New Certificate Validity Rules Now in Effect

- The move to shorten certificate validity is a long-term trend; prior to 2015, SSL/TLS certificates could be valid for as long as five years before being successively reduced to three years, then two, and then to 398 days in 2020. - A primary driver for this change is to reduce the window of opportunity for attackers. If a certificate's private key is compromised, a shorter lifespan limits the duration it can be used to impersonate sites or sign malicious code. - Shorter validity periods diminish the reliance on flawed certificate revocation mechanisms like CRLs and OCSP, which browsers often fail to check reliably. A compromised certificate will naturally expire much faster, limiting the potential damage. - The changes force "cryptographic agility," accelerating the industry's adoption of stronger encryption standards. The slow transition away from the deprecated SHA-1 algorithm, for example, was prolonged by long certificate lifespans. - For SSL/TLS certificates, the reduction is a phased process set by the CA/Browser Forum. The current 398-day maximum will drop to 200 days around March 2026, then to 100 days in 2027, and finally to just 47 days by March 2029. - The period for which Domain Control Validation (DCV) can be reused is also shrinking. By 2029, it will be reduced to just 10 days, ensuring that the entity using the certificate frequently proves it still controls the associated domain. - This industry-wide shift is a significant push towards automation. The increased frequency of renewals makes manual certificate management impractical and highly prone to error, which could lead to service outages.