Skip to main content
    Effective March 13, 2026

    SSL Certificate 199-Day Limit: What Changed in 2026 and What to Do Next

    Starting March 13, 2026, every publicly-trusted Certificate Authority must cap SSL/TLS certificate validity at 199 days. This is just the first step — it drops to 47 days by 2029. Here's the full timeline, how it affects DV, OV, and EV certificates, and the practical steps you need to take.

    My-SSL Team
    March 15, 2026
    (Updated: April 9, 2026)
    12 min read

    The Reduction Timeline

    CA/Browser Forum Ballot SC-081v3, passed in April 2025 with unanimous support from all four browser vendors (Apple, Google, Microsoft, Mozilla) and 25 Certificate Authorities, sets a phased reduction schedule. If you're coming from the previous 398-day era, the shift feels dramatic — and it is.

    March 13, 2026

    199 days

    max certificate validity

    SAN data reuse: 200 days

    Now Active

    March 13, 2027

    100 days

    max certificate validity

    SAN data reuse: 100 days

    March 13, 2029

    47 days

    max certificate validity

    SAN data reuse: 10 days

    Previously, SSL certificates could be issued for up to 398 days (about 13 months). The 199-day limit effectively halves that, and the final 47-day target means certificates will need replacing roughly every 6 weeks. For a deeper look at how we got here, see our SSL Certificate Lifetime Changes in 2026 article.

    Why Is This Happening?

    The push for shorter certificate lifetimes isn't arbitrary — it's rooted in real security concerns that browsers and CAs have been debating for years. Here's the reasoning behind it:

    Smaller window for compromised certificates

    When a private key gets leaked or a certificate is mis-issued, it can take days or weeks for revocation to propagate — and many browsers don't even check revocation status reliably. A shorter validity period means any compromised certificate naturally "expires out" faster, limiting the damage window.

    Faster adoption of stronger cryptography

    The industry is moving toward post-quantum algorithms and stronger key sizes. With 398-day certificates, a full migration could take over a year. Shorter lifetimes mean the ecosystem rotates its cryptographic material more frequently, making transitions smoother. Our post-quantum cryptography guide covers why this matters.

    Keeping validation data fresh

    A certificate vouches for the identity of its holder. But organizations change — they get acquired, shut down domains, or lose control of infrastructure. Shorter certificates mean CAs re-verify domain ownership and organizational details more often, keeping that trust signal accurate.

    Apple led the charge

    Apple originally proposed reducing certificate lifetimes to as low as 45 days. The SC-081v3 ballot represents a compromise — a gradual phase-down that gives the industry time to adopt automation. Google and Mozilla backed the initiative, making browser consensus unanimous.

    Bottom line: shorter lifetimes aren't a punishment for site operators — they're a structural improvement to how internet trust works. The tradeoff is more frequent renewals, which is why automation has become critical.

    Impact by Certificate Type

    The 199-day limit applies to every publicly-trusted SSL/TLS certificate, but the practical impact differs depending on what type you use:

    DV
    Domain Validated Certificates

    DV certificates are the easiest to automate because validation only requires proving domain control — no paperwork, no phone calls. If you're using ACME with Certbot, the transition is almost seamless. Most DV users won't notice a difference in their daily operations.

    Browse DV SSL options

    OV
    Organization Validated Certificates

    OV certificates require organizational vetting, which has traditionally been a manual step. The good news: once your organization is validated, most CAs cache that verification for the duration of your subscription. Reissues within a multi-year product don't usually require re-vetting, though the data reuse period is tightening (see below).

    Browse OV SSL options

    EV
    Extended Validation Certificates

    EV certificates face the biggest operational challenge. Extended Validation involves legal entity verification, callback procedures, and document reviews. While reissues within an existing subscription may skip some steps, the shrinking data reuse periods mean periodic re-vetting is inevitable. Organizations running EV certificates should plan their renewal schedules carefully.

    Browse EV SSL options

    Wildcard & Multi-Domain
    Wildcard and SAN Certificates

    Wildcard certificates (*.example.com) and multi-domain SAN certificates follow the same 199-day limit. The added wrinkle is SAN data reuse — each domain on a multi-domain certificate has its own validation expiry. When you reissue, you may need to re-validate some SANs even if the certificate itself is just being renewed. We cover this in detail in the next section.

    SAN Revalidation: The Hidden Change

    Most coverage of SC-081v3 focuses on the certificate validity reduction, but there's a second timeline buried in the ballot that's arguably just as impactful: domain validation data reuse periods are shrinking too.

    What does "data reuse" mean?

    When a CA validates that you control a domain (through DNS records, HTTP challenges, or email verification), they can "reuse" that proof for a limited period. Previously, domain validation data could be reused for up to 398 days. Under the new rules:

    • March 2026: Domain validation data reuse drops to 200 days
    • March 2027: Drops to 100 days
    • March 2029: Drops to just 10 days

    This matters most for multi-domain (SAN) certificates. If you have a certificate covering 10 domains and each one was validated at a different time, some SANs may expire their validation before your next reissue. That means during a reissue, you might need to re-prove control of specific domains — a process that can delay issuance if you're not prepared.

    The practical takeaway: validate all your domains at the same time whenever possible, and keep DNS records or HTTP challenge files readily deployable. If you manage many domains, a DNS-01 based ACME setup can automate revalidation entirely.

    What About Multi-Year Products?

    You can still purchase 1-year, 2-year, or even 3-year SSL products — the subscription period hasn't changed. What changes is how the certificate itself is issued within that period. Think of it like a magazine subscription: you pay upfront for the full term, but you receive individual issues throughout.

    Example: One-Year SSL Product (After March 13, 2026)

    1. 1You buy a 1-year SSL certificate and activate it on Day 0.
    2. 2The CA issues a certificate valid for 199 days (the new maximum).
    3. 3Before it expires (~Day 170), you reissue for free — most CAs offer unlimited reissues within your subscription.
    4. 4The second certificate covers the remaining ~166 days of your 1-year product.

    The key difference: previously, a 1-year product = 1 certificate. Now, a 1-year product = at least 2 certificates. A 2-year product will require 4+ reissues. A 3-year product could mean 6 or more reissues before the subscription ends.

    Multi-year products still offer cost savings — you lock in today's price and avoid annual renewals. But you'll need a process (ideally automated) for handling the periodic reissues. Check our SSL Certificate Pricing Guide for a cost comparison of multi-year vs. annual plans.

    Automation Is No Longer Optional

    Let's be honest: manually tracking and renewing certificates every 199 days is manageable for a site or two. But if you run a dozen services, manage client infrastructure, or operate in any kind of DevOps environment, manual renewal is a ticking time bomb. And with the 47-day target coming in 2029, it becomes genuinely unsustainable.

    ACME protocol (RFC 8555)

    The Automatic Certificate Management Environment protocol handles the entire lifecycle — validation, issuance, installation, and renewal — without human intervention. Originally built for Let's Encrypt, ACME is now supported by commercial CAs like DigiCert, Sectigo, and Certum.

    Read our Certbot & ACME production guide

    Kubernetes & cloud-native

    If you're running Kubernetes, cert-manager handles certificate lifecycle natively. It integrates with ACME issuers, supports DNS-01 challenges for wildcard certificates, and auto-renews before expiry. For cloud environments (AWS, GCP, Azure), managed certificate services handle renewal transparently.

    Monitoring as a safety net

    Even with automation, things break — DNS changes, credential rotation, firewall rules. Set up independent monitoring that alerts you if a certificate is within 14 days of expiry. Our SSL Reminder tool does exactly this, for free.

    The organizations that already use Let's Encrypt with ACME won't feel much impact — they've been operating with 90-day lifetimes for years. For everyone else, now is the time to set up automation. Our SSL Tools Guide walks through the free tools available to help.

    What You Should Do Now

    Set up expiration monitoring

    Track all your certificates and get alerts before they expire. Our free SSL Reminder tool sends you email notifications at 30, 14, and 7 days before expiry.

    Set up SSL Reminders →

    Enable ACME automation

    If your CA and hosting provider support it, set up ACME to handle renewals and reissues automatically. Certbot is the most popular client, and it works with Apache, Nginx, and standalone setups.

    Read the Certbot guide →

    Plan your reissue workflow

    For multi-year products, mark reissue dates in your calendar. Most CAs allow reissuing 30 days before expiry at no extra cost. Document the process so anyone on your team can handle it.

    Audit your certificate inventory

    Know exactly how many certificates you manage and when each one expires. Use our SSL Checker to verify current validity and expiration dates across all your domains.

    Check your SSL →

    Frequently Asked Questions

    Sources & References

    Official documentation and industry standards cited in this article

    My-SSL Security Team

    SSL Experts

    The My-SSL Security Team brings over 15 years of combined experience in SSL/TLS certificate management, web security, and PKI infrastructure. Our team regularly contributes to industry standards and provides guidance to thousands of businesses securing their online presence.

    SSL/TLS Certificates
    CA/Browser Forum Policy
    Certificate Lifecycle
    ACME Automation
    Published: 2026-03-15
    About Our Team

    Editorial Standards: All content is reviewed by our security experts for technical accuracy. We follow industry best practices and reference official CA/Browser Forum guidelines.Learn more about SSL security.