- Home
- Learn
- SSL Basics
- SSL Certificate 199-Day Limit
SSL Certificate 199-Day Limit: What Changed in 2026 and What to Do Next
Starting March 13, 2026, every publicly-trusted Certificate Authority must cap SSL/TLS certificate validity at 199 days. This is just the first step — it drops to 47 days by 2029. Here's the full timeline, how it affects DV, OV, and EV certificates, and the practical steps you need to take.
The Reduction Timeline
CA/Browser Forum Ballot SC-081v3, passed in April 2025 with unanimous support from all four browser vendors (Apple, Google, Microsoft, Mozilla) and 25 Certificate Authorities, sets a phased reduction schedule. If you're coming from the previous 398-day era, the shift feels dramatic — and it is.
March 13, 2026
199 days
max certificate validity
SAN data reuse: 200 days
March 13, 2027
100 days
max certificate validity
SAN data reuse: 100 days
March 13, 2029
47 days
max certificate validity
SAN data reuse: 10 days
Previously, SSL certificates could be issued for up to 398 days (about 13 months). The 199-day limit effectively halves that, and the final 47-day target means certificates will need replacing roughly every 6 weeks. For a deeper look at how we got here, see our SSL Certificate Lifetime Changes in 2026 article.
Why Is This Happening?
The push for shorter certificate lifetimes isn't arbitrary — it's rooted in real security concerns that browsers and CAs have been debating for years. Here's the reasoning behind it:
Smaller window for compromised certificates
When a private key gets leaked or a certificate is mis-issued, it can take days or weeks for revocation to propagate — and many browsers don't even check revocation status reliably. A shorter validity period means any compromised certificate naturally "expires out" faster, limiting the damage window.
Faster adoption of stronger cryptography
The industry is moving toward post-quantum algorithms and stronger key sizes. With 398-day certificates, a full migration could take over a year. Shorter lifetimes mean the ecosystem rotates its cryptographic material more frequently, making transitions smoother. Our post-quantum cryptography guide covers why this matters.
Keeping validation data fresh
A certificate vouches for the identity of its holder. But organizations change — they get acquired, shut down domains, or lose control of infrastructure. Shorter certificates mean CAs re-verify domain ownership and organizational details more often, keeping that trust signal accurate.
Apple led the charge
Apple originally proposed reducing certificate lifetimes to as low as 45 days. The SC-081v3 ballot represents a compromise — a gradual phase-down that gives the industry time to adopt automation. Google and Mozilla backed the initiative, making browser consensus unanimous.
Bottom line: shorter lifetimes aren't a punishment for site operators — they're a structural improvement to how internet trust works. The tradeoff is more frequent renewals, which is why automation has become critical.
Impact by Certificate Type
The 199-day limit applies to every publicly-trusted SSL/TLS certificate, but the practical impact differs depending on what type you use:
DVDomain Validated Certificates
DV certificates are the easiest to automate because validation only requires proving domain control — no paperwork, no phone calls. If you're using ACME with Certbot, the transition is almost seamless. Most DV users won't notice a difference in their daily operations.
Browse DV SSL optionsOVOrganization Validated Certificates
OV certificates require organizational vetting, which has traditionally been a manual step. The good news: once your organization is validated, most CAs cache that verification for the duration of your subscription. Reissues within a multi-year product don't usually require re-vetting, though the data reuse period is tightening (see below).
Browse OV SSL optionsEVExtended Validation Certificates
EV certificates face the biggest operational challenge. Extended Validation involves legal entity verification, callback procedures, and document reviews. While reissues within an existing subscription may skip some steps, the shrinking data reuse periods mean periodic re-vetting is inevitable. Organizations running EV certificates should plan their renewal schedules carefully.
Browse EV SSL optionsWildcard & Multi-DomainWildcard and SAN Certificates
Wildcard certificates (*.example.com) and multi-domain SAN certificates follow the same 199-day limit. The added wrinkle is SAN data reuse — each domain on a multi-domain certificate has its own validation expiry. When you reissue, you may need to re-validate some SANs even if the certificate itself is just being renewed. We cover this in detail in the next section.
What About Multi-Year Products?
You can still purchase 1-year, 2-year, or even 3-year SSL products — the subscription period hasn't changed. What changes is how the certificate itself is issued within that period. Think of it like a magazine subscription: you pay upfront for the full term, but you receive individual issues throughout.
Example: One-Year SSL Product (After March 13, 2026)
- 1You buy a 1-year SSL certificate and activate it on Day 0.
- 2The CA issues a certificate valid for 199 days (the new maximum).
- 3Before it expires (~Day 170), you reissue for free — most CAs offer unlimited reissues within your subscription.
- 4The second certificate covers the remaining ~166 days of your 1-year product.
The key difference: previously, a 1-year product = 1 certificate. Now, a 1-year product = at least 2 certificates. A 2-year product will require 4+ reissues. A 3-year product could mean 6 or more reissues before the subscription ends.
Multi-year products still offer cost savings — you lock in today's price and avoid annual renewals. But you'll need a process (ideally automated) for handling the periodic reissues. Check our SSL Certificate Pricing Guide for a cost comparison of multi-year vs. annual plans.
Automation Is No Longer Optional
Let's be honest: manually tracking and renewing certificates every 199 days is manageable for a site or two. But if you run a dozen services, manage client infrastructure, or operate in any kind of DevOps environment, manual renewal is a ticking time bomb. And with the 47-day target coming in 2029, it becomes genuinely unsustainable.
ACME protocol (RFC 8555)
The Automatic Certificate Management Environment protocol handles the entire lifecycle — validation, issuance, installation, and renewal — without human intervention. Originally built for Let's Encrypt, ACME is now supported by commercial CAs like DigiCert, Sectigo, and Certum.
Read our Certbot & ACME production guideKubernetes & cloud-native
If you're running Kubernetes, cert-manager handles certificate lifecycle natively. It integrates with ACME issuers, supports DNS-01 challenges for wildcard certificates, and auto-renews before expiry. For cloud environments (AWS, GCP, Azure), managed certificate services handle renewal transparently.
Monitoring as a safety net
Even with automation, things break — DNS changes, credential rotation, firewall rules. Set up independent monitoring that alerts you if a certificate is within 14 days of expiry. Our SSL Reminder tool does exactly this, for free.
The organizations that already use Let's Encrypt with ACME won't feel much impact — they've been operating with 90-day lifetimes for years. For everyone else, now is the time to set up automation. Our SSL Tools Guide walks through the free tools available to help.
What You Should Do Now
Set up expiration monitoring
Track all your certificates and get alerts before they expire. Our free SSL Reminder tool sends you email notifications at 30, 14, and 7 days before expiry.
Set up SSL Reminders →Enable ACME automation
If your CA and hosting provider support it, set up ACME to handle renewals and reissues automatically. Certbot is the most popular client, and it works with Apache, Nginx, and standalone setups.
Read the Certbot guide →Plan your reissue workflow
For multi-year products, mark reissue dates in your calendar. Most CAs allow reissuing 30 days before expiry at no extra cost. Document the process so anyone on your team can handle it.
Audit your certificate inventory
Know exactly how many certificates you manage and when each one expires. Use our SSL Checker to verify current validity and expiration dates across all your domains.
Check your SSL →Frequently Asked Questions
Sources & References
Official documentation and industry standards cited in this article
- Ballot SC-081v3 — Introduce Schedule of Reducing Validity and Data Reuse PeriodsCA/Browser Forum·Official·Accessed March 2026
- Commercial SSL Certificate — CertumCertum (Asseco)·Documentation·Accessed March 2026
- ACME Protocol (RFC 8555)IETF·RFC·Accessed March 2026
- Apple's Moving Certificate Lifetimes ProposalApple·Documentation·Accessed April 2026
My-SSL Security Team
The My-SSL Security Team brings over 15 years of combined experience in SSL/TLS certificate management, web security, and PKI infrastructure. Our team regularly contributes to industry standards and provides guidance to thousands of businesses securing their online presence.
Editorial Standards: All content is reviewed by our security experts for technical accuracy. We follow industry best practices and reference official CA/Browser Forum guidelines.Learn more about SSL security.