The CA/Browser Forum has officially approved a sweeping update to the SSL (Secure Sockets Layer)/TLS (Transport Layer Security) Baseline Requirements. The update sets a multi-year schedule to significantly shorten certificate lifetimes and the reusability window for validation data. The first round of changes will take effect in March 2026, with more impactful reductions continuing through 2029.

The move to reduce SSL/TLS certificate validity — ultimately to just 47 days — comes after years of industry discussion and collaboration. While the numbers may seem oddly precise, they were carefully designed to encourage better data hygiene and more frequent validation of certificates. 

Timeline of Expected SSL/TLS Certificate Lifetime Changes 

Here’s a quick breakdown of what to expect: 

SSL/TLS Certificate Lifetimes 

  • Now–March 15, 2026: max validity is 398 days 
  • From March 15, 2026: max validity becomes 200 days 
  • From March 15, 2027: drops further to 100 days 
  • By March 15, 2029: max validity will be just 47 days 

Domain Control Validation (DCV) Data Reuse 

  • Now–March 15, 2026: reuse allowed up to 398 days 
  • From March 15, 2026: reduced to 200 days 
  • From March 15, 2027: down to 100 days 
  • From March 15, 2029: sharply reduced to 10 days 

Additionally, Subject Identity Information (SII) — used in Organization Validated (OV) and Extended Validation (EV) certificates — will be reusable for only 398 days starting in 2026 (down from 825). This change doesn’t affect Domain Validated (DV) certificates, which don’t include this level of organizational identity. 

Domain Control Validation (DCV) is the process of verifying that the individual or organization requesting an SSL/TLS certificate actually owns the domain they are requesting protection for. “Reuse” in this context refers to how long a DCV method can be used to renew or reissue a certificate for the same domain without needing to revalidate. Currently, the CA/B Forum allows DCV methods to be reused for up to 398 days. This period is being reduced, with some organizations phasing out certain DCV methods like WHOIS-based email entirely. 
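As an added example (not code from Markmonitor or the CA/Browser Forum), the Python below encodes the two schedules listed above and uses them to audit an issuance and to project a renewal chain, showing when stored DCV evidence can no longer be reused. It assumes every renewal is issued at the maximum validity, counts whole calendar days, and uses a hypothetical `lead_days` renewal lead time.

```python
from datetime import date, timedelta

# Limits as listed on this page: (effective from, max validity days, max DCV reuse days).
SCHEDULE = [(date(2029, 3, 15), 47, 10), (date(2027, 3, 15), 100, 100),
            (date(2026, 3, 15), 200, 200), (date.min, 398, 398)]

def limits_on(issued):
    """Return (max_validity_days, max_dcv_reuse_days) in force on the issuance date."""
    for effective, validity, dcv in SCHEDULE:
        if issued >= effective:
            return validity, dcv

def check_issuance(issued, not_after, dcv_validated):
    """List problems with issuing on `issued` using DCV evidence from `dcv_validated`."""
    max_validity, max_dcv = limits_on(issued)
    findings = []
    validity = (not_after - issued).days  # simplification: whole calendar days
    if validity > max_validity:
        findings.append(f"validity {validity}d exceeds the {max_validity}d maximum")
    dcv_age = (issued - dcv_validated).days
    if dcv_age > max_dcv:
        findings.append(f"DCV is {dcv_age}d old, reuse limit is {max_dcv}d: revalidate")
    return findings

def plan_renewal(not_after, dcv_validated, lead_days=14):
    """Plan the replacement for a certificate expiring on `not_after`."""
    renew_on = not_after - timedelta(days=lead_days)
    max_validity, max_dcv = limits_on(renew_on)
    return {"renew_on": renew_on,
            "new_not_after": renew_on + timedelta(days=max_validity),
            "revalidate_dcv": (renew_on - dcv_validated).days > max_dcv}

def simulate(not_after, dcv_validated, until, lead_days=14):
    """Chain renewals up to `until`, refreshing DCV whenever its reuse window has lapsed."""
    if lead_days >= 47:
        raise ValueError("lead_days must be shorter than the 47-day final lifetime")
    plans = []
    while not_after - timedelta(days=lead_days) <= until:
        plan = plan_renewal(not_after, dcv_validated, lead_days)
        if plan["revalidate_dcv"]:
            dcv_validated = plan["renew_on"]
        plans.append(plan)
        not_after = plan["new_not_after"]
    return plans

if __name__ == "__main__":
    # Constructed inventory entry: issued and validated 2025-06-01 for 398 days.
    for p in simulate(date(2026, 7, 4), date(2025, 6, 1), until=date(2029, 12, 31)):
        print(p["renew_on"], "->", p["new_not_after"], "revalidate DCV:", p["revalidate_dcv"])
```

With a 14-day lead, consecutive renewals of 47-day certificates fall 33 days apart, so under the 10-day reuse limit every renewal in that phase needs fresh DCV.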

Why Changing SSL/TLS Certificate Lifetimes Matters to Enterprise Brands

Shorter certificate lifetimes are meant to enhance security by ensuring that the information within each certificate remains current and trustworthy. The CA/Browser Forum also highlighted longstanding issues with certificate revocation systems like Certificate Revocation Lists (CRLs) and Online Certificate Status Protocol (OCSP) — tools that are often ignored by browsers and don’t consistently protect users from revoked certificates. 

By limiting the lifespan of certificates and the reuse period of validation data, these changes help decrease the risk of relying on outdated or potentially compromised information. 

Prepare for SSL/TLS Certificate Lifetime Changes Ahead 

With changes coming as soon as 2026 and continuing through the end of the decade, organizations that manage large or complex certificate portfolios will need to revisit their validation schedules, renewal practices, and overall certificate strategy. Manual revalidation will still be possible, but the shrinking windows for reuse could make it more burdensome over time. 

There’s no change to how certificates are priced — cost remains based on an annual subscription, so replacing certificates more often won’t impact your bottom line. The key is being aware of what’s ahead and making timely adjustments. 

Markmonitor Is Here to Support You 

Whether you need help interpreting these changes, want advice on validation practices, or are looking to streamline certificate provisioning using our SSL Cert API, the Markmonitor team is here to guide you. Let us help you build a certificate strategy that supports your business, minimizes risk, and keeps your online presence secure.