In April 2025, the CA/Browser Forum decided on a measure that reduces the maximum certificate lifetime from 398 days to just 47 days by March 2029. For companies managing digital infrastructures, this represents a significant change in certificate management.

Certificate validity periods

  • Since March 2026: reduced to 200 days
  • March 2027: reduced to 100 days
  • March 2029: reduced to 47 days

In parallel with the certificate lifetime, the period during which domain validation (DCV) can be reused is also reduced:

  • Since March 2026: 200 days
  • March 2027: 100 days
  • March 2029: 10 days

The reduction in validity periods affects all types of SSL/TLS certificates, i.e., domain-validated (DV) certificates, organization-validated (OV) certificates, and Extended Validation (EV) certificates. S/MIME certificates and code-signing certificates are not affected.

Specific changes since March:

Certificates that were renewed before the first shortening date (which the various certificate authorities implement differently) remain valid for 1 year.

Certificates issued or renewed since the first shortening date still have a term of one year, but are initially issued for a period of 199 days. An automatic renewal will occur before the expiration date. Managed IP will provide you with the newly issued certificate for installation via the usual method. The new certificate is valid for the remaining 166 days of the original term (199 days + 166 days = 365 days).

Implications for companies

The shortened validity periods of certificates have various impacts on companies. Certificates must be renewed much more frequently, which, in manual processes, increases the risk of certificate failures due to missed renewal deadlines or installation problems. Additionally, IT teams face a significantly higher workload for certificate management.

Practical preparation for your company

The first reduction has already begun. Companies should see this as an opportunity to take the right measures now:

Conducting a certificate inventory

Before you can effectively manage your certificates, you need to know which ones you have. This means identifying every certificate across your entire infrastructure: production websites, staging environments, APIs, mail servers, internal tools, and all third-party services. A thorough audit should capture not only the certificates themselves, but also where they are installed, who is responsible for them, when they expire, and what level of validation they use.
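The following added example (not Managed IP's code) audits such an inventory against the lifetime schedule above: it flags expired certificates, certificates due for renewal, and certificates whose lifetime exceeds the limit in force when they were issued. The hosts, owners, the 15th as the cutoff day, and the renew-at-two-thirds policy are assumptions.

```python
from datetime import date, timedelta
from math import ceil

# Maximum lifetime (days) by issuance date, from the schedule on this page.
# The page names only the month; the 15th is an assumed cutoff day.
PHASES = [(date(2029, 3, 15), 47), (date(2027, 3, 15), 100),
          (date(2026, 3, 15), 200), (date.min, 398)]
RENEW_FRACTION = 2 / 3  # assumed policy: renew after two thirds of the lifetime

def max_lifetime(issued):
    """Longest lifetime permitted for a certificate issued on this date."""
    return next(days for start, days in PHASES if issued >= start)

def renewals_per_year(issued):
    """Renewals per endpoint per year at the limit in force on this date."""
    return ceil(365 / (max_lifetime(issued) * RENEW_FRACTION))

def audit(inventory, today):
    """Annotate each inventory record; earliest expiry first."""
    findings = []
    for cert in inventory:
        lifetime = (cert["not_after"] - cert["not_before"]).days
        renew_on = cert["not_before"] + timedelta(days=int(lifetime * RENEW_FRACTION))
        if cert["not_after"] < today:
            status = "EXPIRED"
        elif renew_on <= today:
            status = "RENEW_NOW"
        else:
            status = "OK"
        findings.append({**cert, "status": status, "renew_on": renew_on,
                         "over_limit": lifetime > max_lifetime(cert["not_before"])})
    return sorted(findings, key=lambda f: f["not_after"])

def _cert(host, owner, level, issued, days):
    return {"host": host, "owner": owner, "validation": level,
            "not_before": issued, "not_after": issued + timedelta(days=days)}

# Constructed sample inventory (hypothetical hosts and owners).
INVENTORY = [
    _cert("www.example.com", "web-team", "OV", date(2026, 3, 20), 199),
    _cert("mail.example.com", "it-ops", "DV", date(2026, 4, 1), 365),
    _cert("api.example.com", "platform", "OV", date(2025, 9, 1), 365),
    _cert("staging.example.com", "web-team", "DV", date(2025, 3, 1), 365),
]

if __name__ == "__main__":
    for f in audit(INVENTORY, today=date(2026, 6, 1)):
        flag = " lifetime exceeds limit at issuance" if f["over_limit"] else ""
        print(f'{f["not_after"]} {f["status"]:<9} {f["host"]} ({f["owner"]}){flag}')
```

In practice the records would come from your own inventory source (for example a CMDB export or endpoint scan) rather than the inline list.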

Prioritize automation

Automated certificate lifecycle management handles the entire process from issuance and renewal to installation, reducing the need for manual intervention in routine tasks. This eliminates the risk of someone forgetting a renewal deadline and simultaneously reduces the likelihood of configuration errors during installation. If you are not yet using automation, the phased timeline provides ample opportunity to implement it correctly. Certificates with a validity period of 200 days in 2026 are still manageable with good manual processes, while certificates with a validity period of only 47 days in 2029 will no longer be.

ACME offers a solution for automation. ACME (Automatic Certificate Management Environment) is a protocol for the automated management of SSL certificates, covering the complete certificate lifecycle from initial issuance to installation. Managed IP will offer an ACME implementation in its SSL portal. You can use this to set up ACME instances on your server endpoints, enabling you to automate the entire process from issuance to installation. We recommend discussing the possibilities of ACME implementation now with the internal and external SSL certificate owners you identified during your certificate inventory.