TLS Certificate Lifetimes Are Shrinking – Big Changes Start 2026
A critical industry-wide change has come into effect that will significantly impact how public TLS certificates are managed. The CA/Browser Forum has officially passed Apple’s proposal (Ballot SC-081v3) to reduce TLS certificate validity periods from 398 days to just 47 days by March 2029, with changes starting as early as March 15, 2026.
What’s Changing?
TLS Certificate Validity Timeline:
- March 15, 2026: Max TLS certificate lifetime MUST not exceed 200 days
- March 15, 2027: MUST not exceed 100 days
- March 15, 2029: MUST not exceed 47 days
Domain Validation (DCV) Reuse Timeline:
- March 15, 2026: DCV reuse MUST not exceed 200 days
- March 15, 2027: MUST not exceed 100 days
- March 15, 2029: MUST not exceed 10 days
Why This Matters
These changes will increase certificate renewal frequency by up to 8x, leading to:
- Increased operational overhead and risk of outages
- Greater complexity in managing validation workflows
- The need for automation and improved visibility across certificate infrastructure
What Customers Need To Do?
To stay ahead of these changes, organizations must:
- Implement automated issuance, renewal, and deployment
- Gain centralized visibility and governance over all certificates
- Prepare for frequent domain validations and shortened certificate reuse windows
- Consolidate to a single CA for stronger control and policy enforcement
Next Step for Customers
We strongly recommend inviting your impacted customers to the upcoming DigiCert webinar:
- TLS Certificate Changes Webinar
- Date: May 6th
- Time: 12 – 1 pm NZST
For more information, please contact us at sales@bluechipit.co.nz or call us at 0800 733 233 or 09 306 0450 for further details.