TLS is going through some of the biggest changes ever, and as your trusted PKI partner, we are here to help you through each and every change.
The CA/Browser Forum has now finalized a new Ballot SC-081 severely shortening valid lifetimes for TLS certificates and reducing the time that certificate authorities can reuse domain and organizational validation data. What several IT managers see starting March 2026 will define how companies view and administer their digital certificates.
So What Might Change-And When?
A brief overview of the amended certificate lifetime schedule:
✅ TLS certificate validity period is being cut:
- March 15, 2026: 398 days (current standard)
- From March 15, 2026: 200 days
- From March 15, 2027: 100 days
- From March 15, 2029: 47 days
✅ Domain/IP validation reuse period shrinking:
- March 15, 2026: 398 days
- From March 15, 2026: 200 days
- From March 15, 2027: 100 days
- From March 15, 2029: 10 days
✅ Subject Identity Information (SII) reuse going down:
- Currently: 825 days
- Starting March 15, 2026: 398 days
The timelines apply to all major Certificate Authorities: DigiCert, RapidSSL, GeoTrust, Thawte, Sectigo.
💡 Note: These changes do not impact DV (Domain Validated) certificates in terms of identity reuse, as they lack organization-specific information found in OV and EV certificates.
Why the 47 Days?
Forty-seven days seems like a nice number, at least in a nonarbitrary fashion. That number gives one full calendar month, plus half of a standard 30-day month, and one extra day for safekeeping.
But the need arises for security reasons and for modern web demands:
- RE-VALIDATING the certificates often helps assure the trustworthiness of the certificate information.
- Shorter lives for altered or compromised certificates mean less chance of misuse or undetected compromise.
- Legacy revocation systems (CRLs and OCSP) are often ignored by browsers or are unreliable. The short lifetime acts as a fallback.
The changes are in line with a broader shift in tech, heavily backed by the likes of Apple and Google pushing for fast-tracked automation and tighter certificate controls.
What Does It Mean for Your Business?
Still managing your TLS manually? Time to embrace automation tools and simplify the process. These upcoming changes will make manual renewals extremely difficult—if not impossible. Imagine having to remind yourself to renew your certificate every 47 days… manually. That’s nearly eight renewals a year, per domain!
Here is the upswing: with automation, it is not just manageable -- it is easy.
As a Platinum Partner of DigiCert, we’ll set you up with DigiCert’s automation-first offerings, such as:
- DigiCert CertCentral — A powerful platform to manage certificates at scale
- Trust Lifecycle Manager — Enterprise grade automating for the issuing, tracking, and renewal of certificates
- ACME Support — Enables automated issuance and renewal for DV, OV, and EV certificates (yes, even for complex enterprise configurations!)
Running a global online store or managing multiple in-house servers? Automation reduces downtime, prevents human error, and saves time.
Will This Affect Certificates Costs?
This happens to be one of the questions that top the list for customers, and the answer provides a relief: No, your cost remains the same.
Certificates are priced annually or by multi-year subscription. Pricing is based on renewal, not per issuance. No extra charges apply for frequent renewals. Security posture improves.
Final Thoughts: Prepare Now, Avoid Future Disruption
We recommend taking action before 2026 to stay ahead. Start with a demo of the certificate lifecycle automation tool with us.
We help customers build scalable, compliant, and secure certificate automation systems — and we can help you, too.
Need Help Shifting?
Let's talk. Unsure where to begin or need guidance on full automation setup? Our team is ready to assist.
Note: From changing mandates to platform launches, we'll notify you in real-time — future-proofing your SSL/TLS plan
