Internet security standards are evolving, and in the coming years the validity period of SSL/TLS certificates will be reduced. The goal of this change is to improve web security and reduce the risk that expired or compromised certificates can be used for too long.
Starting from March 2026, certificate authorities (CAs) will begin issuing SSL/TLS certificates with shorter validity periods. The change will be implemented gradually until 2029.
Why is the lifespan of SSL certificates decreasing?
The change results from a joint decision by web browser developers and certificate authorities, coordinated by the CA/Browser Forum.
The goal is to:
-
make web security more dynamic
-
reduce the risk of using compromised certificates
-
verify certificates and domain data more frequently
One early example of this approach is Let’s Encrypt, which has been using 90-day TLS certificates for years.
Changes to certificate validity periods
The maximum validity period of certificates will decrease according to the following schedule:
-
398 days (before March 2026) – about 1 renewal per year
-
200 days (from March 2026) – about 2 renewals per year
-
100 days (from March 15, 2027) – about 4 renewals per year
-
47 days (from March 15, 2029) – about 8 renewals per year
This means certificate renewal will become more frequent.
What does this mean for customers?
In practice, this means two main changes:
1. Certificates must be renewed more often
SSL/TLS certificates will need to be renewed more frequently to keep websites secure and trusted by browsers.
2. Automatic renewal becomes important
As certificate lifetimes shorten, it is most convenient to use solutions that renew certificates automatically.
In most cases, customers do not need to do anything themselves. For example, Let’s Encrypt certificates offered by Zone to its customers are already renewed automatically.
If you purchase an SSL certificate from Zone, we will send a notification before the 200-day certificate expires, including information and instructions for renewal.
Coming soon: automatic certificate renewal
We are also working on a solution that enables automatic renewal of paid SSL/TLS certificates using the ACME standard.
This means that in the future you will be able to:
-
use paid SSL certificates on Zone servers without manual renewal
-
configure an ACME URL on your server to renew certificates automatically
We will share more detailed information about Zone’s automatic certificate service soon.
Domain validation will be checked more frequently
In addition to certificate validity, the period during which the same domain validation (DCV) can be reused will also be shortened.
New periods are:
-
200 days – from 2026
-
100 days – from 2027
-
10 days – from 2029
This means that when renewing a certificate, the certificate authority will more frequently verify that the domain is still under your control.
Domain validation can be performed, for example, via:
-
DNS record verification
-
HTTP challenge method
-
ACME automated process
The change also affects OV and EV certificates — for these, organization validation will need to be performed every 398 days going forward.