Since March 15, 2026, no certificate authority in the world can issue a public SSL/TLS certificate valid for more than 200 days. That is down from 398 days, roughly 13 months. And this is just the first step: by March 2029, the maximum drops to 47 days.
If you're on managed hosting or use Let's Encrypt, this probably changes nothing for you. If you still manage certificates manually, this is your wake-up call.
TL;DR:
- The CA/Browser Forum passed ballot SC-081v3 in April 2025, unanimously among voters
- Maximum SSL certificate validity: 200 days now, 100 days from March 2027, 47 days from March 2029
- Domain validation evidence expires on the same schedule, and by 2029 every renewal requires fresh proof of domain ownership
- Managed hosting and ACME-based automation (like Let's Encrypt) handle this transparently
- Manual certificate management becomes untenable within two years
What the CA/Browser Forum decided
The CA/Browser Forum is the industry body where certificate authorities (the organizations that issue SSL certificates) and browser vendors (Apple, Google, Microsoft, Mozilla) set the rules for how web encryption works. In April 2025, they voted on ballot SC-081v3, proposed by Apple and endorsed by Google Chrome, Mozilla, and Sectigo.
The result: 25 certificate authorities voted yes, zero voted no, five abstained. All four browser vendors voted yes.
The ballot introduces a phased reduction:
| Date | Maximum certificate validity |
|---|---|
| Before March 15, 2026 | 398 days |
| March 15, 2026 (now) | 200 days |
| March 15, 2027 | 100 days |
| March 15, 2029 | 47 days |
There's a second change that gets less attention: domain control validation (DCV) reuse drops on the same schedule. When a certificate authority verifies that you own a domain, they can currently reuse that evidence for up to 200 days. By 2029, that window shrinks to just 10 days. That means every certificate renewal will require fresh proof that you still control the domain.
Why shorter certificates?
This didn't happen overnight. Browser vendors have been pushing for shorter certificate lifespans for over a decade. Google proposed cutting validity to 398 days back in 2017, but certificate authorities voted it down. In 2020, Apple forced the issue by announcing Safari would stop trusting certificates longer than 398 days, regardless of what the Forum decided. Google and Mozilla followed within weeks.
The security arguments are straightforward.
Certificate revocation doesn't work in practice. The mechanisms for revoking a compromised certificate (OCSP and CRL) are unreliable. Browsers often ignore failures rather than blocking access, because doing otherwise would break too many websites. Let's Encrypt stopped supporting OCSP entirely in 2025, arguing that short-lived certificates make revocation largely irrelevant. If a certificate expires in weeks rather than months, the window for exploiting a stolen private key shrinks dramatically.
Certificate information goes stale. A certificate represents a verification performed at a specific moment. Organizations change ownership, domains change hands, but the certificate data persists. Google's research found that 7% of all certificates were issued for domains no longer controlled by the certificate holder.
Automation is the actual goal. Shorter lifespans force the ecosystem toward automated renewal. Manual processes are the leading cause of certificate outages. In 2023 alone, expired certificates took down Starlink's ground stations for hours, hit 20,000 Cisco SD-WAN customers, and disrupted parts of Microsoft's cloud services. When renewal is automated, certificates don't expire by accident.
What this means for your website
The impact depends entirely on how your SSL certificate is managed today.
If you're on managed hosting: you almost certainly don't need to do anything. Managed hosting providers handle SSL certificate provisioning and renewal automatically; it's part of the service. Whether they use Let's Encrypt, ZeroSSL, or another ACME-compatible CA, the renewal cycle is typically measured in days, not months. This is one of those invisible things that managed hosting handles for you.
If you use Let's Encrypt with automated renewal: you're already ahead of the game. Let's Encrypt has issued 90-day certificates since its launch in 2015. Their stated reasoning was exactly the same: limit compromise exposure and encourage automation. They're going further, moving to 45-day certificates by early 2028, and already offering opt-in 6-day certificates for fully automated environments.
If you buy certificates manually and install them by hand: this is where it gets uncomfortable. At 200 days, you're renewing roughly every six months. Manageable, but tedious. At 100 days (March 2027), it's every three months. At 47 days (March 2029), you're looking at renewal every six to seven weeks, each time with fresh domain validation. As DigiCert puts it: "Automation is essentially mandatory for effective certificate lifecycle management." This is also another point where the gap between budget hosting and managed hosting becomes visible: with budget hosts, you're often left figuring this out yourself.
What to check right now
- Find out how your SSL certificate is managed. Log into your hosting panel or ask your hosting provider. If they handle it automatically, you're done.
- Check if your host supports ACME/Let's Encrypt. Most modern hosting platforms include automatic SSL. If yours doesn't, that's a red flag. The article on what makes hosting fast and reliable covers why the TLS layer matters for performance too.
- If you manage certificates manually: set up Certbot or another ACME client now, while the deadlines are still comfortable. Don't wait until 100-day certificates force your hand in March 2027.
- If you use OV or EV certificates: organization identity revalidation timelines are also shrinking, from 825 days to 398 days as of March 2026. Budget time for that process.
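To see where an existing certificate stands against the schedule in the table above, the following added example (not part of the original article) checks certificate dates against the cap in force at issuance and the cap that will apply at renewal. It assumes the `notBefore`/`notAfter` string format returned by Python's `ssl.SSLSocket.getpeercert()`; the hosts and dates in `INVENTORY` are constructed.

```python
import math
import ssl
from datetime import datetime, timezone

UTC = timezone.utc
# (first issuance date the cap applies to, max validity in days), newest first.
SCHEDULE = [(datetime(2029, 3, 15, tzinfo=UTC), 47),
            (datetime(2027, 3, 15, tzinfo=UTC), 100),
            (datetime(2026, 3, 15, tzinfo=UTC), 200)]
LEGACY_CAP = 398  # certificates issued before March 15, 2026


def parse_cert_time(value):
    # Format used by getpeercert(), e.g. 'Jun 18 00:00:00 2026 GMT'.
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=UTC)


def cap_for(issued):
    # Maximum validity in days for a certificate issued at `issued`.
    return next((cap for start, cap in SCHEDULE if issued >= start), LEGACY_CAP)


def audit(cert, now):
    not_before = parse_cert_time(cert["notBefore"])
    not_after = parse_cert_time(cert["notAfter"])
    # Simplification: lifetime rounded up to whole days.
    lifetime = math.ceil((not_after - not_before).total_seconds() / 86400)
    next_cap = cap_for(not_after)  # cap in force if reissued on the expiry date
    return {
        "lifetime_days": lifetime,
        "over_cap": lifetime > cap_for(not_before),
        "days_left": (not_after - now).days,
        "next_cap": next_cap,
        "must_shorten": lifetime > next_cap,  # renewal cannot keep this lifetime
    }


# Constructed sample inventory: hypothetical hosts, made-up dates.
INVENTORY = {
    "legacy.example": {"notBefore": "Jan 10 00:00:00 2026 GMT",
                       "notAfter": "Feb 11 00:00:00 2027 GMT"},
    "acme.example": {"notBefore": "Mar 20 00:00:00 2026 GMT",
                     "notAfter": "Jun 18 00:00:00 2026 GMT"},
    "odd.example": {"notBefore": "Apr  1 00:00:00 2026 GMT",
                    "notAfter": "Jan  1 00:00:00 2027 GMT"},
}

if __name__ == "__main__":
    for host, cert in INVENTORY.items():
        print(host, audit(cert, datetime(2026, 6, 1, tzinfo=UTC)))
```

A `must_shorten` result on a certificate that is renewed by hand marks the renewal where the old lifetime is no longer available and the manual cycle gets shorter.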
Looking ahead
The direction is clear. Manual certificate management is being phased out, not by decree, but by making it so impractical that automation becomes the only viable path. For most website owners on modern hosting, this is a non-event. Your host already handles it.
But if you're still managing certificates by hand, the 200-day limit is a friendly nudge. The 47-day limit in 2029 will be a shove. Better to automate now, while there's time to do it calmly.