Changes to Maximum Certificate Validity
Certificates issued before 15 March 2026 are not affected by this change. However if you reissue or purchase a new certificate after this date then it will have a shorter validity as per below
The CAB Forum has voted to update the maximum certificate lifetimes supported by browsers. This will impact all certificates that require to be trusted in browsers issued by any CA. The main push for these changes has come from Apple.
The advantage of shorter lifespans for certificates is the security improvements. It is likely to lead to the eventual removal of OCSP and much smaller CRLs both checks which can slow down browsers.
The proposed changes to publicly trusted certificate lifetimes are as follows
| Issued After | Maximum validity |
|---|---|
| 15 March 2026 | 200 days |
| 15 March 2027 | 100 days |
| 15 March 2029 | 47 days |
Ultimately this will lead to a major push to automate certificate issues. We already offer an API to allow for customers to automate the ordering and delivery of their HTTPS/TLS certificate. Some customers have integrated with the console to complete the automation process and can continue to use our existing API to request, download and install certificates.
We are developing in partnership with our providers a process using the ACME protocol and we will be making this available to customers and resellers. The ACME protocol will allow for the complete automation of certificate issuance. This will be provided via a CaaS (Certificate as a Service) subscription.
Some providers like digicert are also implementing their own automation system. We are in the process of reviewing the opportunity to provide this product to customers and resellers.
Any certificates you purchase now will still remain valid and can be reissued until the end of the order expiry date. We will offer long term certificates the opportunity to transition to the CaaS model.
DigiCert have announced that they will issue certificates from 15 February 2026 with a maximum lifetime of 199 days. As has always been the case you will be able to reissue your certificates at no extra charge an unlimited number of times up to the order expiry date. Each certificate issued will have a validity of 199 days or the order expiry date depending on how many days remain on the certificate.
Frequently Asked Questions
What if I buy a multi-year certificate?
If you buy a certificate with an order validity of 3 years you will be able to reissue the certificate multiple times at no additional cost throughout the order validity period. The certificate will be issued with a maximum lifetime of either 199 days from the date of issuance or with an expiry date matching the order expiry if there is less than 199 days remaining.
Will there be any price changes?
We have no plans to update the existing product prices beyond potential inflation rises later int eh year dependign on what our suppliers do. There iwll be no price changes for longer or shorter certificates. Customers can still purchase a one year certificate and reissue it at no additional costs.
What if I am unable to automate the installation of my certificates?
We understand some customers have legacy systems which can not be automated. The installation process will either need to be completed manually more often or if the certificate does not need to be publicly trusted we can provide alternative solutions such as Certificate Lifecycle Management products that allow the tracking and issuance of private certificates. Contact the sales team regarding these options.
I have certificates I install on thousands of IoT devices. How can I manage renewing these every 47 days?
This depends on if the devices require public trust. If they are part of your internal infrastructure then there are alternative solutions where longer validity certificates can be issued or full automation can be provided. Contact the sales team regarding these options.
Updated 10 days ago