Key Manager Plus

Important timelines to remember

The Public SSL/TLS certificate validity periods are being reduced in a phased manner, as listed below. Most importantly, this affects the domain control validation (DCV) reuse period as well.

Read about the mandate
Maximum certificate lifespanDCV reuse periodChange in effect from

398 days

398 days

Before Mar. 15, 2026

200 days

200 days

Current (From Mar. 15, 2026)

100 days

100 days

Mar. 15, 2027

47 days

10 days

Mar. 15, 2029

What does this mean for you?

Even if you manually manage 100 certificates today, you're looking at approximately 1,200 renewals per year by 2029. That's roughly five certificate renewals every business day. Manual processes that work fine for yearly renewals become unsustainable when you're renewing the same certificates every six weeks.

SSL/TLS Guide

How can this guide help?

This guide will be a great evaluation kit for all organizations, regardless of their current certificate life cycle automation maturity. By the time you finish this guide, you'll have:

  • A solid framework to build complete visibility across your entire certificate portfolio (public, private, cloud, on-premises, containerized) and turn raw discovery data into a clean, actionable inventory
  • A clear understanding of which certificates need attention first and which ones can wait
  • A phased implementation plan that gets automation running in the next 90 days
  • Contingency strategies for mission-critical certificates that buy you time if needed
  • The foundation for crypto-agility that extends beyond this mandate

Create your realistic action plan

The guide includes a practical, phased approach broken down into manageable sprints:

Discovery and inventory building (Day 1-30)

Learn how to find every certificate in your environment, including the ones you forgot about. This section covers network scanning, cloud integration, CA imports, and how to turn raw discovery data into a clean, actionable inventory.

Prioritize and automate (Day 31-75)

Learn how to build your priority matrix to identify quick wins and high-priority work items. Learn how to work on automation workflows, alert configuration for shorter life cycles, and playbook creation for systems that can't be automated yet.

Final preparations and validation (Day 76-90)

Deadline validation checklist, emergency procedures, stakeholder briefings, and the strategic decision guide on which certificates to renew early under current rules vs. which to let roll into the new validity periods.

Note: Each phase includes specific tools, checklists, and decision frameworks you can implement immediately.

GET YOUR FREE COPY

Frequently asked questions

Start now if you haven't already. The first phase is now in effect, the 100-day cap lands in March 2027, and infrastructure changes, automation testing, and team training all take time. Organizations that get moving now clear the upcoming deadlines with confidence rather than scrambling at the last minute.

No. Certificates issued before March 15, 2026 remain valid until their original expiration date. A certificate issued in early 2026 under the old 398-day rules, for example, stays valid well into 2027. Only certificates issued on or after March 15, 2026 carry the 200-day maximum validity.

Yes, this mandate specifically targets public SSL/TLS server certificates. Internal certificates issued by private CAs are not affected. The guide includes guidance on evaluating whether some of your current public certificates could be moved to private CAs, removing them from scope entirely.

The guide includes contingency strategies for exactly this scenario. You'll learn which certificates to prioritize, how to use preemptive renewals to buy yourself additional time, and how to create manual renewal playbooks for systems that can't be automated yet.