Over the last few years, there has been a lot of discussion about certificate expiry, about certificate validity periods potentially being shortened to 90 or 45 days, and about the dire consequences to organizational security and reputation when an SSL/TLS certificate expires. Recently, the CA/Browser Forum unanimously voted to gradually bring the certificate lifespan down from 398 days to 47 days by 2029, with significant changes beginning in March 2026. Before going into the nitty-gritty, let's start from the basics.
SSL/TLS certificates (sometimes known as digital certificates) are a vital cog in an organization's IT security. They help encrypt and authenticate digital communications and ensure digital interactions are secure. Every SSL/TLS certificate comes with a validity period. When a certificate passes the end of its validity period without being renewed, the result is certificate expiry.
Certificates—issued by a trusted third-party entity, a public certificate authority (CA), or a private CA—each come with a predetermined certificate lifetime. This time restriction (or lifetime) is put in place for security reasons. The longer a certificate remains valid, the greater the risk that its encryption could be cracked, either through advances in computing or the discovery and exploitation of new vulnerabilities.
Usually, certificate lifetime or validity varies based on the type and category of the certificate. Since 2020, the maximum lifetime for certificates issued by public CAs has been 398 days. However, as per new mandates, this maximum is set to reduce gradually, requiring organizations to stay on their toes and renew certificates at a much higher frequency. Beginning in March 2026, certificate lifetimes will be reduced to 200 days and will eventually settle at a 47-day maximum by 2029.
Different types of certificates have different validity periods depending on their use cases and risk level. Below are the current validity periods of some frequently utilized certificate types.
Public CA-issued SSL/TLS certificates: 398 days (due to change to 200 days in March 2026, eventually settling at 47 days by 2029)
Private CA/self-signed certificates: set by the organization (it can even be 10 years or more for root certificates)
Code-signing certificates: 460 days, starting June 15, 2025 (down from 39 months)
S/MIME certificates: one to three years, depending on the issuing CA, with some CAs capping validity at 398 days
Root CA certificates: 10-30 years
Digital certificates, as mentioned in the above section, are responsible for establishing secure digital communications. They also help authenticate the certificate holder and verify that they are who they claim to be, ensuring trust in digital interactions.
When a certificate expires, it no longer performs its intended function: the TLS handshake between the two parties trying to establish a connection fails because the expired certificate does not pass the validity check. Hence, a digital communication relying on that certificate cannot be encrypted, causing service outages and opening the door to theft of sensitive data (such as credentials or credit card information), security vulnerabilities, and manipulator-in-the-middle (MitM, commonly known as man-in-the-middle) attacks.
Web certificates, if expired, will cause browsers to display the "Your connection is not private" message to visitors to the website, not only failing to establish secure communications but also resulting in reputational damage to the brand, loss of customer trust, and more.
There are different ways to check the expiry date or validity of digital certificates depending on the type of certificate. Let's look at some of the most commonly used methods to check for a certificate's validity period or certificate lifetime.
For web certificates, the easiest way to check for the expiry date is through your browser.
The best way to check for the validity of local certificates or certificates used in an organization's intranet is through command line tools. Below are the commands to be used in the respective command line tools.
openssl x509 -enddate -noout -in certificate.crt
Note: You can also use OpenSSL to check the validity of a web certificate using the command:
openssl s_client -connect example.com:443 -servername example.com < /dev/null 2>/dev/null | openssl x509 -noout -dates
Get-ChildItem -Path Cert:\LocalMachine\My | Format-List FriendlyName,Subject,NotAfter
echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -dates
Maintaining certificate validity is a crucial undertaking for any organization. The first step towards achieving this is to ensure that certificates are renewed on time and remain valid and functional throughout their entire lifecycle. To do this, follow these steps.
Organizations usually manage thousands of digital certificates across their enterprise. As a result, it becomes extremely difficult to stay on top of the expiry dates of every single certificate.
Therefore, it is important to set up periodic alerts to occur when a certificate is about to expire. This could be something along the lines of a notification each month, starting three months prior to a certificate's validity coming to an end. Alerts such as these ensure administrators are aware of upcoming expiries and can renew the certificate on time.
Once the administrator is notified about an upcoming certificate expiry, they need to renew the certificate on time—that is, before the certificate expires—to ensure undisrupted service and secure communications.
To renew a certificate, administrators first raise a certificate signing request (CSR) with their chosen CA. This could be either a trusted public CA or a private CA for internal certificates. Once the CSR is validated and the renewed certificate is issued, the administrator can install the renewed certificate in the required location.
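The expiry check, the alert tiers and the renewal steps above can be tied together in a few lines of shell. The following is an added example, not part of the original article or of any product it describes: it uses openssl's -checkend option to sort a certificate into alert tiers (expired, 30, 60 or 90 days), then walks the renewal steps (new key and CSR, obtain the certificate, verify that the returned certificate actually belongs to the new key before installing it). Because it has to run offline, the "CA" step is a self-signed stand-in; the file names, the hostname example.com and the tier thresholds are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): expiry alert tiers with
# `openssl x509 -checkend`, followed by the renewal steps and a key-match
# check. Paths, hostname and thresholds are assumptions.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CN="${CN:-example.com}"          # assumed hostname used in the CSR subject

# Print an alert tier for the certificate file in $1.
# `-checkend N` exits 0 if the certificate is still valid N seconds from now
# and 1 otherwise, so testing from the smallest window up yields the tier.
expiry_tier() {
  cert="$1"
  if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
    echo "EXPIRED"
  elif ! openssl x509 -in "$cert" -noout -checkend $((30 * 86400)) >/dev/null; then
    echo "CRITICAL: expires within 30 days"
  elif ! openssl x509 -in "$cert" -noout -checkend $((60 * 86400)) >/dev/null; then
    echo "WARNING: expires within 60 days"
  elif ! openssl x509 -in "$cert" -noout -checkend $((90 * 86400)) >/dev/null; then
    echo "NOTICE: expires within 90 days, start renewal"
  else
    echo "OK: more than 90 days remaining"
  fi
}

# Renewal step 1: fresh private key and CSR to submit to the CA.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORKDIR/renewed.key" -out "$WORKDIR/renewed.csr" \
    -subj "/CN=$CN" 2>/dev/null
  # Sanity check: the CSR parses and its self-signature verifies.
  openssl req -in "$WORKDIR/renewed.csr" -noout -verify >/dev/null 2>&1
}

# Renewal step 2, stand-in for the CA: self-sign the CSR for $2 days into $1
# so the example runs offline. In a real renewal this file is what the CA
# returns after validating the CSR.
issue_stand_in_cert() {
  openssl x509 -req -in "$WORKDIR/renewed.csr" -signkey "$WORKDIR/renewed.key" \
    -days "$2" -out "$1" 2>/dev/null
}

# Renewal step 3: before installing, confirm the returned certificate's public
# key is the one belonging to our private key. A mismatch breaks the TLS
# handshake just as surely as an expired certificate does.
verify_key_match() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$WORKDIR/renewed.key" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# Walk-through on two constructed certificates: a 47-day one (the 2029
# maximum) is already in the 60-day warning tier on the day it is issued,
# while a 200-day one (the March 2026 maximum) is still outside every window.
demo() {
  make_csr
  issue_stand_in_cert "$WORKDIR/short.crt" 47
  issue_stand_in_cert "$WORKDIR/long.crt" 200
  verify_key_match "$WORKDIR/short.crt"
  echo "short.crt: $(expiry_tier "$WORKDIR/short.crt")"
  echo "long.crt:  $(expiry_tier "$WORKDIR/long.crt")"
  openssl x509 -in "$WORKDIR/short.crt" -noout -enddate
}
```

Run `demo` to see both tiers; point `expiry_tier` at any PEM certificate on disk to use it in a cron job or monitoring check. Using -checkend keeps the script portable, since it avoids parsing the notAfter date with a platform-specific `date` command.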
Although timely renewals can be checked and carried out manually, it becomes difficult to stay on top of renewals for a large volume of certificates. To make this easier, organizations can provide administrators with the ability to view and manage all digital certificates in one place and get timely alerts by adopting a certificate management tool. The right certificate management tool can help manage both public and internal certificates.
With public CA certificate validity due to change starting March 2026, the frequency with which organizations have to renew certificates and stay on top of certificate expiry will increase significantly in the coming years, making it a continuous operation. Enterprises typically maintain thousands of certificates across complex infrastructures, making manual tracking and renewal processes not just inefficient but practically impossible. Implementing automated certificate lifecycle management solutions has therefore become a critical business imperative.
ManageEngine Key Manager Plus is a comprehensive certificate management solution that helps organizations stay on top of certificates throughout their lifetimes. From discovery and creation to deployment, renewals, real-time expiry alerts, and vulnerability scans, Key Manager Plus does it all. Key Manager Plus’ comprehensive controls facilitate custom certificate management workflows that automate the entire process.
Further, with Key Manager Plus, organizations can manage all of their certificates, both public (irrespective of issuing CA) and private CA certificates from a central console, making it easy and efficient for administrators to stay on top of all certificate management needs.
The validity period of a certificate is the window, from its start date to its end date, during which the certificate is valid.
Yes, certificates need to be renewed before their expiration date.
Certificate validity periods depend on the type of certificate. However, the latest mandates move the maximum from a 398-day validity period in 2025 to 200 days starting March 2026, to 100 days in March 2027, and to 47 days starting March 2029.
You can set up automation workflows for certificate renewals using a comprehensive certificate lifecycle management solution.
When a certificate expires, the organization needs to renew the expired certificate or replace it with a new one. To do this, the organization raises a CSR, obtains a new certificate from the CA, and deploys/installs it where necessary.