47 days
Max certificate validity by 2029
8x
Renewal frequency increase
10 days
Domain Control Validation (DCV) reuse period by 2029

The phased timeline

On Mar. 15, 2026, the CA/Browser Forum's reduced certificate validity mandate officially took effect. Public SSL/TLS certificates can no longer be issued with a lifespan of more than 200 days—and this is only the first phase. By March 2029, the maximum certificate lifespan will drop to just 47 days.

In effect
Phase 1 · 200 days

The first phase of the mandate is now live, maximum validity of public SSL/TLS certificates is now 200 days.

renewals/yr
1.8x
DCV reuse
200 days
Read the complete explainer

Manage your certificate life cycles with Key Manager Plus

The mandate effectively sets a minimum bar for certificate management. You need full visibility into every certificate in your environment, automatic renewal workflows that can handle a much higher frequency without manual effort, and deployment that gets the renewed certificate live at the target server along with the necessary post-deployment actions. Key Manager Plus covers all three of these facets.

Automatic discovery

Finds every certificate across your network, cloud environments, and CAs, giving you complete visibility without blind spots.

End-to-end renewal automation

Handles everything from CSR generation through issuance, so higher renewal frequencies don't translate to operational difficulties or service disruption.

Automated deployment

Pushes renewed certificates to your servers, load balancers, and cloud services, closing the gap between renewal and operational continuity.

Post-deployment actions

Automatically trigger the scripts, executables, and service restarts each server needs after deployment, making sure every renewal is complete and delivered end to end.

Learn how Key Manager Plus addresses each layer

Build your action plan

Whether you're just starting to prepare for the mandate or are midway through implementation, these resources will help you build a structured, phased approach that allows you to stay ahead of the timeline.

Guide: Preparing for the 47-day SSL/TLS certificate life span

A step-by-step action plan

Access our phased guide covering discovery, inventory building, prioritization, automation setup, and validation.

Download the guide
Webinar: Tackling the 47-day SSL/TLS certificate life span

The expert walkthrough

Explore our step-by-step webinar walkthrough of a 90-day action plan, complete with hands-on guidance on what to do first, where to prioritize, and how to set up automation workflows.

Watch the webinar

Get ahead of the mandate today

Phase one is already in effect. After the first wave of 200-day certificate expirations in October 2026, the renewal timeframe will only get shorter. The earlier you automate, the less you have to manage under pressure.

Act now