On March 15, 2026, the SSL/TLS certificate landscape changes significantly: the maximum certificate lifespan drops from 398 days to just 200, with SSL to begin issuing 200-day certificates on March 11. This effectively doubles how frequently organizations must renew. Is your business prepared for the 200-day certificate deadline?
Prepare for Shorter Certificate Duration Lifecycle Management
What’s Changing?
Beginning March 15, 2026, any certificate issued on or after that date must comply with the new 200-day maximum validity period (SSL will begin issuing 200-day certificates on March 11). This turns what was already a demanding renewal process into something genuinely unmanageable without the right automation in place.
And this is not a one-time adjustment. The industry is moving toward even shorter lifespans, with 100-day and eventually 47-day certificates arriving by March 15, 2029. As certificate lifecycle reductions accelerate, organizations that adapt now to automation will be far better positioned for successful certificate management than organizations still relying on manual processes.
How SSL’s ACME Solution Prepares You for 200-Day Digital Certificates
SSL’s support for the ACME (Automated Certificate Management Environment) protocol is precisely the advantage organizations need right now. ACME automates the complete certificate lifecycle, including issuance, renewal, and installation. It eliminates manual intervention and keeps your certificates continuously up to date.
Here’s what automated certificate management through SSL.com delivers:
- Zero-touch renewals: Once configured, ACME manages the entire renewal cycle automatically, without manual CSR generation, validation steps, or installation. Your certificates renew on schedule, every time, without exception.
- Seamless integration: ACME works with widely used platforms, including cPanel, Plesk, Kubernetes, and cloud infrastructure, fitting directly into your existing workflows without requiring wholesale changes to your environment.
- Scalability: Whether you’re managing ten certificates or ten thousand, ACME scales effortlessly. As your infrastructure expands, certificate management stays simple.
- Reduced downtime risk: Automation removes the threat of surprise expirations. No more emergency renewals on weekends. No more security warnings that erode customer confidence.
- Future-proof approach: When the industry advances to 100-day or 47-day certificates, you’ll already have the infrastructure to handle even shorter lifespans without disruption.
Contact SSL today to start automating your certificate management.
Get Started with ACME-Enabled Solutions
Why Is This Happening?
This change is not the decision of any individual certificate authority, including SSL. It is an industry-wide requirement for all publicly trusted CAs established by the CA/Browser Forum (CABF), the governing body comprised of certificate authorities, browser vendors, and operating system providers, that sets the Baseline Requirements for publicly trusted SSL/TLS certificates.
The rationale behind shorter certificate lifespans is clear:
- Enhanced security: Limiting certificate validity reduces the exposure window if a certificate is compromised or misissued. Think of it like changing your locks more frequently: the less time a key is in circulation, the lower the overall risk.
- Improved cryptographic agility: Shorter lifespans make it easier to adopt new algorithms and updated security standards. As quantum computing threats develop, the ability to rotate certificates quickly becomes increasingly critical.
- Stronger validation practices: More frequent renewals mean more regular domain and organization validation, helping ensure certificate holders remain legitimate and authorized.
While these improvements strengthen the internet’s overall security position, they potentially create real operational challenges for businesses that have not yet implemented automation. The move to 200-day digital certificates doubles the number of renewal events, validation requirements, and opportunities for human error.
The Real Cost of Manual Certificate Management
Let’s be straightforward about what manual certificate management looks like in a 200-day world:
- Constant renewal cycles: You’ll be renewing more than twice as often, creating a relentless cycle of CSR generation, validation, installation, and testing.
- Higher risk of expired certificates: With shrinking renewal windows, the margin for error disappears. A single missed renewal can mean website outages, broken APIs, security warnings that drive customers away, and potential compliance violations.
- Team burnout: Your IT and DevOps staff will spend more time managing certificates and less time on strategic work. Certificate firefighting becomes routine rather than an exception, leading to more errors.
The solution isn’t adding headcount or extending working hours. It’s adopting automation tools that manage the full certificate lifecycle on your behalf.
Prepare Now: March 2027 Is Next
Prior to the deadline, SSL.com will automatically update our certificate profiles to ensure compliance with the upcoming changes to the certificate lifecycle. Additionally, current customers can request a replacement certificate to cover any remaining time on their annual purchases.
As stated before, the 200-day transition is only the beginning. On March 15, 2027, the maximum validity for digital certificates will drop again. Next time, the reduction will be to just 100 days. That means organizations that adapt to the 200-day requirement but still rely on manual processes will find themselves under even greater pressure in twelve months’ time.
Act now. Discover how SSL’s ACME solutions can automate your certificate management, protect your business, and keep you ahead of every upcoming lifecycle change.
Get Started with ACME-Enabled Solutions
Other key CABF Baseline Requirements changes effective March 15, 2026:
|
Compliance |
Section(s) |
Summary Description (See Full Text for Details) |
|
2026-03-15 |
3.2.2.4 |
DNSSEC validation back to the IANA DNSSEC root trust anchor MUST be performed on all DNS queries associated with the validation of domain authorization or control by the Primary Network |
|
2026-03-15 |
3.2.2.4 |
CAs MUST NOT use local policy to disable DNSSEC validation on any DNS query associated with the validation of domain authorization or control. |
|
2026-03-15 |
3.2.2.8.1 |
DNSSEC validation back to the IANA DNSSEC root trust anchor MUST be performed on all DNS queries associated with CAA record lookups performed by the Primary Network Perspective. |
|
2026-03-15 |
3.2.2.8.1 |
CAs MUST NOT use local policy to disable DNSSEC validation on any DNS query associated CAA record lookups. |
|
2026-03-15 |
3.2.2.8.1 |
DNSSEC-validation errors observed by the Primary Network Perspective (e.g., SERVFAIL) MUST NOT be treated as permission to issue. |
|
2026-03-15 |
4.2.2 |
CAs SHALL NOT issue Certificates containing Domain Names that end in an IP Reverse Zone Suffix. |
|
2026-03-15 |
4.2.1 |
Subject Identity Information validation maximum data reuse period is 398 days. |
|
2026-03-15 |
4.2.1 |
Domain Name and IP Address validation maximum data reuse period is 200 days. |
|
2026-03-15 |
6.3.2 |
Maximum validity period of Subscriber Certificates is 200 days. |
|
2026-03-15 |
7.1.2.4 |
CAs MUST NOT use Precertificate Signing CAs to issue Precertificates. CAs MUST NOT issue certificates using the Technically Constrained Precertificate Signing CA Certificate Profile specified in Section 7.1.2.4. |