Back to Blog

200 Days Now. 47 Days by 2029. Your SSL Renewal Process Has a Deadline.

May 11, 2026 Justin 3 min read
SSL/TLS Certificates Browser Policy Automation

As of March 15, 2026, no public certificate authority can issue an SSL/TLS certificate valid for more than 200 days. This is the first step in a multi-year industry rollout that ends with 47-day certificates by March 2029. If your renewal process still involves a human, that is about to be a problem.

The change comes from the CA/Browser Forum, which sets the rules every major browser and operating system trusts. Google, Apple, Mozilla, and Microsoft have collectively been pushing certificate validity periods down for years — eight years ago a five-year certificate was normal, then two, then one. The new schedule continues that direction.

The Schedule

Three deadlines, all on March 15:

  • 2026: 200 days max (in effect now)
  • 2027: 100 days max
  • 2029: 47 days max

Why Shorter Is Safer

Two reasons drive the cap down. A compromised certificate has a shorter window where it can be misused before it expires and falls out of trust. And shorter validity forces operators to keep renewal automation healthy, which means revocation and key rotation stay healthy as a side effect.

It also forces hands on automation. The long-term direction is clear: short-lived certificates managed by ACME — the same protocol Let's Encrypt popularized. Forty-seven-day certs are not something you renew by clicking a button in a registrar dashboard once a year.

What to Do Now

  • Audit cert expiry across every domain you operate. Anything currently on a 397-day cert will renew at 200 days or less from now on.
  • If a domain is renewed manually, get it onto ACME (Let's Encrypt, ZeroSSL, Google Trust Services). Most modern web servers ship with clients that handle it automatically — certbot, acme.sh, Caddy, Traefik.
  • Make sure you are alerted before any certificate expires, not when. Renewal failures in automation are silent until they are not.

The five-year certificate was a different era. By 2029, an SSL certificate will live a shorter life than a dairy product. Automate the renewal, watch the expiry, and the math works fine. Skip either, and the schedule will catch up with you.

This is what InternetSecure tracks for you. Every domain in your account gets scanned daily, and we send alerts at 30, 14, 7, 3, and 1 days before any certificate expires — not every day, just the milestones that matter. The same scan catches invalid intermediate chains, missing SANs, broken HSTS, and HTTPS redirect issues that often break in production even when the cert itself looks fine.

Create a free account to start monitoring your domains, or run a one-off scan at internetsecure.org to check current cert status for any URL.