Why Your SSL Certificate Is Only 6 Months Now (2026)

Asep Alazhari

SSL certificate validity just dropped to 200 days. Here's why CA/B Forum made the change and how to stay ahead using Sectigo or DigiCert.

Last week I went to renew an SSL certificate for one of my domains. I use Sectigo, paid tier, same as always. But something felt off. The certificate was valid only until September — roughly 6 months from now. Not 12 months like before. Not 13 months. Around 200 days.

I thought it was a billing error. Maybe I selected the wrong plan by accident. So I checked again, recalculated the dates, and looked it up. Turns out nothing was wrong. The certificate industry just quietly changed the rules, and most people running their own domains have no idea yet.

This article explains what changed, why it changed, and what you should do about it — especially if you rely on paid CAs like Sectigo or DigiCert.

What Just Changed

Starting March 15, 2026, the maximum validity period for publicly trusted TLS certificates is 200 days. This is down from the previous limit of 398 days (roughly 13 months; often quoted as 397, the Baseline Requirements' "should" figure), which had been in place since September 2020.

This change comes from Ballot SC-081, passed by the CA/Browser Forum in April 2025. The CA/B Forum is the industry body whose Baseline Requirements govern publicly trusted certificate authorities (CAs) such as Sectigo, DigiCert and GlobalSign. The major browser root programs (Chrome, Firefox, Safari, Edge) require every CA in their trust stores to follow those requirements, so a Forum ballot is binding on any CA that wants to stay trusted.

The full schedule looks like this:

  • March 15, 2026: max validity drops to 200 days
  • March 15, 2027: max validity drops to 100 days
  • March 15, 2029: max validity drops to 47 days

That last number, 47 days, comes from Apple, which authored the ballot. Google's Chrome root program had earlier pushed for 90 days. The combined pressure from browser vendors eventually moved the entire industry.

Why They Are Doing This

The short answer is security. The long answer involves a few factors that have been building for years.

Compromised Keys Stay Valid Too Long

When the private key behind a certificate is compromised, whether through a CA breach, a key leak or a misconfiguration, the only real remedy is revocation. But certificate revocation has always been unreliable. Browsers mostly soft-fail: an unreachable OCSP responder is treated as "not revoked". OCSP stapling helps only when the server actually staples, and many non-browser clients never check revocation at all.

A certificate valid for 13 months means a stolen key can be misused for up to 13 months if the revocation never reaches every client. Shortening validity caps the blast radius of any compromise at whatever lifetime the certificate has left.

Domain Ownership Validation Goes Stale

When a CA issues a certificate, it validates that you actually control the domain. But that proof has an expiry window too. Under the old rules, a CA could reuse a domain validation result for up to 825 days, so the "proof of ownership" behind your certificate could be more than 2 years old. SC-081 shrinks that reuse window on the same schedule as certificate lifetimes: 200 days in 2026, 100 days in 2027, and 10 days from March 2029.

Shorter certificate lifetimes force more frequent revalidation, keeping the trust chain fresher and harder to spoof.

Pushing the Industry Toward Automation

This is arguably the biggest reason. Browser vendors have watched Let's Encrypt prove for years that 90-day certificates work fine at scale because they are automated. No manual renewal, no calendar reminders, no forgotten expiry dates.

Short certificate lifetimes are deliberate pressure to get the industry off manual renewal workflows. The expectation is that if you are renewing by hand, the shorter window will eventually force you to automate.

The Practical Impact for Sectigo and DigiCert Users

If you use Let's Encrypt, you probably did not notice this change. Its certificates have been 90-day all along, and Certbot and similar clients renew once fewer than 30 days remain, so roughly every 60 days. You set it up once and forget about it.

Sectigo and DigiCert are different. These are commercial CAs, and their traditional workflow is built around manual purchasing, manual downloading, and manual installation. That workflow was designed for 1-year certificates. Now it has to run about twice a year, and the 2027 and 2029 steps tighten the cadence to roughly quarterly and then to every few weeks.

Here is what this means in practice:

  • You now need to renew twice a year instead of once
  • Each renewal involves purchasing, downloading, and deploying the new certificate
  • If you have multiple domains or subdomains, the multiplier compounds fast
  • Missed renewals still cause the same HTTPS errors and browser warnings

Best Practices for Managing This

You have a few options depending on how much infrastructure you manage and how much time you want to spend on it.

Option 1: Set Up Calendar Reminders (Minimum Viable)

This is the simplest approach if you manage one or two domains. Set two calendar reminders, one at 30 days before expiry and another at 14 days before expiry. When the first reminder fires, start the renewal process through your CA's portal or hosting panel.

With a 200-day certificate, you will see this reminder cycle twice a year. It is not elegant, but it works.

The catch is that this approach does not scale. If you manage 10 domains, with two renewals a year and two reminders per renewal, you now have 40 calendar events per year just for SSL. It gets messy quickly.

Option 2: Use Uptime Monitoring with SSL Checks

A better approach is to stop relying on calendar reminders and start monitoring your certificates the same way you monitor your services. Tools like Uptime Kuma, Checkly, or Better Uptime can alert you when a certificate is within a certain number of days of expiry.

Also Read: Uptime Kuma: Monitor Websites, Alert via Telegram

Set the alert threshold to 30 days. That gives you a comfortable window to renew before anything breaks, and you are alerting on the certificate the server actually presents rather than a guessed date on your calendar. Checking the live endpoint also catches the failure mode calendars miss entirely: a certificate that was renewed but never deployed.
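As an added example (not from the article, and not code from Uptime Kuma, Checkly or any CA), here is a small POSIX shell check that does what those monitors do internally, in a form you can drop into cron or use as a custom probe. It assumes openssl is installed; the hostname, file paths and the 30-day threshold are placeholders, and the certificates the demo creates are self-signed stand-ins for CA-issued ones.

```shell
#!/usr/bin/env sh
# Added example, not from the article or from Uptime Kuma/Checkly: a certificate
# expiry check for cron or a custom monitor probe. Assumes `openssl` is on PATH.
set -eu

# needs_renewal FILE DAYS -> exit 0 when the PEM certificate in FILE expires
# within DAYS (time to alert/renew), exit 1 when it is good past that window.
# Note the inverted sense of `openssl x509 -checkend`: it exits 0 when the
# certificate will NOT expire within the given number of seconds.
needs_renewal() {
  if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# end_date FILE -> the certificate's notAfter, for the alert message.
end_date() {
  openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# fetch_live_cert HOST FILE -> saves the leaf certificate HOST actually serves.
# Checking the live endpoint rather than the file on disk also catches a
# renewed certificate that was never deployed. Needs network; not run in the demo.
fetch_live_cert() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > "$2"
}

# check_certs DAYS FILE... -> one status line per certificate; exit 1 if any
# of them needs renewal, so cron mail or a monitor's exit-code check fires.
check_certs() {
  days="$1"; shift
  rc=0
  for f in "$@"; do
    if needs_renewal "$f" "$days"; then
      echo "ALERT: $f expires within $days days (notAfter=$(end_date "$f"))"
      rc=1
    else
      echo "ok:    $f (notAfter=$(end_date "$f"))"
    fi
  done
  return "$rc"
}

# make_test_cert FILE DAYS -> constructed self-signed certificate for the demo,
# standing in for a CA-issued one; the key is thrown away.
make_test_cert() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout /dev/null -out "$1" -days "$2" -subj "/CN=yourdomain.example" \
    >/dev/null 2>&1
}

# Demo: a fresh 200-day certificate passes a 30-day threshold; one with 20
# days left trips the alert and makes check_certs exit nonzero.
demo() {
  tmp=$(mktemp -d)
  make_test_cert "$tmp/fresh.pem" 200
  make_test_cert "$tmp/expiring.pem" 20
  check_certs 30 "$tmp/fresh.pem" "$tmp/expiring.pem" || echo "demo exit status: $?"
  rm -rf "$tmp"
}
demo
```

In production you would call `check_certs 30 /etc/nginx/ssl/*.crt` from cron, or `fetch_live_cert yourdomain.com /tmp/live.pem` followed by `check_certs 30 /tmp/live.pem` to test what clients actually see; a nonzero exit is the alert signal.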

Option 3: Use ACME with Your Paid CA

Here is where things get interesting for commercial CA users. Both Sectigo and DigiCert support the ACME protocol — the same protocol that Let’s Encrypt uses for automated issuance.

ACME lets you automate the full certificate lifecycle: validation, issuance, installation, and renewal. You configure your server once, and the client handles everything.

To use ACME with Sectigo, you need an account on their ACME-enabled endpoint. Sectigo provides this through the Sectigo Certificate Manager (SCM) platform, typically under enterprise or reseller agreements. SCM issues the External Account Binding (EAB) key ID and HMAC key that tie an ACME client to your account and to a pre-validated organization; without them the public Sectigo ACME endpoints reject registration.

For DigiCert, the CertCentral platform offers ACME support as well. You generate an ACME URL specific to your account, and clients like Certbot or acme.sh can point to that URL instead of the Let’s Encrypt endpoints.

Here is an example using acme.sh with a custom ACME server:

# Register with your CA's ACME endpoint. Sectigo's endpoints require External
# Account Binding: the key ID and HMAC key come from Sectigo Certificate
# Manager, not from acme.sh. Replace the placeholders with your values.
acme.sh --register-account \
  --server https://acme.sectigo.com/v2/OV \
  --eab-kid <your-eab-key-id> \
  --eab-hmac-key <your-eab-hmac-key> \
  -m your@email.com

# Issue a certificate (http-01 challenge served from the webroot)
acme.sh --issue \
  --server https://acme.sectigo.com/v2/OV \
  -d yourdomain.com \
  --webroot /var/www/html

# Renewal is handled by the cron job acme.sh installs; it remembers the
# --server and validation settings from the original --issue.

The exact ACME URL varies by certificate type (DV, OV, EV) and your account tier. Check your CA’s documentation for the exact endpoint.

Option 4: Centralize with a Certificate Manager

If you manage certificates across multiple servers, the right long-term solution is a certificate management platform. Tools like:

  • cert-manager (for Kubernetes environments)
  • Caddy (built-in automatic HTTPS for web servers)
  • Traefik (proxy with automatic certificate management)
  • DigiCert CertCentral with API integration

These tools abstract away the renewal cycle entirely. You define your desired state — “this domain should have a valid certificate” — and the tool keeps it that way.

For teams already running Nginx or Apache with manual certificate deployment, switching to Caddy or Traefik as a reverse proxy is often the lowest-friction path to full automation.

Automate the Deployment Step

One thing that surprises people is that even if you automate certificate issuance, the deployment step can still be manual. Getting the new certificate onto your server, updating the Nginx or Apache config, and reloading the service is a separate problem.

Here is a basic deploy hook for acme.sh. acme.sh sources hook files from ~/.acme.sh/deploy/ and calls the function named after the hook with the paths of the freshly issued files:

#!/usr/bin/env sh
# Save as ~/.acme.sh/deploy/nginx_reload.sh. acme.sh sources this file and
# calls nginx_reload_deploy with five arguments: domain, private key, leaf
# cert, CA chain, full chain (leaf plus intermediates, which Nginx wants).
nginx_reload_deploy() {
  _ckey="$2"; _cfullchain="$5"
  cp "$_cfullchain" /etc/nginx/ssl/yourdomain.crt
  cp "$_ckey" /etc/nginx/ssl/yourdomain.key
  chmod 600 /etc/nginx/ssl/yourdomain.key
  nginx -s reload
  echo "Certificate for $1 deployed and Nginx reloaded"
}

Then run the hook once against the issued certificate. acme.sh records the hook name in the domain's configuration and re-runs it after every successful renewal:

acme.sh --deploy \
  -d yourdomain.com \
  --deploy-hook nginx_reload

acme.sh installs its own cron entry at setup time, so once the hook is recorded you have a fully automated pipeline from issuance to deployment. If all you need is copy-and-reload, acme.sh's built-in --install-cert command with --reloadcmd does the same job without a custom hook.
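A hook that copies files and reloads blindly has a failure mode of its own: if the wrong key lands next to a new certificate, or the reload hits a broken config, the site goes down at the moment the cron job fires. As an added example (not from the article, acme.sh or any CA), here is a deploy step that checks the key/certificate pair, installs the files atomically, validates the server configuration before reloading and rolls back when validation fails. The destination names (site.key, site.crt), the nginx commands and the openssl dependency are assumptions; TEST_CMD and RELOAD_CMD are hypothetical knobs so the function can be adapted to another server or exercised with `true`.

```shell
#!/usr/bin/env sh
# Added example, not from the article, acme.sh or any CA: a deploy step that
# refuses a mismatched key/certificate pair, installs the files atomically,
# validates the server configuration before reloading and rolls back if that
# validation fails. Destination names, nginx commands and the use of openssl
# are assumptions; TEST_CMD and RELOAD_CMD are hypothetical overrides.
set -eu

: "${TEST_CMD:=nginx -t}"          # must succeed before we touch the running server
: "${RELOAD_CMD:=nginx -s reload}" # graceful reload; open connections survive

# deploy_cert KEY FULLCHAIN DESTDIR -> installs DESTDIR/site.key and
# DESTDIR/site.crt. Exit 0 on success; nonzero, with the previously live files
# left untouched, when the pair does not match or TEST_CMD fails.
deploy_cert() {
  key="$1"; chain="$2"; dest="$3"
  mkdir -p "$dest"
  rm -f "$dest/site.key.new" "$dest/site.crt.new"

  # 1. Key and leaf certificate must carry the same public key. Shipping a
  #    renewed certificate next to last year's key is the classic way an
  #    automated pipeline takes a site down in the middle of the night.
  if [ "$(openssl pkey -in "$key" -pubout 2>/dev/null)" != \
       "$(openssl x509 -in "$chain" -noout -pubkey 2>/dev/null)" ]; then
    echo "deploy: key and certificate do not match, aborting" >&2
    return 1
  fi

  # 2. Stage copies beside the live files. The key is created under umask 077
  #    so it is never readable by other users, not even briefly.
  ( umask 077; cp "$key" "$dest/site.key.new" )
  cp "$chain" "$dest/site.crt.new"

  # 3. Keep the live pair for rollback and swap the new pair in. mv within one
  #    filesystem is atomic, so the server never opens a half-written file.
  for f in site.key site.crt; do
    [ ! -f "$dest/$f" ] || cp -p "$dest/$f" "$dest/$f.prev"
    mv "$dest/$f.new" "$dest/$f"
  done

  # 4. Let the server validate its config against the new files. Nothing has
  #    been reloaded yet, so a failure here is invisible to clients: restore
  #    the previous pair (or remove the new one on a first install) and report.
  if ! sh -c "$TEST_CMD" >/dev/null 2>&1; then
    echo "deploy: '$TEST_CMD' failed, rolling back" >&2
    for f in site.key site.crt; do
      if [ -f "$dest/$f.prev" ]; then mv "$dest/$f.prev" "$dest/$f"; else rm -f "$dest/$f"; fi
    done
    return 1
  fi

  sh -c "$RELOAD_CMD"
  rm -f "$dest/site.key.prev" "$dest/site.crt.prev"
  echo "deploy: new certificate live in $dest, server reloaded"
}
```

From an acme.sh deploy hook you would call it as `deploy_cert "$2" "$5" /etc/nginx/ssl` in place of the bare cp lines; from a Certbot --deploy-hook the same function works with `$RENEWED_LINEAGE/privkey.pem` and `$RENEWED_LINEAGE/fullchain.pem`.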

What About EV and OV Certificates?

Extended Validation (EV) and Organization Validated (OV) certificates are affected by the same timeline, but there is a nuance. The ACME automation path is generally easier for DV (Domain Validated) certificates, which only require proof of domain control.

OV and EV certificates require additional vetting of your organization details. This vetting process does not lend itself to full automation the same way. However, once your organization is pre-vetted in the CA’s system, renewals can still be streamlined significantly.

Both Sectigo and DigiCert offer organization pre-vetting programs. If you renew OV or EV certificates regularly, it is worth contacting your CA account rep to understand what automation options are available to you.

The Timeline Ahead

To be clear about what is coming:

  • If you are renewing now (March 2026), you are getting 200-day certificates.
  • By March 2027, that drops to 100 days — roughly quarterly renewal.
  • By March 2029, the target is 47 days, at which point fully automated renewal is no longer optional; it is required for practical operations.

The industry is heading toward a world where certificate automation is the baseline assumption, not a nice-to-have. The commercial CA market will adapt — both Sectigo and DigiCert have ACME support and are expanding it. But the tooling and knowledge have to catch up on the ops side too.

Summary

The short version: your SSL certificates are now capped at 200 days (a little over 6 months) because the CA/B Forum lowered the maximum validity to 200 days effective March 15, 2026. This is the first step in a multi-year plan to reach 47-day certificates in March 2029.

For Sectigo and DigiCert users, the best immediate action is to set up expiry monitoring so you never miss a renewal. The best long-term action is to evaluate the ACME automation options your CA provides and start moving away from manual renewal workflows.

The change is not optional, but the headache is.
