
The groundwork of digital trust is shifting beneath our feet once again. For years, the industry standard for a public SSL/TLS certificate was a maximum validity of 398 days. However, as of March 15, 2026, that period has been officially slashed. The CA/Browser Forum, which serves as the governing body for digital certificates, has mandated a reduction in maximum validity to 200 days.
This change represents the first major milestone in a comprehensive, phased plan to move the entire internet toward much shorter certificate cycles. Major players like Apple and Google are driving this transition to improve the overall security of the web. By 2029, the industry expects to see certificate lifespans drop to just 47 days. At 101domain, we believe it is vital for our clients to understand the implications of this shift and how to prepare for a world where manual certificate management is no longer a viable option.
The roadmap to 47-day certificates
The transition to shorter certificate lifespans is not happening all at once. Instead, the CA/Browser Forum has established a clear timeline to allow organizations to adjust their internal processes and infrastructure.

The current 200-day limit takes effect.

The maximum validity will drop again to a 100-day limit.

The final milestone of the current plan moves the internet to 47-day certificate cycles.
While the official industry cap is set at 200 days, you might notice that many leading Certificate Authorities (CAs) like DigiCert and Sectigo are actually issuing certificates with a 199-day limit. This single-day reduction provides a necessary buffer to account for time zonte synchronization issues and processing errors. It ensures that a certificate is never accidentally issued with a validity period that exceeds the strict requirements of modern web browsers.
Why shorter certificate lifespans matter
The push for shorter certificate validity periods is rooted in two primary goals: security and cryptographic agility.
From a security perspective, every certificate represents a potential window of opportunity for an attacker. If a private key is compromised or a certificate is misissued, a shorter lifespan drastically limits the time that a malicious actor can exploit that credential. In the past, a compromised certificate could remain valid for over a year. Under the new rules, that risk is cut in half today and will eventually be reduced to less than seven weeks.
Shorter lifespans also force a concept known as cryptographic agility. As we move closer to the era of Post-Quantum Cryptography (PQC), the ability to rotate certificates quickly becomes a strategic necessity. When new security standards are released, they must be implemented across the global web in months rather than years. Short cycles ensure that the entire internet can pivot to more secure algorithms almost simultaneously, rather than waiting for legacy certificates to expire over the course of several years.
The operational challenge of 200 days
Transitioning from one renewal per year to two might seem manageable at first glance. However, the operational reality is that the margin for error has disappeared. When the limit drops to 100 days and then 47 days, the volume of renewal events will skyrocket. For an enterprise managing hundreds or thousands of certificates across various departments, manual tracking in spreadsheets becomes a recipe for disaster.
A single missed expiration date can lead to website outages, broken APIs, and trust warnings that drive customers away. This is why maintaining a careful watch over your entire certificate inventory is more critical than ever.
Moving toward automated monitoring
As these lifespans continue to shrink, organizations must transition from reactive management to proactive monitoring. Our Red Sift Certificate Monitoring managed by 101domain service is designed specifically to handle this new reality.
The service provides real-time discovery of every certificate associated with your brand. It monitors for upcoming expirations and potential revocations, ensuring that you never miss a deadline as the 200-day window approaches. By consolidating your telemetry and visibility into one platform, you can identify misconfigurations or “shadow” certificates that were issued outside of your standard IT protocols.
The era of the “set it and forget it” certificate is over. With the 200-day limit now in effect, the time to audit your renewal processes is today. Whether you are preparing for the next drop to 100 days in 2027 or just trying to keep your current sites online, 101domain is here to help you navigate these changes with confidence.