Big News: TLS Certificate validity moving to 199 Days

Online security standards have changed - as of February 24, 2026, Certificate Authorities (CAs) will issue public TLS/SSL certificates with a maximum validity of 199 days (previously 397 days). This is an industry-wide update driven by the latest CA/Browser Forum Baseline Requirements, and it’s all about strengthening security across the web.

Why the Shorter Validity?

Shorter certificate lifespans enhance security in a few key ways:

• Reduced risk exposure if a private key is compromised

• Faster cryptographic agility, allowing the industry to adapt more quickly to evolving threats and standards

• Lower long-term impact of mis-issuance or outdated configurations

In short: Smaller validity windows = tighter security controls and faster innovation.

Important CA Cutoff Dates

Here’s when the new 199-day maximum goes into effect:

• DigiCert: February 24, 2026

• Sectigo: March 12, 2026

Any certificates issued on or after these dates will follow the new maximum validity rule.

Two Ways to Navigate the Change

You’ve got options, choose the workflow that best fits your team.

Path 1: Manual Re-Issuance (Business as Usual)

You can continue purchasing certificates as you do today (e.g., 1-year or 2-year products). The difference? You’ll need to reissue and reinstall the certificate every ~6 months, until the order term is complete.

Best practice: Most SSL Management services offer renewal notifications, ensure these are enabled in your account so you never miss a reissuance window. This approach works well for teams already comfortable managing certificate lifecycle tasks manually.

Path 2: Embrace Automation 

Want to set it and forget it? Automation is your friend.

GoGetSSL currently offers ACME-based SSL certificates, enabling automated issuance and renewal. Once configured, your certificates can reissue seamlessly without manual intervention.

For enterprise-scale environments, consider DigiCert Trust Lifecycle Manager. It provides comprehensive certificate lifecycle management, including discovery, automation, policy enforcement, and centralized visibility.

Technical Considerations

Here’s what your development and operations teams should be aware of:

API Certificate Order Requests

After the cutoff dates:

• API requests specifying a validity greater than 199 days will still create an order for the requested duration.

• However, the issued certificate itself will be capped at 199 days.

This design prevents API errors and ensures your public TLS/SSL orders continue processing smoothly.

Pro tip: Use the getOrderStatus detail response parameters to monitor the difference between:

• The order validity term

• The actual certificate expiration date

Tracking both values will be important for lifecycle planning.

DigiCert Validation Reuse Changes

DigiCert customers should also note adjustments to validation reuse periods:

• Domain Validation (DV) reuse

  • Changing from 397 days → 199 days (effective February 24, 2026)

• Organization Validation (OV) reuse

  • Changing from 825 days → 397 days

These updates align validation lifecycles more closely with the new certificate validity standards and reinforce stronger identity assurance practices.

What this means for you

This isn’t just a policy change, it's a strategic shift toward a more secure and agile internet.

• Continue managing certificates manually (with more frequent reissuance), or

• Transition to automation and streamline your operations. Some MOps platforms already have features enabled to keep it all in one place. For example, Eloqua offers Automated Certificate Management at no additional cost.

Either way, planning ahead will ensure a smooth transition.

If you’d like help evaluating or implementing automation options for your SSL certificates or updating your certificate management strategy, we’re here to support you.