The 200-Day SSL Change Is Here. What It Actually Means for Your Website.
On 15 March 2026, the maximum lifespan of an SSL certificate dropped from 398 days to 200. Not because of a security breach. Not because something went wrong. Because the people who set the rules for how the web works decided that shorter certificates, renewed more often, make the internet meaningfully safer – and every major browser backed them on it.
If you manage your own website, this is worth understanding. If we manage your hosting, you probably don’t need to do anything at all.

Shorter certificates, safer web
SSL certificates are how browsers decide whether to trust a website. When you visit a site and see the padlock in the address bar, that’s a certificate doing its job – confirming the site is who it says it is and that your connection to it is encrypted.
The problem with a certificate that lasts 398 days is that a lot can change in 398 days. Companies get acquired. Domains change hands. Private keys get compromised. Under the old rules, a certificate issued to a legitimate business in January could still be technically valid the following January, even if the situation on the ground had changed entirely. The certificate issuer had no obligation to check.
Shorter validity periods fix that. With a 200-day maximum, the verification that a domain is still controlled by the right organisation happens more than twice as often. By 2029, when the limit drops to 47 days, it becomes near-continuous.
The CA/Browser Forum, the body of certificate authorities and browser vendors that sets these rules, put this to a vote in April 2025. Apple proposed it. Google, Mozilla, and Microsoft all voted yes. It passed unanimously.
This is the beginning, not the end
The March 2026 change is the first phase of a longer timeline:
- March 2026: Maximum validity drops to 200 days
- March 2027: Drops again to 100 days
- March 2029: Final reduction to 47 days, with domain validation reusable for only 10 days between checks
By 2029, anyone still managing SSL certificates by hand – logging in, downloading, uploading, configuring – is going to have a tough time. The industry is building toward a world where certificate renewal is fully automated and essentially invisible. Manual management isn’t just inconvenient at 47 days; it becomes unsustainable.
Your subscription isn’t changing
Your SSL certificate subscription stays annual. Renewal date, billing cycle, contract terms – none of that changes.
What changes is the process running in the background. Because a certificate can only be technically valid for 200 days, it needs to be reissued once during your annual subscription period. You’re still covered for the full year. There’s just an additional verification step mid-term that didn’t exist before.
Think of it like road tax and an MOT. Your road tax covers you for the year. The MOT is a check that happens within that year to confirm everything is still roadworthy. Same principle – you paid for the year, and the mid-term check is just how we confirm everything is still fit for purpose under the new rules.
What happens automatically
If we manage your SSL certificate and hosting environment, you don’t need to do anything.
The re-verification works through a DNS record added to your domain, which confirms that you control it. This is automated. Your site stays secure throughout, your certificate stays active, and the whole process runs without you needing to know it happened.
You might occasionally get an automated email from the certificate issuer, sent to your domain’s admin contact address. It’s a routine confirmation that the process ran and almost never requires a response – but it’s worth checking that address is current and monitored, just in case.
If you manage your own SSL
If you handle your own certificates or DNS settings independently, now is a good time to check your setup rather than waiting until a reissuance window arrives.
Make sure you have access to add DNS records when needed, and check whether your certificate tooling supports automated renewal. Manual processes will work at 200 days. They’ll be harder at 100. By 47 days they’ll need replacing with something automated, and 2027 is closer than it sounds.
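One way to run that check against your own certificates, as an added example rather than code from this page: it takes the notBefore/notAfter dates that `openssl x509 -noout -dates` prints and applies the timeline above. The function names and the sample certificate are constructed for illustration, and the day of the month for the 2027 and 2029 phases is assumed to be the 15th, since the page gives only the month.

```python
import math
import ssl
from datetime import datetime, timezone

# Phase start dates and maximum validity in days, from the timeline above.
# Assumption: the page gives only the month for 2027 and 2029; the 15th is used.
PHASES = [
    (datetime(2029, 3, 15, tzinfo=timezone.utc), 47),
    (datetime(2027, 3, 15, tzinfo=timezone.utc), 100),
    (datetime(2026, 3, 15, tzinfo=timezone.utc), 200),
]
LEGACY_LIMIT = 398  # maximum before 15 March 2026

def parse_cert_time(text):
    """Parse a date as printed by `openssl x509 -dates` or ssl.getpeercert()."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), tz=timezone.utc)

def max_validity_days(issued):
    """Maximum lifetime allowed for a certificate issued at `issued`."""
    for start, limit in PHASES:
        if issued >= start:
            return limit
    return LEGACY_LIMIT

def reissues_per_year(limit):
    """Minimum mid-term reissuances needed to cover a 365-day subscription."""
    return math.ceil(365 / limit) - 1

def audit(not_before, not_after, now):
    """Compare one certificate's lifetime with the limits then and now."""
    issued, expires = parse_cert_time(not_before), parse_cert_time(not_after)
    lifetime = (expires - issued).total_seconds() / 86400
    limit_now = max_validity_days(now)
    return {
        "lifetime_days": round(lifetime, 1),
        "within_limit_at_issuance": lifetime <= max_validity_days(issued),
        "days_left": (expires - now).days,
        # A like-for-like renewal requested at `now` is capped at limit_now.
        "next_cert_will_be_shorter": lifetime > limit_now,
        "reissues_per_year_now": reissues_per_year(limit_now),
    }

# Constructed sample: a 397-day certificate issued before the change.
SAMPLE = ("Jan 10 00:00:00 2026 GMT", "Feb 11 00:00:00 2027 GMT")

if __name__ == "__main__":
    print(audit(*SAMPLE, datetime(2026, 6, 1, tzinfo=timezone.utc)))
```

A certificate flagged `next_cert_will_be_shorter` was valid when issued, but its replacement will expire sooner, so any renewal reminder set a year out needs to move.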
Our support team can take a look at your setup and tell you exactly what applies to your situation.