The CA/Browser Forum (the industry body that sets SSL certificate standards) voted in April 2025 to progressively reduce maximum certificate validity from 398 days to 47 days by March 2029. This affects all Certificate Authorities — paid and free alike.
The timeline
| Effective date | Max validity | Max DCV reuse | Impact |
|---|---|---|---|
| Before March 2026 | 398 days (13 months) | 398 days | Current state |
| March 15, 2026 | 200 days | 200 days | Paid CAs must issue shorter certs |
| March 15, 2027 | 100 days | 100 days | Approaching Let’s Encrypt’s 90-day model |
| March 15, 2029 | 47 days | 10 days | All certs need frequent renewal |
DCV reuse = how long a domain validation result can be reused. By 2029, domain control must be re-verified every 10 days, even if the certificate is valid for 47.
Why this is happening
Short-lived certificates are more secure:
- Reduced exposure window — if a key is compromised, the damage is limited to the remaining validity period
- Faster revocation — revocation mechanisms (CRL, OCSP) are unreliable; with short validity a bad certificate expires soon anyway, which makes them less critical
- Forced automation — manual renewal doesn’t scale at 47 days, pushing the industry toward automated certificate management
- Fresh validation — frequent domain control validation catches stale DNS, sold domains, or changed ownership faster
Apple proposed this change, and all four major browser vendors (Apple, Google, Mozilla, Microsoft) voted in favor.
What this means for you
If you use Let’s Encrypt (90-day certs)
Not much changes immediately. You already renew every 60-90 days. By 2029, your renewal cadence will tighten from every 60 days to every ~30 days.
Action needed: Ensure you have reliable renewal automation (Certbot cron, acme.sh cron) or a reliable manual process (GetHTTPS with calendar reminders).
If you use paid certificates (1-year certs)
This is a bigger shift. By March 2026, your maximum validity drops to 200 days. By 2029, it drops to 47 days, the same limit that will apply to Let’s Encrypt.
Action needed: Start planning for automation. The cost advantage of paid certificates (longer validity = fewer renewals) is disappearing. Many organizations will switch to free Let’s Encrypt certificates with automated renewal.
If you manage many certificates
47-day validity across hundreds of domains means thousands of renewals per year. Manual management becomes impossible.
Action needed: Implement ACME-based automation (Certbot, acme.sh, or a certificate management platform).
The end of “set it and forget it”
The biggest practical impact: you can no longer buy a 1-year certificate and forget about it. By 2029, every website needs an automated renewal pipeline or someone manually renewing every month.
This levels the playing field between free and paid CAs — when everyone renews every 47 days, the long-validity advantage of paid certificates disappears entirely.
DCV reuse changes (often overlooked)
The same CA/B Forum ballot also reduces Domain Control Validation (DCV) reuse periods:
| Date | Max DCV reuse |
|---|---|
| Current | 398 days |
| March 2026 | 200 days |
| March 2027 | 100 days |
| March 2029 | 10 days |
DCV reuse = how long a CA can reuse a previous domain validation result. By 2029, the CA must re-verify your domain control every 10 days — even though the certificate is valid for 47 days. This means validation can’t be a one-time event; it must be fully automated.
For ACME clients (GetHTTPS, Certbot, acme.sh), this is seamless — each renewal includes a fresh challenge. For manual workflows with commercial CAs, this adds significant operational overhead.
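To make the renewal counts under "If you manage many certificates" and the DCV reuse limits above concrete, the following sketch (an added example, not part of the original article) walks one certificate through a year of renewals under the timeline table and counts issuances and the domain validations the reuse limit forces. It assumes renewal at two thirds of the lifetime (day 60 of a 90-day certificate) and that DCV age is checked at issuance; `limits_on`, `simulate` and `summarize` are hypothetical names.

```python
from datetime import date, timedelta

# (effective date, max validity in days, max DCV reuse in days), from the timeline table
PHASES = [
    (date(2026, 3, 15), 200, 200),
    (date(2027, 3, 15), 100, 100),
    (date(2029, 3, 15), 47, 10),
]
BASELINE = (398, 398)  # limits before March 15, 2026


def limits_on(issue_date):
    """Return (max_validity_days, max_dcv_reuse_days) for a cert issued on issue_date."""
    limits = BASELINE
    for effective, max_validity, max_dcv in PHASES:
        if issue_date >= effective:
            limits = (max_validity, max_dcv)
    return limits


def simulate(first_issue, until, wanted_validity):
    """Walk one certificate through its renewals from first_issue up to `until`.

    Assumed policy: request wanted_validity days (capped by the phase limit) and
    renew once two thirds of the lifetime has elapsed.
    Returns a list of (issue_date, validity_days, fresh_dcv_required).
    """
    events, issue_on, last_dcv = [], first_issue, None
    while issue_on < until:
        max_validity, max_dcv = limits_on(issue_on)
        validity = min(wanted_validity, max_validity)
        # A stored validation may be reused only while it is inside the reuse window.
        fresh = last_dcv is None or (issue_on - last_dcv).days > max_dcv
        if fresh:
            last_dcv = issue_on
        events.append((issue_on, validity, fresh))
        issue_on += timedelta(days=max(1, validity * 2 // 3))
    return events


def summarize(events):
    """Return (issuances, forced domain validations) for a simulated schedule."""
    return len(events), sum(1 for _, _, fresh in events if fresh)


if __name__ == "__main__":
    # Constructed scenarios: the same site requesting the longest cert allowed.
    for label, start in [("2025", date(2025, 3, 15)), ("2029", date(2029, 3, 15))]:
        end = start.replace(year=start.year + 1)
        print(label, summarize(simulate(start, end, 398)))
```

For a fleet, multiply the per-site counts by the number of certificates. The validation count is the minimum the reuse limit forces; an ACME client may validate more often.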
How to prepare now
If you already use Let’s Encrypt + Certbot/acme.sh
You’re already on 90-day certificates with automated renewal. No action needed. When validity drops to 47 days, your cron job handles it — it already checks twice daily.
If you use GetHTTPS (manual renewal)
Currently you renew every ~60 days. With 47-day certs, that becomes every ~30 days. Options:
- Continue manual — set reminders for every 30 days. Doable for 1-3 domains.
- Hybrid approach — use GetHTTPS for the first cert, then install Certbot for auto-renewal.
- Wait and see — the 47-day limit is March 2029. You have time.
If you use paid 1-year certificates
Start planning now:
- Evaluate Let’s Encrypt — by 2029, paid and free certs will have the same renewal frequency. Is the premium worth it?
- Implement ACME automation — even commercial CAs support ACME (DigiCert, Sectigo)
- Budget for automation tools — certificate lifecycle management platforms if you manage 100+ certs
Who voted for this?
The ballot (SC-081) was supported by all four major browser vendors:
- Apple — proposed the change
- Google — voted in favor
- Mozilla — voted in favor
- Microsoft — voted in favor
CA opposition was mixed, but browser vendors have veto power. The change is happening.
Frequently asked questions
Will Let’s Encrypt change its 90-day validity?
Let’s Encrypt may reduce to 47 days when the new rules take effect, or keep 90 days if that’s still within the maximum. Either way, the renewal process is unchanged — and most users already renew at day 60.
Does this affect existing certificates?
No. Certificates already issued remain valid until their stated expiration date. The new rules apply to certificates issued after the effective dates.
Should I switch to Let’s Encrypt now?
If you’re paying for 1-year certificates, the cost/benefit ratio is shifting fast. Let’s Encrypt’s 90-day model is already closer to the 47-day future, and the ecosystem (Certbot, acme.sh, GetHTTPS) is mature. Switching now means you’re ready when the change hits.
Will this break old devices or browsers?
No. The change is about maximum validity, not the certificate format or TLS version. Old devices that work with current certificates will work with shorter-lived ones. The device doesn’t know or care how long the certificate is valid — it just checks the expiry date.
What about internal/private certificates?
This change applies to publicly trusted certificates only (those in browser trust stores). Internal CAs issuing certificates for corporate networks are not bound by CA/B Forum rules.