If you’ve been following hosting or security news lately, you may have heard that SSL certificate lifetimes are about to get a lot shorter. It’s a real change — and a significant one — but the headline is probably less alarming than it sounds. Here’s what’s happening, why, and what it actually means for you.
What’s changing?
The CA/Browser Forum — the industry body that sets the rules for SSL certificates and is made up of browser makers, certificate authorities, and other stakeholders — has voted to phase in much shorter certificate lifetimes over the next few years. The current maximum is around 398 days (just over 13 months). Under the agreed schedule:
- From March 2026: Maximum certificate validity drops to 200 days
- From March 2027: Maximum drops to 100 days
- From March 2029: Maximum drops to 47 days
At the same time, the period during which domain ownership validation data can be reused is also being shortened, which means your domain will need to be re-verified more frequently as part of the renewal process.
Why is this happening?
The reasoning is sound, even if the numbers sound dramatic. Shorter certificates improve security in a couple of important ways.
First, if a certificate is ever compromised — through a data breach at a CA, a stolen private key, or anything else — a shorter maximum lifetime limits how long that compromised certificate can be used before it naturally expires. With 47-day certificates, the window of exposure is dramatically smaller than with a 13-month one.
Second, more frequent domain re-validation means certificates stay tied to domains that are demonstrably still under the same control. Sites change hands, domains lapse, companies close — regular revalidation keeps the ecosystem cleaner and more trustworthy.
Apple was one of the early and loudest voices pushing for this change, and Google has supported it too. When the biggest browser makers are aligned, the rest of the industry tends to follow.
What does this mean for you?
For the vast majority of customers: nothing changes in your day-to-day experience.
The shift to shorter certificates is really a change in how the plumbing works under the bonnet, not something you need to manage manually. Certificate reissuance — the process of generating and installing a fresh certificate to replace an expiring one — happens automatically. You won’t need to log in, click anything, or set calendar reminders.
If you’re on one of our multi-year SSL plans, your plan stays exactly as it is. You still pay once and stay covered for your full term. What changes is that we’ll reissue the underlying certificate more often behind the scenes to stay within the new validity windows. That’s our problem to solve, not yours.
A word on manual certificate management
If you currently manage certificates manually — downloading, installing, and renewing them yourself — the move to shorter lifetimes is a strong reason to switch to an automated setup. Manually renewing a certificate every 47 days is a lot of work. The ACME protocol (which underpins tools like Certbot and is built into many control panels) was designed exactly for this — fully automated issuance and renewal with no human intervention needed.
If you’re unsure whether your current setup handles renewal automatically, get in touch and we’ll take a look. It’s better to sort this now than to find out you have a manual process when validity windows start shrinking next year.
The bottom line
Shorter SSL certificates are a genuine improvement to how the internet handles trust. The industry has been moving in this direction for years — validity windows have already come down from 5 years, to 2 years, to just over 1 year over the past decade. 47 days is the next step in that direction, and automation makes it viable.
For customers with us: you’re covered. We handle the renewal and reissuance. If you have questions about your specific certificate setup, drop us a message — happy to walk you through it.
