<p>Organizations that rely on manual TLS certificate lifecycle management are racing against the clock. The 200-day certificate timeline, which took effect in March 2026, means the first wave of certificate renewals will arrive within a matter of months.</p>
<p>“People will feel the realities when they start to renew those first sets of certificates,” said Sarah Almond, an analyst at Gartner. Nick France, CTO at Sectigo, a certificate authority (<a href="https://www.techtarget.com/searchsecurity/definition/certificate-authority">CA</a>) and certificate lifecycle management (CLM) provider, agreed, calling September and October a “wake-up call” for organizations that aren’t ready.</p>
<p>The March 2026 change is just the first in a series of updates to certificate lifetimes. The phased approach set by the CA/Browser Forum, a consortium of CAs and browser vendors that sets standards for digital certificates, will further reduce the period to 100 days in March 2027 and ultimately to 47 days in March 2029.</p>
<p>The lifetimes are being shortened in the name of security, and experts and CAs warn that the transition requires immediate action to prevent costly outages or breaches that erode customer trust and disrupt operations.</p>
<section class="section main-article-chapter" data-menu-title="About TLS certificates and expiration">
<h2 class="section-title"><i class="icon" data-icon="1"></i>About TLS certificates and expiration</h2>
<p>TLS certificates — digital credentials that verify the identity of a website, server or application — enable encrypted, authenticated connections that protect data from interception. These certificates carry expiration dates to limit the impact of compromised, stolen or improperly issued certificates, enforce cryptographic upgrades and ensure compliance with policies and regulations.</p>
<p>If a TLS certificate expires, it is no longer trusted to establish TLS connections. Websites using the expired certificate are flagged as insecure by browsers, resulting in businesses losing credibility, trust and revenue. According to CyberArk’s 2025 “State of Machine Identity Security” <a target="_blank" href="https://www.cyberark.com/state-of-machine-identity-security-report/" rel="noopener">report</a>, 72% of organizations experienced at least one certificate-related outage in the previous year — before the shortened TLS certificate timeline took effect.</p>
<p>“Every service owner knows that rotation of a certificate must happen before expiration. Otherwise, end users will see scary or confusing error messages and lose trust in the service,” said Ken Beer, director of cryptography at AWS.</p>
</section>
<section class="section main-article-chapter" data-menu-title="Why the change?">
<h2 class="section-title"><i class="icon" data-icon="1"></i>Why the change?</h2>
<p>Improved security is the driver of quicker expiration timelines. The CA/Browser Forum <a target="_blank" href="https://cabforum.org/2025/04/11/ballot-sc081v3-introduce-schedule-of-reducing-validity-and-data-reuse-periods/" rel="noopener">listed</a> six benefits of reducing TLS certificate validity periods:</p>
<ol class="default-list">
<li><b>Certificates represent a snapshot in time.</b> A TLS certificate reflects accurate ownership and validation information when it is issued. In time, that information could become outdated, making shorter certificate lifetimes more reliable.</li>
<li><b>Outdated certificates create security risks.</b> Changes such as domain expiration, ownership transfers or compromised keys can leave a certificate valid even though the information it contains is no longer accurate, enabling misuse.</li>
<li><b>Shorter lifetimes reduce the impact of improperly issued certificates.</b> If a CA improperly validates information or issues a certificate incorrectly, shorter validity periods limit how long the bad certificate remains trusted.</li>
<li><b>Shorter lifetimes drive automation adoption.</b> More frequent renewals push organizations to adopt automated certificate issuance and renewal processes, improving the resilience and reliability of CLM systems.</li>
<li><b>Certificate expiration provides protection when revocation mechanisms fall short.</b> Revocation technologies, such as certificate revocation lists and <a href="https://www.techtarget.com/searchsecurity/definition/OCSP">OCSP</a>, are not always timely or effective at scale. Shorter certificate lifetimes reduce reliance on those technologies.</li>
<li><b>Shorter lifetimes improve cryptographic agility.</b> If a cryptographic algorithm becomes vulnerable or o
[…]