The End of Annual TLS Certificates (And Why You Should Welcome It)
Starting March 15, 2026, TLS validity marches toward 47 days. Here's what's driving the change, what it means for your infrastructure, and the PQC connection.
On March 15, 2026, the maximum validity period for publicly trusted TLS certificates drops from 398 days to 200 days. That’s six days from now.
Most websites won’t break. Most admins won’t notice right away. But this is the first step in a scheduled reduction that ends with 47-day certificates by March 2029, and the reasoning behind that schedule ties directly into the post-quantum transition.
TL;DR: Annual TLS certificates are going away in stages, ending with 47-day certs by March 2029. Teams that automate renewals now will be in much better shape for both reliability and post-quantum crypto changes.
How we got here
For years, certificates could be valid for up to 825 days, roughly two years and three months. The CA/Browser Forum gradually tightened that to 398 days (just over one year).
Last year, the Forum passed Ballot SC-081, setting a schedule to keep reducing that ceiling:
| Date | Maximum validity | Domain validation reuse |
|---|---|---|
| March 15, 2026 | 200 days | 200 days |
| March 15, 2027 | 100 days | 100 days |
| March 15, 2029 | 47 days | 10 days |
The 47-day figure isn’t arbitrary. It’s roughly six weeks, chosen so organizations can renew monthly with a comfortable buffer while keeping the window short enough that compromised or mis-issued certificates expire quickly.
Why shorter is safer
A certificate is a promise: “this public key belongs to this domain.” But promises go stale. A certificate issued to a domain you once controlled stays valid until it expires, whether or not you still own that domain. Same goes for a certificate issued with a bug, or one tied to a private key that was quietly compromised.
Shorter validity periods limit the blast radius. If a certificate lives for 47 days instead of 398, a mis-issuance or compromise self-corrects much faster, without anyone having to revoke it and hope every browser notices.
There’s a subtler benefit too: shorter lifetimes force automation. When renewals happen every six weeks instead of once a year, nobody can manage them manually at scale. This is the industry’s way of pushing organizations toward certificate lifecycle management that doesn’t depend on someone remembering a calendar reminder.
The post-quantum connection
This is where shorter lifetimes intersect with quantum-resistant cryptography.
The current debate around post-quantum certificates, including Google’s Merkle Tree Certificate proposal, is partly about how often certificate infrastructure needs to update. Shorter-lived certificates mean more frequent issuance, but they also mean cryptographic agility: when better algorithms become available, the gap between “available” and “deployed everywhere” shrinks.
A world with 47-day certificates is structurally better at rotating cryptographic material. That matters enormously when the job is migrating the entire web’s PKI to post-quantum signature algorithms without breaking anything.
What this means for you
If you run a handful of websites and use a provider with ACME-based automation (Let’s Encrypt, ZeroSSL, most commercial CAs), you may not need to do anything. Your automation already handles renewals and will keep doing so.
If you manage certificates more manually (issuing through a CA portal, updating load balancers by hand, tracking expirations in a spreadsheet), then March 2026 is a good reason to start moving toward automation before the 100-day milestone in 2027 and the 47-day endpoint in 2029 make manual management genuinely impossible.
Either way, the first step is knowing what you have. It’s surprisingly common for organizations to have certificates they’ve lost track of, running on internal services, cloud load balancers, or legacy infrastructure. A tool like SSLboard can give you visibility into your TLS certificates across domains, and QCReady can show you which endpoints are already ready for the post-quantum transition.
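One way to turn the schedule table above into an inventory check, as an added example that is not from the article or from either tool it mentions: it looks up the ceiling in force when each certificate was issued, flags validity or domain-validation reuse beyond that ceiling, and derives a renewal date. The two-thirds renewal point and the pre-2026 validation-reuse limit are assumptions; the inventory is constructed sample data.

```python
from datetime import date, timedelta

# (effective date, max validity days, max domain-validation reuse days) from the article's table
SC081_SCHEDULE = [
    (date(2026, 3, 15), 200, 200),
    (date(2027, 3, 15), 100, 100),
    (date(2029, 3, 15), 47, 10),
]
# Ceiling before the schedule starts: the 398-day validity figure is from the article;
# using 398 for validation reuse as well is an assumption.
PRE_SCHEDULE_LIMITS = (398, 398)
RENEW_FRACTION = 2 / 3  # assumption: renew at two-thirds of lifetime, as ACME clients typically do

def limits_on(day):
    """Return (max_validity_days, max_dv_reuse_days) in force on the given date."""
    limits = PRE_SCHEDULE_LIMITS
    for effective, max_validity, max_reuse in SC081_SCHEDULE:
        if day >= effective:
            limits = (max_validity, max_reuse)
    return limits

def audit_certificate(name, not_before, not_after, domain_validated_on):
    """Compare one certificate's window against the ceiling in force at issuance."""
    validity = (not_after - not_before).days
    max_validity, max_reuse = limits_on(not_before)
    return {
        "name": name,
        "validity_days": validity,
        "exceeds_ceiling": validity > max_validity,
        "stale_validation": (not_before - domain_validated_on).days > max_reuse,
        # For a 47-day cert this lands on day 31: the monthly cadence the article describes.
        "renew_on": not_before + timedelta(days=int(validity * RENEW_FRACTION)),
    }

def audit_inventory(certs):
    """Audit a list of (name, not_before, not_after, domain_validated_on) tuples."""
    return [audit_certificate(*cert) for cert in certs]

# Constructed sample inventory (not real certificates).
SAMPLE_INVENTORY = [
    ("legacy-lb", date(2025, 6, 1), date(2026, 7, 4), date(2025, 6, 1)),    # 398 days, issued before the schedule: allowed
    ("portal-cert", date(2026, 4, 1), date(2027, 2, 1), date(2026, 4, 1)),  # 306 days under the 200-day ceiling: flagged
    ("acme-site", date(2029, 4, 1), date(2029, 5, 18), date(2029, 3, 1)),   # 47 days, but validation reused after 31 days (limit 10)
]

if __name__ == "__main__":
    for finding in audit_inventory(SAMPLE_INVENTORY):
        print(finding)
```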
The 47-day deadline is coming. The organizations that use this transition to build proper automation and visibility will be in a much stronger position when the bigger cryptographic changes arrive.