The End of Annual TLS Certificates (And Why You Should Welcome It)

Starting March 15, 2026, TLS validity marches toward 47 days. Here's what's driving the change, what it means for your infrastructure, and the PQC connection.

This week, something changes in the world of TLS certificates. On March 15, 2026, the maximum validity period for publicly trusted TLS certificates drops from 398 days to 200 days. That is six days from the time this article is published.

Most websites will not break. Most administrators will not notice anything immediately. But this is the first step in a carefully scheduled reduction that ends with 47-day certificates by March 2029 — and the reasons behind that schedule connect directly to where web security is heading in a post-quantum world.

TL;DR: Annual TLS certificates are going away in stages, ending with 47-day certs by March 2029. Teams that automate renewals now will be in much better shape for both reliability and post-quantum crypto changes.

How We Got Here

For years, certificates could be valid for up to 825 days — roughly two years and three months. The CA/Browser Forum, the industry body that governs how certificate authorities and browser vendors cooperate on TLS trust, gradually tightened that to 398 days (just over one year).

Last year (April 2025), the Forum passed Ballot SC-081, setting a schedule to keep reducing that ceiling:

Effective date     Maximum validity   Domain validation reuse
March 15, 2026     200 days           200 days
March 15, 2027     100 days           100 days
March 15, 2029     47 days            10 days

The 47-day figure is not arbitrary. The ballot derives it as one maximal month (31 days) plus half of a 30-day month (15 days) plus one day of slack: enough to renew monthly with a comfortable buffer, while keeping the window short enough that compromised or mis-issued certificates age out quickly. The domain validation reuse column is how long a CA may rely on a completed proof of domain control before it must re-validate; by 2029 that drops to 10 days, so a renewal pipeline effectively re-proves control of the name on every issuance.

Why Shorter Is Safer

A certificate is a promise: “this public key belongs to this domain.” But promises can go stale. A certificate issued to a domain you once controlled stays valid until it expires, whether or not you still control that domain. The same is true of a certificate issued with a bug, or one whose private key was quietly compromised.

Shorter validity periods limit the blast radius of all of those scenarios. If a certificate is valid for 47 days rather than 398 days, then a mis-issuance or compromise is self-correcting much faster, without anyone having to revoke it and hope every browser notices the revocation. That hope is not well founded today: mainstream browsers do not block on live OCSP or CRL lookups and rely instead on periodically pushed summaries such as Chrome's CRLSets and Firefox's CRLite, so a revoked certificate can keep working for days. Expiry, by contrast, is enforced by every client unconditionally.

There is also a more subtle benefit: shorter certificate lifetimes force automation. When renewals happen every few weeks instead of once a year, nobody can manage them by hand at scale. This is the industry's way of pushing organizations toward certificate lifecycle management that does not depend on an engineer remembering a calendar reminder.

The Post-Quantum Connection

Here is where this intersects with the broader shift toward quantum-resistant cryptography.

The current debate around post-quantum certificates, including the Merkle Tree Certificates proposal from Google's Chrome team and Cloudflare (draft-davidben-tls-merkle-tree-certs), is partly a debate about how often certificate infrastructure needs to update. Merkle Tree Certificates replace the chain of large post-quantum signatures with an inclusion proof against a tree that the CA republishes on a fixed cadence, which only works if certificates are short-lived and issuance is fully automated. Shorter-lived certificates mean more frequent issuance, but they also mean cryptographic agility: when better algorithms are available, the window between “available” and “deployed everywhere” shrinks.

A world with 47-day certificates is a world that is structurally better at rotating cryptographic material. That matters a great deal when the task at hand is migrating the entire web’s PKI to post-quantum signature algorithms without breaking anything.

What This Means for You

If you run a handful of websites and use a certificate provider with ACME-based automation (Let’s Encrypt, ZeroSSL, and many commercial CAs), you may need to do nothing at all. Your automation already handles renewals and will continue to do so. One check is still worth making: a renewal trigger written as a fixed “30 days before expiry” is sensible for a 90-day certificate but leaves a 47-day certificate barely two weeks in service. Configure the client to renew at a fraction of the lifetime (a third remaining is common) or, better, to honour the CA's suggested window via ACME Renewal Information (ARI, RFC 9773), which several ACME clients already support.

If you manage certificates more manually — issuing them through a CA portal, updating them in load balancers by hand, or tracking them in a spreadsheet — March 2026 is a useful nudge to start moving toward automation before the 100-day milestone in 2027 and the 47-day endpoint in 2029 make manual management genuinely untenable.

Either way, the first step is knowing what you have. It is surprisingly common for organizations to have certificates they have lost track of — running on internal services, cloud load balancers, or legacy infrastructure. A tool like SSLboard can give you a picture of your TLS certificate landscape across your domains, and QCReady can tell you which of those endpoints are already prepared for the post-quantum transition.
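As an added example for both the automation point above and the inventory step here (this is not code from the article, nor from SSLboard or QCReady), the script below encodes the SC-081 schedule, judges each certificate's lifetime against the ceiling that applied when it was issued, computes a renewal deadline, and flags certificates whose renewal job has evidently stopped. The schedule dates and ceilings are those in the ballot; the renew-at-two-thirds rule is an assumption borrowed from Let's Encrypt's guidance for its 90-day certificates, the host names are constructed, and only the Python 3.9+ standard library is used.

```python
"""Inventory TLS certificates and check them against the SC-081 validity schedule.

Added example, not code from the original article. Standard library only.
"""
import socket
import ssl
from dataclasses import dataclass
from datetime import datetime, timezone


def utc(year: int, month: int, day: int) -> datetime:
    """Midnight UTC on the given date (helper so callers need no tz imports)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


# Maximum validity in days for certificates issued on or after each date.
# The 398-day ceiling has applied since September 2020; before that it was 825.
SCHEDULE = [
    (utc(2029, 3, 15), 47),
    (utc(2027, 3, 15), 100),
    (utc(2026, 3, 15), 200),
    (utc(2020, 9, 1), 398),
]


def max_validity_days(issued: datetime) -> int:
    """Ceiling that applied to a certificate whose notBefore is `issued`."""
    for start, days in SCHEDULE:
        if issued >= start:
            return days
    return 825


@dataclass
class CertFinding:
    name: str
    not_before: datetime
    not_after: datetime
    allowed_days: int
    renew_by: datetime

    @property
    def validity_days(self) -> float:
        # The Baseline Requirements count notBefore through notAfter inclusive;
        # the plain difference is within one second of that, fine for flagging.
        return (self.not_after - self.not_before).total_seconds() / 86400

    @property
    def compliant(self) -> bool:
        return self.validity_days <= self.allowed_days

    def days_left(self, now: datetime) -> float:
        return (self.not_after - now).total_seconds() / 86400

    def overdue(self, now: datetime) -> bool:
        """True once the renewal deadline has passed: the pipeline is stuck."""
        return now >= self.renew_by


def assess(name: str, not_before: datetime, not_after: datetime) -> CertFinding:
    lifetime = not_after - not_before
    # Assumption: renew at two-thirds of lifetime (Let's Encrypt's practice for
    # 90-day certs), so a failed renewal leaves a third of the lifetime to fix it.
    renew_by = not_before + lifetime * 2 / 3
    return CertFinding(name, not_before, not_after,
                       max_validity_days(not_before), renew_by)


def fetch(host: str, port: int = 443, timeout: float = 5.0) -> CertFinding:
    """Pull the leaf certificate's dates from a live endpoint (needs network).

    A verifying context is used on purpose: an untrusted internal certificate
    raises ssl.SSLCertVerificationError rather than being silently skipped.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    not_before = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return assess(f"{host}:{port}", not_before, not_after)


def report(findings: list[CertFinding], now: datetime) -> list[str]:
    """One line per certificate, worst first: over the ceiling, then overdue."""
    ordered = sorted(findings, key=lambda f: (f.compliant, not f.overdue(now)))
    lines = []
    for f in ordered:
        status = "OK" if f.compliant else (
            f"TOO LONG ({f.validity_days:.0f}d > {f.allowed_days}d)")
        if f.overdue(now):
            status += " RENEWAL OVERDUE"
        lines.append(f"{f.name}: valid {f.not_before:%Y-%m-%d}..{f.not_after:%Y-%m-%d}, "
                     f"{f.days_left(now):.0f}d left, renew by {f.renew_by:%Y-%m-%d}, {status}")
    return lines


if __name__ == "__main__":
    # Constructed sample inventory (not real endpoints): an annual cert issued
    # after the first cutover, a healthy ACME cert, and an ACME cert whose
    # renewal job has silently stopped.
    now = utc(2026, 6, 1)
    sample = [
        assess("legacy-lb.example.com", utc(2026, 4, 1), utc(2027, 4, 1)),
        assess("www.example.com", utc(2026, 5, 20), utc(2026, 8, 18)),
        assess("api.example.com", utc(2026, 3, 20), utc(2026, 6, 18)),
    ]
    for line in report(sample, now):
        print(line)
```

Run it as-is for the constructed sample, or replace the sample with `fetch(host)` calls over your own host list to build a real inventory; the "RENEWAL OVERDUE" flag is the one that catches a renewal job that died quietly weeks before the outage.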

The clock toward 47 days is ticking. The organizations that use this transition to build proper automation and visibility will be much better positioned when the bigger cryptographic changes of the post-quantum era arrive.
