The Clock is Ticking: Why TLS/SSL Certificate Lifespans are Shrinking in 2026

The era of “once-a-year” TLS certificate renewal is officially ending. Starting March 15, your manual renewal workload will double, and by 2029 it will increase nearly 8x.

The Certification Authority Browser Forum (CA/Browser Forum) has voted to shorten both the lifetime of TLS certificates (also known as SSL certificates) and the reusability of CA-validated information in certificates. A schedule incrementally shortens the lifespan beginning in March 2026.

The CA/B Forum is a voluntary group of certificate authorities (CAs), vendors of internet browser software, and suppliers of other applications that use X.509 digital certificates for TLS/SSL and code signing. Since its creation in 2005, the Forum has defined standards for the CA industry based on industry best practices.

The ballot argues that shorter lifetimes are necessary for many reasons, the most prominent being that the information in certificates is steadily becoming less trustworthy over time, a problem that can only be mitigated by frequent revalidation.

The ballot also argues that the revocation system using CRLs and OCSP is unreliable. Indeed, browsers often ignore these features. The ballot has a long section on the failings of the certificate revocation system. Shorter lifetimes mitigate the effects of using potentially revoked certificates.

The schedule is as follows:

| Date | Max Certificate Lifetime | Renewals Per Year (Manual) |
|---|---|---|
| Today | 398 Days | 1 |
| March 15, 2026 | 200 Days | 2 |
| March 15, 2027 | 100 Days | 4 |
| March 15, 2029 | 47 Days | ~8 |
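To see how the schedule affects a given certificate, the following added example (not from the original article or from the CA/Browser Forum) checks a certificate's validity dates against the caps in the table and reports the cap its replacement will face. It assumes the cap is keyed on the issuance date (notBefore); the function names and sample dates are constructed for illustration.

```python
import ssl
from datetime import datetime, timezone

# Caps from the schedule above: (effective date, max lifetime in days).
# The "Today" row has no start date, so 398 days is the default.
DEFAULT_MAX_DAYS = 398
SCHEDULE = [
    (datetime(2026, 3, 15, tzinfo=timezone.utc), 200),
    (datetime(2027, 3, 15, tzinfo=timezone.utc), 100),
    (datetime(2029, 3, 15, tzinfo=timezone.utc), 47),
]

def parse_cert_time(text):
    """Parse the 'Apr  1 00:00:00 2026 GMT' form used by getpeercert()."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), tz=timezone.utc)

def max_days_for(issued):
    """Lifetime cap in force on an issuance date (assumption: keyed on notBefore)."""
    cap = DEFAULT_MAX_DAYS
    for effective, days in SCHEDULE:
        if issued >= effective:
            cap = days
    return cap

def audit(cert, now):
    """Audit a dict with 'notBefore' and 'notAfter' strings, as getpeercert() returns."""
    not_before = parse_cert_time(cert["notBefore"])
    not_after = parse_cert_time(cert["notAfter"])
    lifetime = (not_after - not_before).days      # whole days of validity
    next_cap = max_days_for(not_after)            # cap on the replacement cert
    return {
        "lifetime_days": lifetime,
        "within_cap": lifetime <= max_days_for(not_before),
        "days_left": (not_after - now).days,
        "next_cert_cap": next_cap,
        "manual_renewals_per_year": -(-365 // next_cap),  # ceiling division
    }

# Constructed sample values, not taken from any real certificate.
SAMPLE_NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)
SAMPLE_OK = {"notBefore": "Feb  1 00:00:00 2026 GMT", "notAfter": "Mar  5 00:00:00 2027 GMT"}
SAMPLE_TOO_LONG = {"notBefore": "Apr  1 00:00:00 2026 GMT", "notAfter": "May  3 00:00:00 2027 GMT"}

if __name__ == "__main__":
    for name, cert in (("ok", SAMPLE_OK), ("too long", SAMPLE_TOO_LONG)):
        print(name, audit(cert, SAMPLE_NOW))
```

The same `audit` function accepts the dictionary returned by `ssl.SSLSocket.getpeercert()` on a live connection, so it can be run across an inventory of hosts.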

Automatic Certificate Management Environment (ACME) was introduced in 2016 with Let’s Encrypt, a free, automated, and open Certificate Authority (CA) run by the non-profit Internet Security Research Group (ISRG). Before that, and still to this day, system administrators commonly renewed SSL/TLS certificates about once a year through providers such as GoDaddy, Comodo, Thawte, and more. This was a manual process that ultimately took up to an hour and could stretch over a few days, depending on what you ran into. These one-year certificates all cost money, usually around $100.

With certificates moving to a 47-day lifespan, the window for error vanishes. A single missed email or a staff member on vacation could mean an immediate site-wide outage.

These days, you can run a certificate management program that automatically renews the certificate about every 60 days through a service such as Let’s Encrypt. Some are free, but the better ones cost money. There are now other certificate providers as well, such as DigiCert/CertCentral, Sectigo/Comodo, GlobalSign, and ZeroSSL.

While free options like Let’s Encrypt are great for basic needs, enterprise-grade automation (via DigiCert or Sectigo) provides the OV/EV validation and warranty coverage that businesses actually need to stay compliant and insured.

If you are still manually purchasing and installing TLS certificates, we recommend switching to an ACME provider and automating your requests. For the most part, it’s a “set and forget” implementation. Doing so will make transitioning to short renewal periods a breeze!

Don’t wait for March 15 to find out your manual process is broken. Transitioning to an ACME-based automated solution now means your team never has to worry about a “Your Connection is Not Private” error again. Contact CF Webtools today for a free audit of your current certificate lifecycle.
