The security and IT operations world has experienced a major shift this year – the maximum validity period for public TLS/SSL certificates has been cut from around 398 days to just 200 days.
If you rely on digital certificates to secure your applications, load balancers, or APIs, this change will affect you directly, starting from now.
Here’s a Q&A explaining what’s changing, why it’s happening, and how you can prepare – including how platforms like AppViewX can help you stay ahead.

What exactly is happening?
As of 15 March 2026, the maximum lifetime for publicly trusted TLS/SSL certificates has dropped to 200 days.
Further reductions are already on the roadmap – to 100 days in 2027 and just 47 days by 2029 – as part of the industry’s move towards faster certificate lifecycles and stronger automation.
This means you will have to renew and deploy certificates at least twice as often as you’ve done up until now. Manual management will quickly become unmanageable.
Why is this happening?
The change is being driven by the CA/Browser Forum to improve trust, agility, and resilience across the internet. In addition, the NCSC’s timeline for Post-Quantum Cryptography (PQC) readiness is a key driver for organisations to bring their certificate estate fully in line with PQC standards.
Here’s why:
- Reduced exposure to risk – Shorter lifetimes mean less chance for compromised or mis-issued certificates to be exploited.
- Push towards automation – Frequent renewals encourage organisations to automate certificate management.
- Improved crypto agility – Easier adoption of stronger algorithms and post-quantum standards when needed.
- Greater industry consistency – Aligning certificate policies across browsers, CAs, and public trust frameworks.
What if I renewed before 15 March 2026?
If your certificate was issued before the deadline, it could still have the previous maximum validity (around 398 days). However, any certificate issued on or after 15 March 2026 must follow the new 200-day rule – even if the renewal process started earlier.
In other words, it’s the issue date, not the renewal request date, that determines compliance.
What do I need to do to manage 200-day TLS certificates?
Manual management is becoming harder. Here are the first key steps to follow:
- Audit your certificate estate – Identify all TLS/SSL certificates across your infrastructure, devices, and applications.
- Map your renewal processes – Which certificates are automated? Which are still manually renewed or deployed?
- Adopt automation – Move to a Certificate Lifecycle Management (CLM) platform such as AppViewX AVX ONE, which integrates with CAs, DNS, load balancers, and app servers to handle renewals automatically.
- Establish visibility and alerts – Use dashboards to monitor expiry dates, validation status, and compliance.
- Test and tune workflows – Run mock renewals, test integrations, and ensure zero-downtime deployment of new certificates.
- Educate teams and stakeholders – Everyone involved in DevOps, security, and compliance should understand what’s changing and why.
With AppViewX, much of this can be centralised, providing full visibility of certificates, automated renewals via ACME or API integration, and policy-driven compliance across hybrid or multi-cloud environments.
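The issue-date rule and the audit and alerting steps above can be combined into one check over an inventory. This is an added example, not AppViewX or FullProxy code: it assumes the cutover falls at 00:00 UTC on 15 March 2026, takes certificates in the notBefore/notAfter format returned by Python's `ssl.SSLSocket.getpeercert()`, and uses constructed hostnames and dates.

```python
import ssl
from datetime import datetime, timezone

# Limits as stated on this page; the 00:00 UTC cutover time is an assumption.
CUTOVER = datetime(2026, 3, 15, tzinfo=timezone.utc)
MAX_DAYS_BEFORE, MAX_DAYS_AFTER = 398, 200


def parse_cert_time(value):
    # Parses the "Mar 15 00:00:00 2026 GMT" form used by getpeercert().
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def audit(certs, now, warn_days=30):
    """Return one finding per certificate, soonest expiry first."""
    findings = []
    for name, cert in certs.items():
        issued = parse_cert_time(cert["notBefore"])
        expires = parse_cert_time(cert["notAfter"])
        # The issue date, not the renewal request date, selects the limit.
        limit = MAX_DAYS_AFTER if issued >= CUTOVER else MAX_DAYS_BEFORE
        lifetime = (expires - issued).total_seconds() / 86400
        days_left = int((expires - now).total_seconds() // 86400)
        if days_left < 0:
            status = "expired"
        elif lifetime > limit:
            status = "over-limit"
        elif days_left <= warn_days:
            status = "renew-now"
        else:
            status = "ok"
        findings.append({"name": name, "limit": limit,
                         "days_left": days_left, "status": status})
    return sorted(findings, key=lambda f: f["days_left"])


# Constructed inventory (hypothetical hosts and dates).
SAMPLE = {
    "www.example.test": {"notBefore": "Mar 10 00:00:00 2026 GMT",
                         "notAfter": "Apr 11 23:59:59 2027 GMT"},
    "api.example.test": {"notBefore": "Mar 20 00:00:00 2026 GMT",
                         "notAfter": "Apr 21 23:59:59 2027 GMT"},
    "lb.example.test": {"notBefore": "Mar 25 00:00:00 2026 GMT",
                        "notAfter": "Oct 10 23:59:59 2026 GMT"},
}

if __name__ == "__main__":
    for finding in audit(SAMPLE, datetime(2026, 9, 20, tzinfo=timezone.utc)):
        print(finding)
```

The first two sample certificates have the same lifetime of just under 398 days; only the one issued after the cutover is flagged as over the limit.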
Will this increase costs?
Not necessarily in licensing terms – most CAs price by certificate, not duration. However, the operational cost of managing renewals manually will rise sharply. Automating through a platform like AVX ONE offsets that by eliminating human error, reducing outages, and freeing up team capacity.
Has this affected all certificates?
This change applies to publicly trusted certificates – those used for websites and internet-facing services. Internal or private PKI certificates aren’t bound by the same rules, but aligning them to similar lifecycles is considered best practice. It simplifies management and ensures consistency across environments.
What about validation reuse for OV/EV certificates?
For Organisation Validation (OV) and Extended Validation (EV) certificates, the reuse periods for domain and organisation validation are also shortening in line with the certificate lifetimes.
That means even your validation data (like proof of domain control) must be refreshed more frequently, reinforcing the need for automation.
What happens if we don’t review the way we manage our certificates?
The risks are significant:
- Service outages from expired certificates.
- Security and compliance issues due to missed renewals or outdated policies.
- Brand damage and SLA breaches if customer-facing applications go down.
- Operational chaos from increased renewal frequency without proper tooling.
- Potential security breaches from weak trust handling.
In short, doing nothing isn’t an option, and automation will become unavoidable.
How can AppViewX help?
AppViewX’s AVX ONE platform simplifies and automates the entire certificate lifecycle:
- Discovery and inventory – Automatically locate every certificate in your environment.
- Automation – Use ACME or API-based integrations to renew and deploy certificates without manual steps.
- Policy enforcement – Ensure compliance with the new 200-day limits and internal governance policies.
- Integration – Seamlessly connects with F5 BIG-IP, Azure Key Vault, AWS ACM, and leading CAs.
- Reporting and analytics – Real-time visibility into expiry risks and certificate health.
With these capabilities, AppViewX customers can adapt to the new shorter lifecycles without adding administrative overhead or risking downtime.
What’s next?
This year’s 200-day certificate limit marks a turning point in digital trust.
It’s a push towards automation, agility, and proactive security that organisations across the globe need to take into account. If you haven’t yet moved to automated certificate lifecycle management, now is the time.
Platforms like AppViewX’s AVX ONE CLM ensure you’re ready for further lifecycle reductions, and our expert consultants here at FullProxy are on hand to implement and onboard the platform for you.