From March 2026, the security and IT operations world will experience a major shift – the maximum validity period for public TLS/SSL certificates is being cut from around 398 days to just 200 days.
If you rely on digital certificates to secure your applications, load balancers, or APIs, this change will affect you directly.
Here’s a Q&A explaining what’s changing, why it’s happening, and how you can prepare, including how platforms like AppViewX can help you stay ahead.

What exactly is happening?
From 15 March 2026, the maximum lifetime for publicly trusted TLS/SSL certificates will drop to 200 days.
Further reductions are already on the roadmap – to 100 days in 2027 and just 47 days by 2029 – as part of the industry’s move towards faster certificate lifecycles and stronger automation.
This means you will have to renew and deploy certificates at least twice as often as you do today. Manual management will quickly become unmanageable.
Why is this happening?
The change is being driven by the CA/Browser Forum to improve trust, agility, and resilience across the internet. In addition, the NCSC’s timeline for Post-Quantum Cryptography (PQC) readiness is a key driving factor for organisations to ensure their certificate estate is fully in line with PQC standards.
Here’s why:
- Reduced exposure to risk – Shorter lifetimes mean less chance for compromised or mis-issued certificates to be exploited.
- Push towards automation – Frequent renewals encourage organisations to automate certificate management.
- Improved crypto agility – Easier adoption of stronger algorithms and post-quantum standards when needed.
- Greater industry consistency – Aligning certificate policies across browsers, CAs, and public trust frameworks.
What if I renew before 15 March 2026?
If your certificate is issued before the deadline, it can still have the current maximum validity (around 398 days). However, any certificate issued on or after 15 March 2026 must follow the new 200-day rule – even if the renewal process started earlier.
In other words, it’s the issue date, not the renewal request date, that determines compliance.
How can I prepare for 200-day TLS certificates in 2026?
Preparation starts now. Here’s what to do:
- Audit your certificate estate – Identify all TLS/SSL certificates across your infrastructure, devices, and applications.
- Map your renewal processes – Which certificates are automated? Which are still manually renewed or deployed?
- Adopt automation – Move to a Certificate Lifecycle Management (CLM) platform such as AppViewX AVX ONE, which integrates with CAs, DNS, load balancers, and app servers to handle renewals automatically.
- Establish visibility and alerts – Use dashboards to monitor expiry dates, validation status, and compliance.
- Test and tune workflows – Run mock renewals, test integrations, and ensure zero-downtime deployment of new certificates.
- Educate teams and stakeholders – Everyone involved in DevOps, security, and compliance should understand what’s changing and why.
With AppViewX, much of this can be centralised, providing full visibility of certificates, automated renewals via ACME or API integration, and policy-driven compliance across hybrid or multi-cloud environments.
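As an added illustration of the audit and alerting steps above, and of the rule that the issue date decides which limit applies, here is a small standard-library Python check. It is not AppViewX or FullProxy code; the host names, dates, and 30-day renewal window are constructed assumptions, and the inventory stands in for notBefore/notAfter values exported by a discovery scan.

```python
from datetime import datetime, timedelta, timezone

# Limits as stated on this page: about 398 days before the cut-over,
# 200 days for anything issued on or after 15 March 2026.
CUTOVER = datetime(2026, 3, 15, tzinfo=timezone.utc)
LIMIT_BEFORE = timedelta(days=398)
LIMIT_AFTER = timedelta(days=200)

# Constructed inventory (hypothetical hosts and dates): host, notBefore, notAfter.
# Lifetime is simplified here to notAfter minus notBefore.
INVENTORY = [
    ("www.example.test", "2026-03-14T09:00:00", "2027-04-16T09:00:00"),
    ("api.example.test", "2026-03-15T00:00:00", "2027-04-17T00:00:00"),
    ("shop.example.test", "2026-04-01T12:00:00", "2026-10-18T12:00:00"),
    ("old.example.test", "2025-06-01T00:00:00", "2026-04-20T00:00:00"),
]

def parse(ts):
    # Treat every timestamp in the inventory as UTC.
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)

def max_lifetime(not_before):
    # The issue date (notBefore), not the request date, selects the limit.
    return LIMIT_AFTER if not_before >= CUTOVER else LIMIT_BEFORE

def audit(inventory, now, renew_window=timedelta(days=30)):
    # Return {host: [findings]} with policy and expiry findings per certificate.
    report = {}
    for host, nb, na in inventory:
        not_before, not_after = parse(nb), parse(na)
        findings = []
        # A 398-day certificate is fine one day before the cut-over, not after it.
        if not_after - not_before > max_lifetime(not_before):
            findings.append("over_limit")
        if not_after <= now:
            findings.append("expired")
        elif not_after - now <= renew_window:
            findings.append("renew_now")
        report[host] = findings or ["ok"]
    return report

if __name__ == "__main__":
    now = datetime(2026, 4, 2, tzinfo=timezone.utc)  # fixed date for a repeatable run
    for host, findings in audit(INVENTORY, now).items():
        print(f"{host:20} {', '.join(findings)}")
```

The first two entries have the same 398-day lifetime and differ only by one day of issuance, which is enough to move the second one out of compliance.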
Will this increase costs?
Not necessarily in licensing terms – most CAs price by certificate, not duration. However, the operational cost of managing renewals manually will rise sharply. Automating through a platform like AVX ONE offsets that by eliminating human error, reducing outages, and freeing up team capacity.
Does this affect all certificates?
This change applies to publicly trusted certificates, those used for websites and internet-facing services. Internal or private PKI certificates aren’t bound by the same rules, but aligning them to similar lifecycles is considered best practice. It simplifies management and ensures consistency across environments.
What about validation reuse for OV/EV certificates?
For Organisation Validation (OV) and Extended Validation (EV) certificates, the reuse periods for domain and organisation validation are also shortening in line with the certificate lifetimes.
That means even your validation data (like proof of domain control) must be refreshed more frequently, reinforcing the need for automation.
What happens if I don’t prepare for the 2026 changes?
The risks are significant:
- Service outages from expired certificates.
- Security and compliance issues due to missed renewals or outdated policies.
- Brand damage and SLA breaches if customer-facing applications go down.
- Operational chaos from increased renewal frequency without proper tooling.
- Potential security breaches from weak trust handling.
In short, doing nothing isn’t an option, and automation will become unavoidable.
How can AppViewX help?
AppViewX’s AVX ONE platform simplifies and automates the entire certificate lifecycle:
- Discovery and inventory – Automatically locate every certificate in your environment.
- Automation – Use ACME or API-based integrations to renew and deploy certificates without manual steps.
- Policy enforcement – Ensure compliance with the new 200-day limits and internal governance policies.
- Integration – Seamlessly connects with F5 BIG-IP, Azure Key Vault, AWS ACM, and leading CAs.
- Reporting and analytics – Real-time visibility into expiry risks and certificate health.
With these capabilities, AppViewX customers can adapt to the new shorter lifecycles without adding administrative overhead or risking downtime.
What’s next?
The upcoming 200-day certificate limit marks a turning point in digital trust.
It’s a push towards automation, agility, and proactive security that organisations across the globe need to take into account. If you haven’t yet moved to automated certificate lifecycle management, now is the time.
Platforms like AppViewX’s AVX ONE CLM ensure you’re ready for March 2026 and beyond, and our expert consultants here at FullProxy are on hand to implement and onboard the platform for you.