Shorter TLS certificate lifetimes: what you need to know
The CA/Browser Forum (CA/B Forum) the industry that brings together certificate authorities (such as DigiCert and Sectigo, our partners) and major browser vendors (Google, Mozilla, Apple, Microsoft, etc.) has decided to progressively reduce the validity period of TLS certificates.
This change aims to improve overall web security by reducing the exposure window if a certificate is compromised.
What this means for you
Starting March 15, 2026, a new reduction phase will take effect:
- Validity period : newly issued TLS certificates will have a maximum lifetime of 200 days, down from the current 398 days.
- Implementation timeline : this change applies only to certificates issued on or after March 15, 2026. Certificates issued before that date will remain valid until their existing expiration date.
- More frequent renewals : as a result, certificates will need to be renewed or reissued every 200 days.
More automation is coming
With certificates requiring more frequent renewal, manual management quickly becomes impractical. That’s why we are actively working on fully automating certificate renewals using the ACME protocol, the industry standard supported by leading certificate authorities.
Very soon, Gandi will enable you to manage your TLS certificates in a fully automated way, delivering greater simplicity and stronger security.
What about existing solutions?
No need to worry:
- The current system will not be discontinued.
- It will remain available at least until 2027.
- However, it will be affected by the shorter certificate lifetimes, in line with CA/B Forum requirements.
