Shorter SSL/TLS certificate lifetimes: what you need to know
The CA/Browser Forum, the consortium that brings together certificate authorities (such as DigiCert and Sectigo, our partners) and major browser vendors (Google, Mozilla, Apple, Microsoft, etc.) has decided to progressively reduce the validity period of SSL/TLS certificates.
This change aims to improve overall web security by reducing the exposure window if a certificate is compromised.
What this means for you
In the first quarter of 2026, a new phase of the reduction comes into effect:
- Validity period: newly issued SSL/TLS certificates have a maximum lifetime of 200 days, down from the previous 398 days.
- Implementation timeline: this measure applies only to certificates issued or reissued on or after the following dates, depending on the certification authority (please note that certificates issued before these dates will remain valid until their current expiration date):
- DigiCert: February 24, 2026
- Sectigo: March 12, 2026
- More frequent renewals: as a result, certificates will need to be renewed or reissued every 200 days.
More automation is coming
With certificates requiring more frequent renewal, manual management quickly becomes impractical. That’s why we are actively working on fully automating certificate renewals using the ACME protocol, the industry standard supported by leading certificate authorities.
Very soon, Gandi will enable you to manage your SSL/TLS certificates in a fully automated way, delivering greater simplicity and stronger security.
What about existing solutions?
No need to worry:
- The current system will not be discontinued.
- It will remain available at least until 2027.
- However, it will be affected by the shorter certificate lifetimes, in line with CA/Browser Forum requirements.
