The CA/Browser Forum has approved updates to the TLS Baseline Requirements that will gradually shorten SSL/TLS certificate lifetimes and the reuse period for domain validation data.
These changes will reduce certificate validity to 47 days by March 2029, with the first customer-facing impacts starting in February–March 2026 across all major Certificate Authorities, including DigiCert and Sectigo.
Additionally, new DNSSEC validation requirements will apply to domains that have DNSSEC enabled. Incorrect DNSSEC configuration may prevent certificate issuance or reissuance.
Industry-Wide Certificate Lifetime Schedule
The following timeline applies to all public TLS certificates:
| Effective Date | Maximum Certificate Lifetime | Domain/IP Validation Reuse |
|---|---|---|
| From 24 February 2026 (DigiCert) | 199 days | 199 days |
| From 12 March 2026 (Sectigo) | 199 days | 199 days |
| From 15 March 2027 | 100 days | 100 days |
| From 15 March 2029 | 47 days | 10 days |
Important Notes
- Certificates issued before 24 February 2026 (DigiCert) or 12 March 2026 (Sectigo) will remain valid until expiration.
- From these dates onward, Certificate Authorities cannot issue or reissue certificates for longer than 199 days, regardless of order length.
- Shorter lifetimes will continue to roll out according to the industry schedule above.
Order Lifetime vs Certificate Lifetime
Due to the new limits, your order lifetime and certificate lifetime may no longer be the same.
For example, if you place a 365-day order:
- You will receive an initial certificate with the maximum validity allowed at the time (199 days).
- Before this certificate expires, the certificate will be reissued covering the remaining 166 days of your order.
- This reissuance is completed at no additional cost.
Browsers only check whether the currently installed certificate is valid at the time of use. They do not evaluate the total order lifetime.
Certificate Reissuance Process
- Certificates covering the remaining 166 days are automatically reissued using your existing certificate details.
- You will be notified 4 weeks before the upcoming reissuance.
- If you need to change the CSR or certificate details, you will need to submit it before the deadline stated in the notification email.
- 1 week before the 199-day certificate expires, you will get a new certificate covering the remaining period.
- If no changes are requested, the replacement certificate will be reissued automatically to avoid service disruption.
Manual Certificate Reissuance
You may also manually reissue your certificate via the BrandShelter portal:
- Log in to the BrandShelter portal;
- Go to the SSL Certificates tab;
- Select the certificate;
- Click the menu (burger icon) next to the certificate;
- Choose Reissue.
Early Manual Reissuance – How Validity Is Calculated
If you manually reissue before the 199-day certificate expires:
- The new certificate becomes valid from the date of reissuance;
- It will cover the remaining order period, plus any unused time from the current certificate, up to a maximum of 199 days.
Example:
If you reissue on day 169 of the 199-day certificate, the new certificate will cover:
- Remaining 166 days of the order;
- Plus the 30 unused days from the original certificate.
This allows flexibility if you need to reissue earlier for operational reasons.
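As an added illustration (not BrandShelter or CA code), the sketch below applies the lifetime table and the early-reissuance rule above to list every certificate an order will need. It assumes the later 100-day and 47-day caps apply to reissues in the same way as the 199-day cap; the function names and order dates are constructed for the example.

```python
from datetime import date, timedelta

# Maximum certificate lifetime by issuance date, from the table above
# (DigiCert's first effective date; Sectigo's is 12 March 2026).
LIFETIME_CAPS = [
    (date(2026, 2, 24), 199),
    (date(2027, 3, 15), 100),
    (date(2029, 3, 15), 47),
]

def max_lifetime(issued_on: date) -> int:
    """Lifetime cap in days for a certificate issued on issued_on."""
    caps = [days for start, days in LIFETIME_CAPS if issued_on >= start]
    if not caps:
        raise ValueError("issuance date predates the schedule on this page")
    return caps[-1]

def issue(issued_on: date, order_end: date) -> tuple[date, date]:
    """Validity window of a certificate (re)issued on issued_on.

    It runs to the end of the order ("remaining order period plus unused
    time") unless the cap in force on the issuance date cuts it short.
    Assumption: caps after 2026 are applied to reissues in the same way.
    """
    if issued_on >= order_end:
        raise ValueError("order has already ended")
    cap = timedelta(days=max_lifetime(issued_on))
    return issued_on, min(issued_on + cap, order_end)

def plan_order(order_start: date, order_days: int = 365, lead_days: int = 7):
    """List the certificates an order needs when each one is replaced
    lead_days before expiry (7 matches the automatic reissuance above)."""
    order_end = order_start + timedelta(days=order_days)
    certs = [issue(order_start, order_end)]
    while certs[-1][1] < order_end:
        reissue_on = certs[-1][1] - timedelta(days=lead_days)
        if reissue_on <= certs[-1][0]:
            raise ValueError("lead time must be shorter than the lifetime")
        certs.append(issue(reissue_on, order_end))
    return certs

if __name__ == "__main__":
    for start in (date(2026, 3, 1), date(2027, 4, 1)):  # constructed orders
        for not_before, not_after in plan_order(start):
            print(start, not_before, not_after, (not_after - not_before).days)
```

A 365-day order placed under the 199-day cap needs two certificates, while the same order placed under the 100-day cap needs four, so each order then depends on several successful reissuances and valid domain validation at each one.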
Domain Validation (DCV) Reuse Changes
DigiCert – From 24 February 2026
New domains
- Any domains validated on and after February 24, 2026, can be reused for up to 199 days.
- Revalidation will be required every 199 days (instead of 397 days today).
Existing domains
- For domains validated on or before August 9, 2025, their domain validations will expire immediately on February 24, 2026.
- For domains validated on or after August 10, 2025, these domain validations will remain valid through February 24, 2026, but will expire after 199 days.
Sectigo – From 12 March 2026
Sectigo will enforce a 199-day domain validation reuse limit starting 12 March 2026.
After this date:
- Any domain validation older than the allowed reuse period must be revalidated before new certificate issuance or reissuance.
→ What this means for you
- No existing certificates will be revoked.
- You should prepare to revalidate domains every 199 days.
- Reviewing domain validation expiration dates is strongly recommended.
- The required validation method will depend on your current setup (DNS, HTTPS, or email validation).
If you need any assistance, please do not hesitate to contact your dedicated Account Manager or our support team.
DNSSEC Validation Requirement
Starting 3 March 2026, DigiCert will begin enforcing DNSSEC validation checks, as part of domain control validation (DCV) and CAA verification, for domains where DNSSEC is enabled.
If DNSSEC is enabled for your domain:
- DigiCert will validate the DNSSEC chain during certificate issuance or reissuance.
- DNSSEC misconfiguration (for example, expired signatures, or mismatched DS records) may prevent certificate issuance or reissuance.
At this time, this requirement applies to DigiCert certificates only. Other Certificate Authorities may introduce similar requirements in the future.
Domains without DNSSEC enabled are not affected by this requirement.
What to do if DNSSEC is misconfigured
If DNSSEC is enabled for your domain and certificate issuance fails due to DNSSEC validation errors, the DNSSEC configuration may need to be refreshed.
In most cases, this can be resolved by regenerating DNSSEC signatures in BrandShelter:
- Log in to the BrandShelter portal and open Domains → Portfolio.
- Select the affected domain.
- Click DNSSEC in the bottom action bar and choose Disable DNSSEC.
- Repeat the process and choose Enable DNSSEC to regenerate DNSSEC signatures.
After making changes, allow up to 48–72 hours for DNS propagation before requesting or reissuing a certificate.
How to verify that DNSSEC is correctly configured
After the propagation period:
- In the top navigation bar, open Domain Tools and select Dig.
- Enter your domain name and click Dig.
Expected result:
- status: NOERROR – DNSSEC is working correctly.
- status: SERVFAIL or messages such as RRSIGs Missing – DNSSEC is still misconfigured.
If DNSSEC validation remains unsuccessful after propagation, please contact our team for assistance.
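The same check can be scripted against saved `dig +dnssec` output for a domain that has DNSSEC enabled. This added example (not part of the BrandShelter tooling) goes slightly beyond the status line: it also checks the RRSIG validity dates and the resolver's `ad` flag. The sample output, domain and function name are constructed.

```python
import re
from datetime import datetime, timezone

# RRSIG rdata: type covered, algorithm, labels, original TTL,
# signature expiration, signature inception, key tag, signer, signature.
RRSIG_RE = re.compile(
    r"\sIN\s+RRSIG\s+(\S+)\s+\d+\s+\d+\s+\d+\s+(\d{14})\s+(\d{14})\s")

def _ts(value: str) -> datetime:
    """Parse an RRSIG timestamp (YYYYMMDDHHMMSS, UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def check_dig(output: str, now: datetime) -> tuple[bool, str]:
    """Classify `dig +dnssec` output for a DNSSEC-enabled domain."""
    status = re.search(r"status: (\w+)", output)
    if status is None:
        return False, "no status line found"
    if status.group(1) != "NOERROR":          # e.g. SERVFAIL
        return False, f"status {status.group(1)}"
    sigs = RRSIG_RE.findall(output)
    if not sigs:
        return False, "RRSIGs missing"
    for covered, expiration, inception in sigs:
        if _ts(inception) > now:
            return False, f"RRSIG {covered} not yet valid"
        if _ts(expiration) <= now:
            return False, f"RRSIG {covered} expired"
    # The ad flag is only set when the resolver validated the answer itself.
    flags = re.search(r"^;; flags: ([a-z ]+);", output, re.M)
    if flags is None or "ad" not in flags.group(1).split():
        return False, "no ad flag: resolver did not validate the answer"
    return True, "validated"

# Constructed sample output; the signature field is a placeholder.
SAMPLE_OK = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.com. 300 IN A 192.0.2.10
example.com. 300 IN RRSIG A 13 2 300 20260410000000 20260311000000 12345 example.com. c2FtcGxl
"""

if __name__ == "__main__":
    print(check_dig(SAMPLE_OK, datetime(2026, 3, 20, tzinfo=timezone.utc)))
```

A NOERROR answer without the `ad` flag usually means the resolver queried does not validate, so repeat the lookup through a validating resolver before treating the domain as healthy.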
FAQs
Are SSL certificates becoming more expensive?
• No. There is no price increase.
Why are certificate lifetimes changing?
• Shorter certificate lifetimes improve security by:
- Limiting exposure if a certificate is compromised.
- Improving compliance readiness.
- Reducing reliance on long-lived domain and IP validation data.
- Improving overall security hygiene through more frequent certificate rotation.
• Browsers only verify that a certificate is valid at the time of use. They do not evaluate the total order lifetime.
Why does my certificate expire before my order ends?
• Industry rules limit certificate lifetimes. Longer orders are fulfilled through multiple certificate reissues.
Will I need to revalidate my domain more often?
• Yes. Domain validation reuse periods are being reduced to 199 days in 2026 and will continue to shorten over time, reaching 10 days by 2029.
Are existing certificates affected?
• No. Certificates issued before 24 February or 15 March 2026 remain valid until they expire.
Can I purchase a certificate for the exact certificate lifetime instead of 365 days?
• Not at this time. To keep the transition simple while certificate lifetimes continue to change, certificates are currently offered with a 365-day coverage period. As industry limits are reduced further in the future, we plan to introduce additional shorter purchase options.