Last year it was widely reported that the CA/Browser Forum had voted to significantly reduce the lifespan of SSL/TLS certificates over the next 4 years, with a final lifespan of just 47 days starting in 2029. The first reduction will come into effect in a few weeks, on March 15th 2026, accelerating the need for organizations to automate their monitoring and renewal processes around certificate expiry. The CA/Browser Forum is a group of certificate authorities (CAs) and software vendors, including major CAs such as DigiCert and GlobalSign, as well as browser vendors such as Google, Apple, Mozilla, and Microsoft.

SSL/TLS certificates are digital credentials that secure communication between a client and a server by encrypting data, authenticating the server’s identity, and ensuring data integrity. They enable HTTPS and protect sensitive information such as passwords, personal data, and payment details from interception or tampering. When a user connects to a secure site, the certificate is verified by a trusted Certificate Authority before an encrypted session is established.

Although they are commonly called SSL certificates, modern systems use TLS. When certificates expire without renewal, users see a warning in their browser informing them that their connection isn’t private or secure.

Why is the Lifespan of SSL/TLS Certificates Being Reduced?

The lifespan of SSL/TLS certificates is being reduced to improve security, reduce risk, and better align with modern, automated IT environments. Shorter-lived certificates limit the damage caused by compromised private keys, mis-issued certificates, or outdated or deprecated cryptographic standards, as any exposure window is significantly reduced. In principle, the reduction sets the expectation that organizations will automate, and it should encourage the adoption of automation for certificate issuance, renewal, and rotation, reducing human error and operational risks.

A Tapered Plan for SSL/TLS Certificate Lifespan Reduction

The reduction to a 47-day maximum lifetime for certificates will be phased in over the next few years according to a schedule of:

  • March 15, 2026: the maximum lifetime for a TLS certificate will be 200 days.
  • March 15, 2027: the maximum lifetime for a TLS certificate will be 100 days.
  • March 15, 2029: the maximum lifetime for a TLS certificate will be 47 days.

The current maximum certificate lifespan is 398 days.

What is Domain Control Validation (DCV)?

Domain Control Validation (DCV) is a process used by Certificate Authorities (CAs) to verify that an individual or organization requesting an SSL/TLS certificate actually controls the domain name for which the certificate is being issued.

Domain Control Validation Reuse Reduction

The changes in maximum certificate lifetime will also be accompanied by significant reductions in the DCV reuse period allowed, which will drop to 10 days by March 2029. This means organizations will need to work on significantly tighter schedules within their certificate lifecycle processes. The DCV reuse period is concerned with how long the CAs will accept the same proof that you own and control a domain before it needs to be reverified.

The Need to Proactively Monitor SSL/TLS Certificate Expiry

Monitoring SSL certificates for expiry is critical to avoid service disruptions, browser warnings, and user trust issues. An expired certificate can block access to your website or application, break secure connections, and cause compliance failures.

It can also disrupt APIs and services, leading to lost revenue or data exposure. Regularly checking which certificates are nearing expiry ensures continuity, maintains security, and supports compliance. Alerting in advance allows timely renewal and prevents last-minute emergencies.
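As an added example (not eG Enterprise code and not part of the original article), the sketch below applies the phase-in schedule above to a certificate inventory and flags certificates that are expired, exceed the cap for their issuance date, or are due for renewal. The host names, the fixed clock and the one-third renewal threshold are assumptions made for illustration, as is the rule that each cap applies by issuance date.

```python
import ssl
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
# Phase-in schedule from the article: (effective date, maximum lifetime in days).
SCHEDULE = [(datetime(2026, 3, 15, tzinfo=UTC), 200),
            (datetime(2027, 3, 15, tzinfo=UTC), 100),
            (datetime(2029, 3, 15, tzinfo=UTC), 47)]
CURRENT_MAX_DAYS = 398  # cap in force before the first reduction


def parse_cert_time(ts):
    """Parse the 'Mar 20 00:00:00 2026 GMT' strings returned by getpeercert()."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(ts), tz=UTC)


def max_lifetime_days(issued):
    """Cap for a certificate issued at `issued`. Assumption: each cap applies
    by issuance date, so certificates issued earlier keep their original term."""
    cap = CURRENT_MAX_DAYS
    for effective, days in SCHEDULE:
        if issued >= effective:
            cap = days
    return cap


def assess(cert, now, renew_fraction=1 / 3):
    """Classify one certificate. renew_fraction is a hypothetical policy:
    alert once less than that share of the certificate's lifetime remains."""
    not_before = parse_cert_time(cert["notBefore"])
    not_after = parse_cert_time(cert["notAfter"])
    lifetime, remaining = not_after - not_before, not_after - now
    cap = max_lifetime_days(not_before)
    if remaining <= timedelta(0):
        status = "EXPIRED"
    elif lifetime > timedelta(days=cap):
        status = "OVER_CAP"
    elif remaining < lifetime * renew_fraction:
        status = "RENEW_NOW"
    else:
        status = "OK"
    return {"status": status, "cap_days": cap, "days_left": remaining.days}


# Constructed inventory (not real hosts), in getpeercert() date format.
INVENTORY = {
    "legacy.example.test": {"notBefore": "Jan 10 00:00:00 2026 GMT", "notAfter": "Feb 12 00:00:00 2027 GMT"},
    "new.example.test": {"notBefore": "Apr  1 00:00:00 2026 GMT", "notAfter": "May  1 00:00:00 2027 GMT"},
    "api.example.test": {"notBefore": "Mar 20 00:00:00 2026 GMT", "notAfter": "Jun 20 00:00:00 2026 GMT"},
    "old.example.test": {"notBefore": "May  1 00:00:00 2025 GMT", "notAfter": "May 20 00:00:00 2026 GMT"},
}
NOW = datetime(2026, 6, 1, tzinfo=UTC)  # fixed clock so results are reproducible

if __name__ == "__main__":
    for host, cert in INVENTORY.items():
        print(host, assess(cert, NOW))
```

In live use the same dictionaries come from `ssl.SSLSocket.getpeercert()` on a verified connection, with `NOW` replaced by the current UTC time.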

How eG Enterprise Monitors and Alerts on SSL/TLS Certificate Problems

eG Enterprise V7.5 introduced a number of enhancements for SSL/TLS certificate monitoring. With eG Enterprise you can answer questions including:

  • Which SSL certificates are nearing expiry? Have any expired?
  • Which (if any) SSL certificates are privately signed?
  • Certificate Chain Validity – Are root/intermediate certificates valid? Are any nearing expiry?
  • Revocation Status – Have any certificates been revoked?
  • Signature Algorithm – Are any certificates using lower strength public keys?

Further details on the SSL/TLS certificate monitoring capabilities of eG Enterprise are covered in another blog post: see Advanced Proactive SSL Certificate Monitoring | eG Innovations.

The SSL/TLS Certificate Expiry Report

For those of you using eG Enterprise and looking to prepare for the changes on March 15th, you may want to access the ready-to-go SSL Certificate Expiry Report via the “Reporter” tab in the main eG Enterprise console. Navigate to the “Reports by Function” section and then to “Domain Specific Reports -> Security and Compliance -> SSL Certificate”.

Screenshot of the eG Enterprise built-in report on SSL/TLS certificate lifetimes and expiry timescales

eG Enterprise is an Observability solution for Modern IT. Monitor digital workspaces,
web applications, SaaS services, cloud and containers from a single pane of glass.

The always available ready-to-go SSL/TLS Certificate Expiry Report within eG Enterprise will give you instant visibility on certificate validity

About the Author

Ramesh is a Product Lead at eG Innovations with 15+ years of experience in enterprise Java development. He specializes in software architecture and monitoring technologies like Java APM, Real User Monitoring, and JMX. Passionate about clean code and scalability, he enjoys solving complex problems and sharing his expertise with the developer community.