SSL/TLS Certificate Validity Changes: New 200‑Day Limit Explained

March 02, 2026 12:04

Beginning March 15, 2026, all publicly trusted Certificate Authorities must comply with new industry requirements that shorten the maximum validity period of SSL/TLS certificates to 6 months. These changes also affect how long domain validations (DCV) can be reused.

The new rules (Ballot SC-081v3) apply industry‑wide and are designed to strengthen web security by reducing the lifespan of certificates and domain validation records.

⚠ For all certificates issued from now on we highly recommend to double check the expiration date after the certificate has been issued. Make sure that you renew all your certificates in time!

What Is Changing?

Maximum Certificate Validity Reduced to 200 Days

Starting March 15, 2026, SSL/TLS certificates can be issued for a maximum of 200 days. This reflects a shift from the previous 1‑year validity model to a shorter, more secure lifecycle.

DCV Reuse Limited to 199 Days

Domain Control Validation records can now be reused for only 199 days. Any DCV records older than this will be invalid and new records have to be created. Certificates will not be issued using domain validation records older than 199 days after the enforcement date.

Why These Changes Matter

The shortened certificate lifetime improves security by:

Minimizing the risk that private keys are compromised
Reducing the time window in which a compromised certificate could be exploited
Ensuring domain ownership is re-validated more frequently
Minimizing long‑term reliance on older validation data

As a result, you should expect:

More frequent certificate renewals
More frequent DCV checks
Possible early re-validation of domains validated before late 2025
Re-issuance requirements for certificates tied to older DCV records

What Stays the Same

Existing certificates remain valid until their original expiration date.
1‑year certificates are still issued the same way from your perspective. You can still request 1‑year certificates, but each issuance will follow the new 200‑day limit, requiring a mid‑term re-issuance to cover the remainder of the subscription term.
Your ZeroSSL dashboard and API workflows will continue to support automated re-issuance

How This Affects ZeroSSL Plans

With the new 200‑day limit:

1‑year plans will include multiple certificate issuances throughout the term
30 days before a certificate expires you should get back the credits to issue a replacement certificate
DCV must be valid at the time of each issuance, meaning domains must be re-validated earliest 30 days before expiration and their maximum lifetime is 200 days

Frequently Asked Questions

Will my existing certificates stop working?

No. Existing certificates will remain valid until their current expiration date. The new limits apply only to certificates issued after March 15, 2026.

Do I need to revalidate my domain immediately?

Not necessarily, but any DCV record older than 199 days will not be accepted for certificate issuance after March 15, 2026.

Will ZeroSSL support automated renewals under the new rules?

Yes. ZeroSSL’s ACME automation and API workflows support frequent renewals and re-issuance.

Need Help?

If you have questions about how these changes impact your ZeroSSL setup, our support team is here to help. We will continue to provide updates and resources as the industry transition moves forward.