The CA/Browser Forum (a voluntary association of leading Certification Authorities and web browser vendors such as Google, Apple, Mozilla, and Microsoft, which defines binding standards and rules for the issuance of SSL certificates) voted in April 2025 to approve a schedule for the gradual reduction of SSL certificate validity from the current 398 days to a target of 47 days.
What does this mean in practice?
The shortening of SSL certificate validity will result in certificates needing to be renewed on the server more frequently. With the final limit of 47 days, a certificate will need to be replaced a total of 8 times per year.
Why is such a significant change being introduced?
There are several reasons why the CA/B Forum decided on and scheduled this gradual timeline:
Increased security (more frequent renewals help prevent potential attacks and website compromise)
Faster response to changes and potential threats, such as key decryption risks
Support for automation in certificate replacement
Why exactly 47 days?
A validity period of 47 days may seem unusual (approximately one and a half months), but there is a logical calculation behind it, following a consistent pattern:
200 days = 6 months (184 days) + 1/2 of a 30-day month (15 days) + 1 day reserve
100 days = 3 months (92 days) + approximately 1/4 of a 30-day month (7 days) + 1 day reserve
47 days = 1 month (31 days) + 1/2 of a 30-day month (15 days) + 1 day reserve
This model of “odd” validity periods has long been a standard approach of the CA/B Forum. The current limit of 398 days was calculated as 1 year (366 days) + 1 month (31 days) + 1 day reserve.
How will the gradual reduction take place?
The reduction of SSL certificate validity will not happen all at once. According to the schedule below, the final adjustment will take place in three consecutive phases.
The current state (until March 14, 2026): maximum SSL certificate validity is 398 days.
From March 15, 2026 – maximum validity will be 200 days (Phase 1)
From March 15, 2027 – maximum validity will be 100 days (Phase 2)
From March 15, 2029 – maximum validity will be 47 days (Phase 3)
Note: CA DigiCert will implement the above change for 2026 earlier, starting February 24, 2026.
Will SSL certificates issued before March 15, 2026 be automatically shortened?
No. All certificates issued before the start of the first reduction phase will remain valid for the period for which they were originally issued. The change will apply when creating a new certificate after March 15, 2026 – at that time, it will only be possible to issue a certificate with a maximum validity of 200 days.
Note: Certificates issued by CA DigiCert will have a 200-day validity already from February 24, 2026.
Once the individual rule changes come into effect, Certification Authorities will no longer be allowed to issue certificates with a validity longer than 200 days (2026) / 100 days (2027) / 47 days (2029).
FORPSI SSL Certificate Offering (by Certification Authority)
On our website, we offer SSL certificates from CA Actalis, for which the validity change will apply from March 15, 2026. These include:
Actalis DV SSL
Actalis DV SSL Wildcard
Actalis DV SSL SAN
All other SSL certificates we offer belong to the CA DigiCert group, and the validity change will apply already from February 24, 2026. These include:
RapidSSL
RapidSSL Wildcard
QuickSSL Premium
QuickSSL Premium SAN
How will SSL certificate replacement work in the first phase of shortening?
During the first phase of SSL certificate validity reduction, effective from March 15, 2026 (for CA DigiCert from February 24, 2026), it will be necessary within one calendar year to install two consecutive SSL certificates.
The first SSL certificate will be issued after payment is received and applicant validation is completed. The second, subsequent certificate will be issued before the first SSL certificate expires. Installation will proceed as follows:
If the SSL certificate is installed on our FORPSI server, we will perform the replacement (reinstallation) ourselves. We will request customer cooperation only if necessary and if we are unable to resolve the issue on our side.
If the customer installs the SSL certificate on their own server, it will be necessary to monitor the expiration of the first SSL certificate. When we invite them to activate the second SSL certificate, they must take the necessary steps to ensure the second certificate is issued in time and replaced on the server without delay.