
SSL/TLS Certificate Lifespans Are Changing in 2026: What It Means for Customers

  • Published on 4th Mar 2026

In early 2026, the industry is shifting to much shorter SSL/TLS certificate lifetimes, affecting all certificate authorities. These changes come from the CA/Browser Forum (the Web PKI standards body) and have been adopted by major CAs, including DigiCert, Sectigo, and Let’s Encrypt. In practice, this means that certificates you buy will still be one-year (or multi-year) products, but each issued certificate file will be valid for only about 200 days instead of ~398 days. A phased rollout then further shortens lifetimes: roughly 100 days by early 2027 and ~47 days by 2029.

Why is this happening?

Longer-lived certificates mean longer exposure if a key is compromised or a site’s ownership changes. Shorter lifetimes limit these risks and force more frequent re-validation. The CA/Browser Forum Ballot SC-081v3 (passed in 2025) set this schedule: a maximum validity of ~200 days in 2026, ~100 days in 2027, and ~47 days in 2029. Certificate vendors are simply following these new rules; for example, DigiCert notes that it will align with this plan and reduce the maximum certificate validity to 199 days as of Feb 24, 2026. Sectigo and other CAs likewise will stop issuing longer certs by mid-March 2026.

What is changing (key points)

  • Certificate validity (new orders): Effective Q1 2026, any newly issued public SSL/TLS certificate will be valid for only about 200 days (often implemented as 199 days). By March 15, 2027, it will drop to ~100 days, and by March 15, 2029, to just ~47 days.
  • Validation reuse periods: The rules also shrink how long you can reuse prior validations. Domain Control Validation (DV) reuse is cut from ~397 days to 199 days; Organization Validation (OV/EV) reuse is cut from ~825 days to ~397 days. (This means if your domain or business was validated more than ~6 months ago, you’ll need to re-validate sooner than before.)
  • Multi-year purchases: You can still buy 2–3-year certificate plans, but the cert you install will only ever be as long as allowed. A typical 3‑year plan means you pay up front, but you’ll receive one 200-day cert, then a reissued cert for the next ~166 days, and so on, until your 36 months are covered. Each reissue is free (it uses the time you already paid for). In effect, multi-year plans simply allow a price lock, while requiring annual (or twice-annual) reissuance of the certificate file.
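
The reissue arithmetic above, worked through as an added example (not Bacloud's or any CA's code): it lists the certificate files issued over a purchased term and goes beyond the 1-year case to show a multi-year plan crossing the 2027 and 2029 caps. Assumptions: 15 March 2026 as the first phase date (from Ballot SC-081v3), a one-day margin under each cap (the page mentions 199 for 200), and the hypothetical names max_validity, plan_reissues, margin and lead_days.

```python
from datetime import date, timedelta

# Maximum validity in days by issuance date (CA/Browser Forum Ballot SC-081v3).
# The 2027 and 2029 dates are on the page; 15 March 2026 is the ballot's first
# phase date, which the page gives only as "Q1 2026" / "mid-March 2026".
CAPS = [
    (date(2029, 3, 15), 47),
    (date(2027, 3, 15), 100),
    (date(2026, 3, 15), 200),
    (date.min, 398),
]

def max_validity(issued, margin=0):
    """Longest validity a CA may put on a certificate issued on this date."""
    for phase_start, days in CAPS:
        if issued >= phase_start:
            return days - margin

def plan_reissues(start, term_days, margin=1, lead_days=0):
    """List the certificate files needed to cover a purchased term.

    margin: days a CA stays under the cap (assumption: 1, as in 199 for 200).
    lead_days: how long before expiry the next file is issued (assumption).
    """
    end = start + timedelta(days=term_days)
    plan, issued = [], start
    while True:
        # Each file is capped by the rule in force on its issuance date
        # and by the time left on the purchased term.
        validity = min(max_validity(issued, margin), (end - issued).days)
        expires = issued + timedelta(days=validity)
        plan.append({"issued": issued, "expires": expires, "days": validity})
        if expires >= end:
            return plan
        if lead_days >= validity:
            raise ValueError("lead_days must be shorter than the validity")
        issued = expires - timedelta(days=lead_days)

if __name__ == "__main__":
    # Constructed sample: a 3-year plan bought on 1 April 2026.
    for cert in plan_reissues(date(2026, 4, 1), 3 * 365):
        print(cert["issued"], "->", cert["expires"], f"({cert['days']} days)")
```

For the constructed 3-year plan this lists ten files: two of 199 days, seven of 99 days once issuance falls after 15 March 2027, and a 4-day remainder.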

What this means for you

  • Same purchase process: Continue to buy 1-year (or multi-year) SSL certificates from Bacloud as before. There’s no need to buy “two certificates” separately. But each certificate you receive will expire in ~200 days instead of a year. You’ll then get a second certificate for the remainder of your term (around 166 days if you bought a 365-day term).
  • Certificate issuance and reissuance: When you purchase a certificate before early 2026, it can still be issued with the full ~397‑day validity. After the cutoff dates, any new order or reissue is capped at ~200 days. In practice, most CAs (including those behind Bacloud’s SSL products) will automatically issue that shorter cert, and when it expires, they’ll issue the second half of the term at no extra cost. Your SSL vendor will email you the renewed certificate file when it’s ready.
  • Reinstallation required: After each certificate (200-day and then 166-day, etc.) is issued, it must be installed on your server or site before the old one expires. For example, if you manage your own VPS or dedicated server, use your control panel or SSH to replace the certificate file. If you have Bacloud web hosting (cPanel), note that we include free AutoSSL certificates (Let’s Encrypt) that renew automatically – they will continue to update without manual work. However, if you purchased a paid SSL certificate (RapidSSL/Comodo/Certum/etc.) through Bacloud, you should reinstall the reissued certificate. Bacloud’s support team can assist with this if needed – simply submit a ticket with the new certificate file or use your hosting panel’s SSL install feature.
  • Validation timing: Plan ahead for domain and organization validation. Since domain validation now only lasts ~199 days, make sure to re-validate any domains before your next certificate needs to be issued. Likewise, if you use OV/EV certs, ensure your company’s validated information is updated (within 397 days) so it can be reused. If a validation expires, you’ll need to redo it before the next cert is issued, which could delay issuance. It’s best to complete domain and org validations well in advance of ordering a certificate around the cut-off date.
  • Notifications: Enable renewal/reissue reminders with your SSL provider. As certificates renew every ~6 months instead of yearly, missing one could cause unexpected downtime. You’ll receive emails from the CA or Bacloud with the reissued cert – mark these as important so you don’t overlook them.
  • No change to existing certificates: Any certificates issued before the cut-off date in 2026 remain valid for their original term. For example, a 397-day certificate issued in January 2026 will still run out in February 2027 as planned. It’s only new orders (and reissues/renewals) on or after the cutoff that use the shorter lifespans.

Managing Certificates Going Forward

  • Manual workflow (until fully automated): If you manage certificates manually today, you will simply repeat your process twice as often. For each 1‑year certificate you buy, you’ll go through CSR creation/validation/etc. at ~200-day intervals. In other words, treat a “200-day” certificate like a 6-month cert: install it, then ~180 days later submit for a renewal or reissue and install the new cert. 
  • Automation (highly recommended): With certificates expiring every few months, automated renewal is the best approach. For example, on Linux servers, you can use ACME clients (Certbot, acme.sh, etc.) to automatically fetch and install Let’s Encrypt or other ACME-based certs every 60–90 days. (Bacloud’s NVMe Hosting with cPanel already has AutoSSL, which can use Let’s Encrypt; this certificate automatically renews.) If you use load balancers or other systems, see if they support the ACME protocol or an API. Even if you stick with paid SSL from our store, you can use scripts or platforms that call the CA’s API to request and retrieve the new certs on schedule. DigiCert and Sectigo both emphasize that automation is now a must – manual processes will become too error-prone as validity shrinks.
  • Bacloud Assistance: Bacloud will do its best to help customers adjust. If you are using a Bacloud-managed service that obtains SSL certificates for you (such as our cPanel hosting or managed servers), the platform will automatically follow the new rules. If you have an SSL from Bacloud’s store on a user-managed server, we’ll continue to provide reissued certificates in accordance with CA policy. Our support team can assist with any manual reinstallation or with setting up AutoSSL/ACME on your server. Please reach out if you are unsure how your particular setup handles renewals.

Frequently Asked Questions for Bacloud customers

  • Q: Do I have to buy twice as many certificates? No. You still buy one 1-year certificate as before. You just get two cert files (each ~200 days) per year. There is no extra cost for the second one – it’s part of your original purchase.
  • Q: What if I let a certificate expire? If a cert expires, you lose HTTPS until you install a new one, so be careful with shorter expirations. Always plan to reapply early. You can renew or reissue up to 90 days before expiry, which still works under the new rules.
  • Q: Will Bacloud upgrade my certs automatically? For our free hosting SSL (AutoSSL), yes – the system will fetch new certs for you. For paid certificates bought through Bacloud, the CA will issue the renewed cert and email it to you; you or our support will then install it. 
  • Q: Why not just let me buy a 2-year cert? Browser and CA rules no longer allow 2-year or 5-year certificate lifetimes. Even if you purchase 2–3 years up front, the installed cert is still issued in 200-day chunks. Multi-year plans just lock in pricing and let you reissue the cert over time.
  • Q: Can I switch to Let’s Encrypt or ACME? Yes – Let’s Encrypt certs (90-day lifetime) already work with automatic renewal (certbot/acme.sh or cPanel AutoSSL). Many Bacloud customers find this the simplest option, since it requires no manual reinstallation. 

In summary: nothing to panic about, but do plan for more frequent renewals. Continue purchasing certificates as you do now, but be ready to install the new certificate files roughly every 6–7 months. Keep your domain/organization validations up to date, enable renewal alerts, and consider automation. By understanding these changes now, you can ensure uninterrupted HTTPS coverage. If you have any questions or need help with your certificate setup, Bacloud support is here to assist.

 
