Is your renewal process ready for what’s coming?

On March 15, 2026, the maximum validity of SSL/TLS certificates drops from 398 days to 200. In practice, that means renewing roughly twice as often as you do today. And this is just the first step — the industry roadmap goes further:

  • 2027: maximum validity drops to 100 days
  • 2029: certificates valid for just 47 days

By the end of the decade, anyone still renewing manually will be doing it every six weeks.

This does not mean you’ll pay more often. Free CAs stay free, and paid CAs keep subscription pricing — the change only affects how often you reissue, not what you pay.

Note: this only applies to newly issued certificates

Certificates issued before March 15, 2026 under the old rules (398 days) remain valid until their natural expiry date — there is no need to reissue them early. The new rules apply exclusively to certificates issued from that date onward.

Why It Matters

A missed certificate renewal is not a minor inconvenience. The moment a certificate expires, browsers display full-screen security warnings. Visitors bounce. APIs break. Integrations go dark. Customer trust takes a hit that’s hard to recover from quickly.

Renewing once a year was manageable to do manually. At 47-day cycles, it’s not. One person on leave, one overlooked alert — and a production site goes down. The margin for error is shrinking alongside the certificate lifetimes.

The Fix: Automate with ACME

The ACME protocol was built for exactly this scenario. It handles certificate issuance and renewal automatically in the background, without any manual steps. Every major hosting environment already supports it:

  • cPanel: AutoSSL manages renewals automatically once activated. After the initial setup, nothing else is required.
  • Plesk: The SSL It! extension handles renewals silently, before certificates have a chance to expire.
  • VPS / Dedicated servers: Certbot paired with a cron job keeps certificates current at no cost. One setup, runs indefinitely.
  • Kubernetes: cert-manager integrates directly into your cluster and handles the full certificate lifecycle automatically.

What to Do Before March 2026

The deadline is closer than it looks. Three steps to get ahead of it:

  • Audit your domains. Know which certificates you have, when they expire, and how they’re currently being renewed. Most control panels have a certificate overview page.
  • Enable automation. On AvaHost cPanel and Plesk plans, AutoSSL and SSL It! can be activated in minutes. On a VPS, Certbot setup takes less than half an hour.
  • Add a monitoring layer. Even with automation in place, an independent expiry alert is a useful safety net. A tool like UptimeRobot will notify you if anything slips through.

The Bottom Line

Shorter certificate lifetimes are better for internet security overall. But they put real pressure on anyone still renewing manually. The window to fix this comfortably — before renewals start failing under the new schedule — is right now.

Automate once. Then it handles itself, regardless of how short the validity windows get.