There was a time when SSL administration felt almost routine: install the file on the server, check the green padlock in the browser, and forget about it for a year, sometimes even two. But the security industry is steadily moving away from the idea of “long-lived” certificates. The gradual tightening of their validity periods forces a rethink of привычные approaches to maintaining web resources.

Timeline of shortening validity periods

Until recently, 398 days was considered the norm – a bit more than a year of peace of mind. Now we are entering a phase of intensive changes, where each next step effectively halves the validity window.

  • From March 15, 2026, the maximum lifetime of a certificate will be 200 days. This will require checking configurations roughly every six months.
  • From March 15, 2027, the window narrows to 100 days. Quarterly renewal becomes the new normal.
  • From March 15, 2029, the term will be limited to 47 days. That means reissuance will happen every month and a half.

It is important to distinguish between the subscription period and the actual validity of the certificate. You can still pay for the service two or three years ahead, but the technical part – generating a new key and installing it on the server – will happen much more frequently.

How reissuance works

In essence, renewal is the replacement of the current digital signature with a new one. Although the owner and domain data remain unchanged, the browser requires fresh confirmation that the site still belongs to you and that the connection has not been intercepted.

Technically, this looks like generating a new request in the hosting control panel. If the service is already paid for, the procedure is usually free and takes a few minutes, but it requires attention to dates.

Why security is becoming “shorter”

The reason behind these changes is not a desire to complicate life for admins. A shorter certificate lifecycle acts as a safeguard. Information about companies and domain ownership changes faster than we tend to assume. The more often reissuance happens, the more up-to-date the information the browser sees.

There is also a purely technical aspect: certificate revocation lists (CRL) do not always work reliably. If a key is compromised, the best way to minimize damage is to ensure it becomes invalid as quickly as possible. Besides that, each new issuance allows certification authorities to introduce more modern encryption algorithms without waiting years for outdated certificates to expire.

What this changes in practice

For an average site visitor, nothing changes – the padlock in the address bar remains where it is. The main load shifts to those who maintain the resource.

The main risk now is not financial, but simply forgetting. Miss the renewal date, and the site instantly gets marked as “not secure,” which scares away traffic. Since doing this manually every 47 days becomes impractical, automation turns into a priority. Most modern control panels already include auto-renewal tools, and using them is no longer optional.

An SSL certificate is no longer a static setting. It becomes a dynamic process, as routine as creating backups or updating plugins. The idea is simple: security has to be relevant “here and now,” not as it was a year ago.