SSL in 2026: What's changed and what's coming

Dmitry Yahnov
March 2, 2026

2026 marks a pivotal year for SSL/TLS. Certificate lifespans are shrinking dramatically, validation requirements are tightening, and post-quantum cryptography is finally arriving in production environments. This post covers the three major transformations every developer and IT leader needs to understand.

Part 1: 200-day certificate lifespans arrive

What changed in March 2026

As of March 15, 2026, publicly trusted TLS certificates can no longer be issued with validity periods longer than 200 days (down from 398 days).

This marks the first phase of a multi-year reduction plan expected to further shorten certificate lifespans over the coming years.

Phase                  Maximum Validity   Target Date
Current                200 days           March 15, 2026
Expected Phase         100 days           2027 (planned)
Expected Final Phase   47 days            2029 (planned)

Later reductions (100-day and 47-day lifetimes) are part of the industry roadmap and may be subject to final ratification and implementation timelines.

Why this matters operationally

Enterprises now manage tens of thousands of certificates across domains, microservices, cloud platforms, and internal services.

  • Under the old 398-day model: roughly one renewal per certificate annually
  • At 200 days: nearly two renewals per year
  • At 47 days: roughly eight renewals per certificate annually

Manual processes such as spreadsheets and calendar reminders will not scale.

Domain Control Validation (DCV) reuse shrinks too

Year             DCV Reuse Period
2026             200 days
2027 (planned)   100 days
2029 (planned)   10 days

Organizations must repeatedly prove domain control - not just for new certificates, but for re-issuance as well.
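To make the two schedules above operational rather than a wall calendar, here is a small planner, added as an example and not code from the original post. It encodes the lifespan phases and the DCV reuse periods from the tables, checks a certificate's lifetime against the rule in force on its issuance date, and computes a renew-by date and the renewals per year. Assumptions of this example: the 2027 and 2029 changes take effect on March 15 of those years (the post gives only the year), the pre-2026 DCV reuse period is 398 days, and renewing at two thirds of the lifetime is the example's own policy.

```python
"""Lifecycle planner for the 2026-2029 lifespan and DCV reuse schedule.

Added example, not code from the original post.  Phase dates and day
counts come from the post's two tables; effective dates within 2027 and
2029 are assumed to be March 15 (the post gives only the year), the
pre-2026 DCV reuse of 398 days is an assumption, and "renew at two
thirds of the lifetime" is this example's own policy choice.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# (effective date, maximum validity in days), newest first.
MAX_VALIDITY = [
    (date(2029, 3, 15), 47),    # planned
    (date(2027, 3, 15), 100),   # planned
    (date(2026, 3, 15), 200),
    (date.min, 398),            # rule before March 15, 2026
]

# (effective date, DCV reuse period in days), newest first.
DCV_REUSE = [
    (date(2029, 3, 15), 10),    # planned
    (date(2027, 3, 15), 100),   # planned
    (date(2026, 3, 15), 200),
    (date.min, 398),            # assumed pre-2026 value
]


def _lookup(schedule, on):
    """Return the value of the newest schedule entry in force on `on`."""
    for effective, value in schedule:
        if on >= effective:
            return value
    raise ValueError(f"no schedule entry covers {on}")


def max_validity_days(issued):
    return _lookup(MAX_VALIDITY, issued)


def dcv_reuse_days(on):
    return _lookup(DCV_REUSE, on)


@dataclass
class Plan:
    lifetime_days: int
    allowed_days: int
    compliant: bool
    renew_by: date
    renewals_per_year: float


def plan(not_before, not_after, renew_fraction=2 / 3):
    """Check a certificate's lifetime against the rule in force on its
    issuance date and compute when automation should renew it."""
    lifetime = (not_after - not_before).days
    if lifetime <= 0:
        raise ValueError("notAfter must be after notBefore")
    allowed = max_validity_days(not_before)
    return Plan(
        lifetime_days=lifetime,
        allowed_days=allowed,
        compliant=lifetime <= allowed,
        renew_by=not_before + timedelta(days=int(lifetime * renew_fraction)),
        renewals_per_year=round(365 / lifetime, 2),
    )


def dcv_reusable(validated_on, reissue_on):
    """Can a domain-control validation completed on `validated_on` still be
    reused for an issuance on `reissue_on`?  Applies the reuse period in
    force on the issuance date (an assumption of this example)."""
    age = (reissue_on - validated_on).days
    return 0 <= age <= dcv_reuse_days(reissue_on)


if __name__ == "__main__":
    # Constructed sample: a 200-day certificate issued after the cutover.
    print(plan(date(2026, 4, 1), date(2026, 10, 18)))
    # A 47-day certificate under the planned 2029 rule.
    print(plan(date(2029, 4, 1), date(2029, 5, 18)))
    print("DCV reusable in 2029 after 19 days:",
          dcv_reusable(date(2029, 4, 1), date(2029, 4, 20)))
```

Run it against your inventory's notBefore/notAfter pairs and the `compliant` flag immediately shows certificates that were cut under an older rule, while `renew_by` gives automation a concrete trigger instead of a reminder.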

Part 2: Validation gets harder

Multi-Perspective Issuance Corroboration (MPIC)

Certificate Authorities must now perform validation from multiple vantage points that are diverse in both geography and network path. Validation endpoints that are geo-blocked or only partially reachable may cause issuance failures.

DNSSEC enforcement

If DNSSEC is deployed on a domain, CAs must validate it during DCV and CAA checks. Misconfigured DNSSEC can block certificate issuance.
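The CAA check mentioned above is a deterministic decision a CA makes before issuing, so it is worth checking your own records against the same rules before an issuance fails. Below is an added example, not code from the original post, that implements the issuer decision from RFC 8659 over an in-memory zone so it runs offline: it climbs from the name to the closest ancestor with a CAA RRset, lets issuewild override issue for wildcard requests, treats an empty issuer (";") as "nobody may issue", and refuses on an unrecognised critical property. The zone contents, the names and the CA identifiers (ca-a.example, ca-b.example) are constructed for the example.

```python
"""CAA authorisation check, added example (not from the original post).

Implements the issuer decision from RFC 8659 over an in-memory zone so the
check runs offline; the zone, the names and the CA identifiers
(ca-a.example, ca-b.example) are constructed for this example.
"""
from dataclasses import dataclass

CRITICAL = 0x80                      # issuer-critical flag bit
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


def relevant_rrset(zone, fqdn):
    """RFC 8659 section 3: use the CAA RRset of the name itself, or else
    of the closest ancestor that has one.  A wildcard request looks up
    the name with the leading "*." removed."""
    name = fqdn[2:] if fqdn.startswith("*.") else fqdn
    labels = name.lower().rstrip(".").split(".")
    while labels:
        rrset = zone.get(".".join(labels), [])
        if rrset:
            return rrset
        labels.pop(0)
    return []


def _issuer(value):
    """'ca-a.example; validationmethods=dns-01' -> 'ca-a.example'."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(zone, fqdn, ca_domain):
    """Return (permitted, reason) for `ca_domain` issuing for `fqdn`."""
    wildcard = fqdn.startswith("*.")
    rrset = relevant_rrset(zone, fqdn)
    for r in rrset:
        if r.flags & CRITICAL and r.tag.lower() not in KNOWN_TAGS:
            return False, f"unrecognised critical property {r.tag!r}"
    issue = [r for r in rrset if r.tag.lower() == "issue"]
    issuewild = [r for r in rrset if r.tag.lower() == "issuewild"]
    # issuewild, when present, replaces issue for wildcard requests.
    governing = issuewild if (wildcard and issuewild) else issue
    if not governing:
        return True, "no constraining property in relevant RRset"
    allowed = {_issuer(r.value) for r in governing} - {""}  # ";" authorises nobody
    if ca_domain.lower() in allowed:
        return True, "issuer authorised"
    return False, f"issuer not authorised; allowed: {sorted(allowed) or 'none'}"


# Constructed zone data for the example.
ZONE = {
    "example.com": [
        CAARecord(0, "issue", "ca-a.example"),
        CAARecord(0, "issuewild", ";"),          # no wildcard issuance at all
        CAARecord(0, "iodef", "mailto:pki@example.com"),
    ],
    "internal.example.com": [
        CAARecord(0, "issue", "ca-b.example; validationmethods=dns-01"),
    ],
    "legacy.example.com": [
        CAARecord(CRITICAL, "futureproperty", "x"),   # unknown but critical
    ],
}

if __name__ == "__main__":
    for name, ca in [("www.example.com", "ca-a.example"),
                     ("www.example.com", "ca-b.example"),
                     ("*.example.com", "ca-a.example"),
                     ("*.internal.example.com", "ca-b.example"),
                     ("legacy.example.com", "ca-a.example")]:
        print(name, ca, caa_permits(ZONE, name, ca))
```

Feed it the CAA records you actually publish (the output of a DNSSEC-validating resolver query, for instance) and the CA you intend to use; the `reason` string tells you which record blocked issuance, which is the same information a CA's validation failure would hide behind a generic error.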

Legacy validation deprecation

  • March 15, 2026 - Crossover method removed
  • 2027 (planned) - Phone-based validation eliminated
  • 2028 (planned) - Email-based DCV eliminated

DNS-based and HTTP-based automated validation become the long-term standard.

Part 3: The end of multipurpose certificates

Public TLS certificates are being restricted to the Server Authentication extended key usage (EKU) only.

Systems using public certificates for both server encryption and mutual TLS (mTLS) client authentication must migrate to:

  • Private PKI for internal mTLS, or
  • Dedicated client-authentication certificates

Part 4: Post-quantum cryptography moves toward production

The harvest now, decrypt later risk

Attackers can capture encrypted traffic today and decrypt it in the future once quantum capabilities mature.

Hybrid key exchange

Modern TLS 1.3 implementations are introducing hybrid key exchange combining:

  • Classical ECDHE
  • ML-KEM (NIST-standardized post-quantum key encapsulation)

Common hybrid combinations include:

  • X25519 + ML-KEM-768
  • secp256r1 + ML-KEM-768
  • secp384r1 + ML-KEM-1024

Performance benchmarks show ML-KEM-768 is viable for enterprise workloads.

Part 5: The monitoring gap widens

Automation does not guarantee correct deployment, chain validity, or full visibility.

Modern certificate monitoring focuses on:

  • Expiration detection
  • Shadow IT discovery
  • Non-standard port monitoring
  • Real-world TLS validation

As lifespans shrink, unknown certificates increasingly translate into outages.
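A monitor that only reads expiry dates out of an inventory misses the cases this section is about: a service listening on a non-standard port, a certificate whose chain does not validate, or one whose names no longer cover the hostname. The following is an added example, not code from the original post: `probe` performs a real TLS handshake with the default trust store against a host and port, and `assess` is the pure decision logic (days remaining, SAN coverage, renewal alarm window) exercised on a constructed `getpeercert()`-style dictionary. The hostnames and ports in the inventory are constructed and will not resolve; `warn_days` and the status labels are this example's own choices.

```python
"""Endpoint probe for certificate monitoring, added example (not from the
original post).  `probe` performs a real TLS handshake with chain and
hostname verification against a host and port (non-standard ports
included); `assess` is the pure decision logic, shown on a constructed
getpeercert()-style dictionary.  The inventory in __main__ is constructed.
"""
import socket
import ssl

# Constructed sample in the shape returned by SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "api.example.com"),),),
    "notAfter": "Oct 18 00:00:00 2026 GMT",
    "subjectAltName": (("DNS", "api.example.com"),
                       ("DNS", "*.internal.example.com")),
}


def _san_matches(pattern, hostname):
    """RFC 6125-style match: a wildcard covers exactly one leading label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return (hostname.count(".") == pattern.count(".")
                and hostname.endswith(pattern[1:]))
    return pattern == hostname


def assess(cert, hostname, now, warn_days=14):
    """Classify a peer certificate dict.  `now` is a POSIX timestamp;
    `warn_days` is the renewal alarm window, which has to shrink with
    the lifetimes (a 30-day alarm is useless for a 47-day certificate)."""
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = (not_after - now) / 86400
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    covered = any(_san_matches(p, hostname) for p in dns_names)
    if days_left <= 0:
        status = "expired"
    elif not covered:
        status = "name-mismatch"
    elif days_left < warn_days:
        status = "renew-soon"
    else:
        status = "ok"
    return {"status": status, "days_left": int(days_left), "covered": covered}


def probe(host, port, timeout=5.0):
    """Handshake with the default trust store and return the leaf cert,
    or the reason validation failed (what a client would actually see)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return {"ok": True, "cert": tls.getpeercert(),
                        "protocol": tls.version()}
    except ssl.SSLCertVerificationError as exc:
        return {"ok": False, "error": f"verification failed: {exc.verify_message}"}
    except OSError as exc:   # refused, timeout, DNS failure, other TLS errors
        return {"ok": False, "error": str(exc)}


def scan(targets, now, warn_days=14):
    """Probe each (host, port) and return one result tuple per target."""
    results = []
    for host, port in targets:
        r = probe(host, port)
        if r["ok"]:
            a = assess(r["cert"], host, now, warn_days)
            results.append((host, port, a["status"], a["days_left"]))
        else:
            results.append((host, port, "error", r["error"]))
    return results


if __name__ == "__main__":
    import time
    # Constructed inventory (hypothetical hosts); note the non-standard ports.
    inventory = [("api.internal.example", 443),
                 ("admin.internal.example", 8443),
                 ("metrics.internal.example", 9443)]
    for line in scan(inventory, time.time()):
        print(line)
```

Because `probe` uses the default verification path, a self-signed or mis-chained certificate on an internal port shows up as an `error` line with the verification message rather than passing as "ok", which is the difference between an inventory check and a real-world TLS validation.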

What you should do now

Immediate actions

  • Audit all certificates
  • Replace spreadsheets with lifecycle management tools
  • Adopt DNS-based validation
  • Separate mTLS certificates

12-24 month roadmap

  • Automate end-to-end lifecycle management
  • Prepare for post-quantum hybrid key exchange
  • Reduce certificate provider fragmentation

Conclusion

Shorter lifespans, stricter validation, and the arrival of post-quantum cryptography mark the end of manual certificate management.

Organizations that adapt will make certificate operations predictable.

Those that do not will face increasingly frequent renewal-related outages.