Public certificate validity is changing: what your organisation should do now


28/5/26

The validity period for publicly trusted certificates is changing. Here is what your organisation should be doing about it.

The CA/Browser Forum, the governance body whose members span certificate authorities and browser vendors, has agreed a phased reduction in the maximum validity of publicly trusted TLS certificates, down to 47 days. The change is not optional, and the timeline has already begun:

  • 15 March 2026: maximum validity reduces from 398 days to 200. Most organisations will renew at least twice this year.
  • 15 March 2027: maximum validity reduces to 100 days.
  • 15 March 2029: maximum validity reduces to 47 days.

The rationale is twofold: shorter lifespans narrow the window in which a compromised certificate can be exploited, and they make manual management untenable, which in turn drives the automation the next era of cryptography will require. Post-Quantum Cryptography (PQC) is already in trial for future adoption, and by its nature it will demand far more frequent certificate regeneration.

These changes are not simply an operational inconvenience. They affect an organisation's wider cyber resilience, its ability to demonstrate effective control of its certificate estate, and its assurance position. In our experience, the organisations that manage this well are the ones that treat it as a governance exercise now, rather than a renewal scramble later.

We would recommend the following:

  • Establish visibility. Determine the full scope of third-party certificates in use across every part of your organisation. You cannot control what you cannot see.
  • Validate. Confirm each certificate carries the correct SAN(s) and the appropriate validation and cryptographic level, in line with your cryptographic policy.
  • Record. Capture all relevant detail in your CMDB so the estate remains auditable.
  • Evaluate the effort. A single SAN on one website, renewed via a scheduled ITSM task, may be entirely manageable by hand. A multi-certificate critical-infrastructure estate is not, and should be assessed accordingly.
  • Investigate automation. Stand up the ability to renew and report on certificates automatically during 2026, while the six-monthly cadence still leaves room to implement it properly and prove it works.
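As an added example (written for this post, not McCormickCo Security's own tooling), the following Go program turns the timeline above and the "validate" and "evaluate the effort" steps into a check that could be run over an exported certificate estate: it encodes the CA/Browser Forum ceilings by issuance date, parses an X.509 certificate, verifies that the expected SANs are present, applies a hypothetical minimum key-strength policy (RSA 2048 bits or ECDSA P-256), flags any lifetime that exceeds the ceiling in force when the certificate was issued, and flags renewals due within the final third of the lifetime. The sample certificates, hostnames, "today" date and the one-third renewal window are all constructed assumptions, not figures from the post.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math"
	"math/big"
	"time"
)

// Maximum validity (days) permitted for a publicly trusted TLS certificate,
// keyed by issuance date, per the CA/Browser Forum schedule quoted in the post.
var schedule = []struct {
	from    time.Time
	maxDays int
}{
	{time.Date(2029, 3, 15, 0, 0, 0, 0, time.UTC), 47},
	{time.Date(2027, 3, 15, 0, 0, 0, 0, time.UTC), 100},
	{time.Date(2026, 3, 15, 0, 0, 0, 0, time.UTC), 200},
}

// MaxValidityDays returns the ceiling that applied when the certificate was issued.
func MaxValidityDays(issued time.Time) int {
	for _, s := range schedule {
		if !issued.Before(s.from) {
			return s.maxDays
		}
	}
	return 398 // limit in force before 15 March 2026
}

// Finding is one row of the inventory report a CMDB could ingest.
type Finding struct {
	Subject      string
	SANs         []string
	ValidityDays int
	MaxDays      int
	DaysLeft     int
	Issues       []string
}

func days(d time.Duration) int { return int(math.Round(d.Hours() / 24)) }

// Assess checks one parsed certificate against the SANs it should carry, a
// hypothetical key-strength policy (RSA >= 2048 bits, ECDSA >= P-256), the
// lifetime ceiling in force at issuance, and a renewal window of one third
// of its lifetime (an assumed policy value, not from the post).
func Assess(cert *x509.Certificate, expectedSANs []string, now time.Time) Finding {
	f := Finding{
		Subject:      cert.Subject.CommonName,
		SANs:         cert.DNSNames,
		ValidityDays: days(cert.NotAfter.Sub(cert.NotBefore)),
		MaxDays:      MaxValidityDays(cert.NotBefore),
		DaysLeft:     days(cert.NotAfter.Sub(now)),
	}
	if f.ValidityDays > f.MaxDays {
		f.Issues = append(f.Issues, fmt.Sprintf("validity %dd exceeds %dd limit", f.ValidityDays, f.MaxDays))
	}
	have := map[string]bool{}
	for _, n := range cert.DNSNames {
		have[n] = true
	}
	for _, n := range expectedSANs {
		if !have[n] {
			f.Issues = append(f.Issues, "missing SAN "+n)
		}
	}
	switch k := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		if k.N.BitLen() < 2048 {
			f.Issues = append(f.Issues, "RSA key below 2048 bits")
		}
	case *ecdsa.PublicKey:
		if k.Curve.Params().BitSize < 256 {
			f.Issues = append(f.Issues, "ECDSA curve below P-256")
		}
	default:
		f.Issues = append(f.Issues, "unsupported key type")
	}
	if f.DaysLeft <= 0 {
		f.Issues = append(f.Issues, "expired")
	} else if f.DaysLeft*3 <= f.ValidityDays {
		f.Issues = append(f.Issues, "renewal due")
	}
	return f
}

// SelfSigned builds a constructed sample certificate (ECDSA P-256) so the
// example runs offline; in practice you would load PEM files or scan endpoints.
func SelfSigned(cn string, sans []string, notBefore time.Time, validDays int) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     sans,
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(0, 0, validDays),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	now := time.Date(2026, 6, 1, 0, 0, 0, 0, time.UTC)    // constructed "today"
	issued := time.Date(2026, 4, 1, 0, 0, 0, 0, time.UTC) // after the 200-day limit took effect
	legacy, _ := SelfSigned("www.example.com", []string{"www.example.com"}, issued, 365)
	short, _ := SelfSigned("www.example.com", []string{"www.example.com", "example.com"}, issued, 90)
	for _, c := range []*x509.Certificate{legacy, short} {
		f := Assess(c, []string{"www.example.com", "example.com"}, now)
		fmt.Printf("%s valid=%dd max=%dd left=%dd issues=%v\n", f.Subject, f.ValidityDays, f.MaxDays, f.DaysLeft, f.Issues)
	}
}
```

The first sample certificate is issued after 15 March 2026 with a 365-day lifetime and a missing SAN, so it is reported against the 200-day ceiling; the second is compliant but, on the constructed date, sits inside its final third and is reported as due for renewal, which is the signal an automated renewal job or ITSM task would act on.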

Contact McCormickCo Security

McCormickCo Security supports organisations in turning asset and endpoint data into meaningful assurance, strengthening submissions, supporting outcomes, and ultimately contributing to the safe and resilient delivery of services.
