In April 2025 the CA/Browser Forum passed ballot SC-081v3, "Introduce Schedule of Reducing Validity and Data Reuse Periods." It does two things on the same set of dates: it shrinks maximum certificate validity, and - the part that gets less attention - it shrinks how long a CA may reuse domain control validation (DCV) before it has to re-check. Here is the schedule and what it does to your renewal pipeline.
The schedule
| Effective | Max validity | DCV data reuse |
|---|---|---|
| Until 2026-03-15 | 398 days | 398 days |
| 2026-03-15 | 200 days | 200 days |
| 2027-03-15 | 100 days | 100 days |
| 2029-03-15 | 47 days | 10 days |
The 200-day tier is already in force. The two that bite hardest are still ahead.
Validity is the obvious half. DCV reuse is the sharp one.
Most coverage focuses on the validity column, because that is the number that maps to "how often do I reissue." But the DCV reuse column is what changes the shape of automation. Today, having validated control of a domain, a CA can reuse that proof for up to 398 days - so you can reissue freely without re-running an HTTP-01 or DNS-01 challenge each time. By 2029, reuse drops to 10 days. In practice that means validation stops being a once-a-year event and becomes a near-continuous background process: most reissuances will require a fresh challenge.
If your renewal automation treats validation as the rare, fragile step it bolts on around a stable cert - manual DNS TXT updates, a human approving a CNAME, a challenge file dropped by a deploy script - that assumption breaks. Validation has to be as automated and as monitored as issuance itself.
Multi-perspective validation, in passing
Running alongside this is MPIC (Multi-Perspective Issuance Corroboration), which requires CAs to confirm domain control from several network vantage points rather than one, to resist BGP-hijack-based misissuance. It is a CA-side requirement, so it does not change your config - but it is part of why the whole validation surface is getting stricter, and why a flaky DNS or HTTP challenge that "usually works" is a worse bet than it used to be.
What this means operationally
- ACME everywhere, no exceptions. Any certificate still issued or installed by hand is a recurring liability at 47/10-day cadence. Inventory the manual holdouts now - the load balancer someone configured in 2021, the appliance with a web UI, the internal service with a long-lived cert - because those are where the 2027 and 2029 outages will come from.
- Validation is now a monitored dependency. Track challenge success/failure as a first-class signal. A DNS-01 that silently stops resolving, an HTTP-01 blocked by a new WAF rule, clock drift breaking issuance - these now recur every few weeks instead of yearly.
- Short-lived certs change rollout assumptions. Pinning, certificate caching, and anything that assumes a stable cert fingerprint needs review. Overlap windows shrink; "renew three weeks early and observe" compresses.
- External validation matters more, not less. Your renewal pipeline reporting success is not the same as the endpoint actually serving a valid, complete chain. The more often renewals run, the more often that gap appears. An outside check that doesn't trust the pipeline is the backstop. We walked through the failure-mode catalogue in Why Expiry Monitoring Alone Isn't Enough.
The bottom line
SC-081v3 is not really a "certificates expire faster" story - it is a "manual certificate operations stop working" story. The validity reduction is survivable with automation you may already have. The DCV reuse reduction is the one that turns validation into a continuous, monitored process. Teams that get there before March 2027 will barely notice 2029; teams that wait will meet both cliffs at once.
Source: CA/Browser Forum, Ballot SC-081v3.
Get the next post in your inbox
TLS monitoring tips and product updates. No spam, unsubscribe anytime.
Keep reading
Shorter SSL Certificate Lifetimes: What the 2026-2029 Changes Mean for You
TLS Scan Report, Check by Check: A Technical Walkthrough
What Is SSL/TLS Certificate Monitoring and Why Does It Matter?
Related guides
-
What Is SSL/TLS Certificate Monitoring? A Complete Guide
A plain-English definition of SSL/TLS certificate monitoring, what it catches beyond expiry, and why shorter certificate lifespans are making it essential.
-
Common SSL Configuration Errors and How to Fix Them
The SSL configuration mistakes that bite teams in production, in plain English.