The security certificate on your website has an expiry date, and that date is getting shorter - deliberately, across the whole industry. If your certificates have started needing renewal more often than they used to, you are not imagining it, and it is about to happen again. Here is what is changing, why, and what it means for you if you are not the person who lives in a terminal all day.
What is actually changing
The rules for how long a certificate can last are set by the CA/Browser Forum - the group of web browsers (Chrome, Safari, Firefox) and certificate authorities that, between them, decide what your browser trusts. They voted to shrink the maximum lifetime of a certificate in steps:
- Until early 2026: a certificate could last about 398 days (just over a year).
- March 2026: cut to 200 days. (This one has already happened.)
- March 2027: cut to 100 days.
- March 2029: cut to just 47 days.
Think of it like the best-before date on milk getting shorter every year. The milk is the same; you just have to replace it far more often, and the cost of forgetting goes up.
Why are they doing this?
Two reasons, both reasonable. First, security: if a certificate's secret key is ever stolen, a shorter lifetime limits how long a criminal can misuse it. Second, hygiene: shorter certificates force everyone to stop renewing by hand and set up automation, which is more reliable in the long run. It is genuinely a good direction for the web. It just creates a transition period that lands on website owners.
What this means for you
The headline: more renewals means more chances to miss one. A certificate you used to touch once a year will, by 2029, need replacing roughly eight times a year. Every one of those renewals is an opportunity for the same old failure - the one where a certificate quietly expires and your site starts showing visitors a full-page security warning instead of your homepage.
How exposed you are depends on your setup:
- If you renew certificates manually (a reminder in someone's calendar, a note in a spreadsheet), this is the wake-up call. That approach barely survives once a year. It will not survive every six weeks.
- If your certificates auto-renew (many modern hosts and tools do this for you), you are in much better shape - but automation fails silently more often than people think, and now it has eight times as many chances to fail. A renewal that breaks quietly and goes unnoticed is the most common cause of these outages.
What to do about it
You do not need to become a certificate expert. You need two things: renewals that happen automatically, and a safety net that tells you when one does not.
The automation is usually handled by your hosting provider, CDN, or a tool like Let's Encrypt. The safety net is the part most people are missing - an outside check that watches your certificates and warns you, with plenty of time to act, when one is heading for expiry or a renewal has silently failed. That is exactly the gap that gets wider every time these lifetimes shrink. We wrote more about the end state in The 90-Day Certificate Era.
The shift is not something to fear - it is something to set up once and stop worrying about. The teams that will be fine in 2029 are the ones who replace "remembering" with "monitoring" now, while the cadence is still forgiving.
Get the next post in your inbox
TLS monitoring tips and product updates. No spam, unsubscribe anytime.
Keep reading
What Is SSL/TLS Certificate Monitoring and Why Does It Matter?
Valid SSL Certificate, but Chrome Says 'Not Secure'? Here's Why
I don't want to learn what PKI, CA, ACME, EKU stand for, I only want a working certificate for my website
Related guides
-
What Is SSL/TLS Certificate Monitoring? A Complete Guide
A plain-English definition of SSL/TLS certificate monitoring, what it catches beyond expiry, and why shorter certificate lifespans are making it essential.
-
“This Website Cannot Be Trusted”: What It Means and How to Fix It
What the “this website cannot be trusted” error really means, and how to fix it fast.