Business Reporter

Countdown to 200-day SSL/TLS Certificates

Henry Lam at Sectigo explains why business leaders can no longer ignore PKI


In cybersecurity, we rarely get the luxury of a "quiet" warning for a critical vulnerability, with a time and date attached. Usually these pop up in the middle of the night, followed by a frantic scramble to patch systems before they are exploited. But right now, IT teams the world over have been given something unprecedented: a clear, multi-year roadmap for a fundamental shift in digital trust.

 

On March 15, 2026, the maximum validity for public SSL/TLS certificates will drop from 398 days to just 200 days. This means that certificates that were once renewed only once a calendar year must now be renewed every 6 months. While this may sound like a technicality for the IT department, if mishandled or ignored, it will be a board-level business risk. If your organisation is not prepared to handle more frequent certificate renewals, this change will double your IT team’s operational workload overnight and spike your risk of service outages.

 

 

The "Set It and Forget It" Era is Over

Digital certificates have been the solid invisible workhorses of the internet for nearly 30 years - issued, installed, and forgotten for a year or more at a time. This did not need to change because their 2048-bit RSA encryption was considered unbreakable. But now the growing threat posed by quantum computing changes the risk calculus, as sufficiently advanced quantum computers could potentially break this encryption in months, or even weeks. 

 

These advanced quantum computers do not exist. Yet. But the clock is ticking to make certificates more secure. By refreshing certificates more frequently, the risk of them being cracked drops significantly, as the window for attackers to actually exploit a compromised certificate is minimised. This is why, from this March, the maximum validity drops from 398 days to 200 days. The NCSC’s timeline for Post-Quantum Cryptography (PQC) readiness is a major factor behind the move to 200-day certificates, and is why it won’t stop there: certificate validity will drop incrementally, right down to 47 days by March 2029. By that point, manual certificate renewal processes will have long since become unmanageable, meaning that automation becomes essential.

 

For many businesses, this sounds like more work for more security, with shorter-lived certificates acting to:

  • Reduce the impact of compromised keys
  • Limit damage from misissued certificates
  • Encourage automation and modern crypto hygiene
  • Align trust with ephemeral, cloud-native workloads

From a security perspective, this is progress. From an operational perspective, it’s a stress test.

 

 

Failing to Act Will Impact Your Business

When a certificate expires, the failure is immediate and highly visible. Depending on your business, you could see websites going dark, application programming interfaces (APIs) ceasing to communicate, and internal systems like VPNs or Wi-Fi authentication failing without warning. Browser "Not Secure" warnings for your website may erode customer trust, but in regulated sectors like finance or healthcare, certificate compliance violations can result in heavy penalties and legal consequences.

 

For that reason, anyone currently managing certificates manually via spreadsheets is already behind the curve on their certificate hygiene. The NCSC’s timeline aims for PQC migration to begin in 2031, which means having fully automated certificate renewal by 2029 will put this part of an organisation significantly ahead of the curve.

 

 

Automation Is The Only Viable Strategy

To survive this transition, and the further transitions in the years to come, business leaders must shift their perspective to treat digital certificates as first-class infrastructure and a quantum preparation stress test. But to make that a reality, certificate automation is a requirement.

 

That is why certificate lifecycle management solutions (CLMs) are about to become much more important for businesses - the platforms that automate the discovery, deployment, renewal, and revocation of digital certificates across an IT infrastructure. Based on the principle that you can’t secure what you can’t see, automated discovery tools find every certificate in your environment (including those installed by shadow IT) and process error-free renewals to reduce the overall operational burden.
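To make the renewal arithmetic concrete, the Python below is an added example (not from the article or any Sectigo product) that audits a certificate inventory against the validity schedule described here and works out when each certificate must be replaced and how long its replacement may live. The inventory is constructed, the renew-at-two-thirds policy is hypothetical, and the 15th as the effective day for the 2027 and 2029 steps is an assumption.

```python
from datetime import date, timedelta

# (effective date, max validity in days). The 398 -> 200 -> 100 -> 47 steps
# are the article's; it gives only "March" for 2027 and 2029, so the 15th is
# an assumption carried over from the 2026 step.
SCHEDULE = [(date(2026, 3, 15), 200),
            (date(2027, 3, 15), 100),
            (date(2029, 3, 15), 47)]
LEGACY_MAX_DAYS = 398


def max_validity_days(issued_on):
    """Longest lifetime allowed for a public certificate issued on this date."""
    cap = LEGACY_MAX_DAYS
    for effective, days in SCHEDULE:
        if issued_on >= effective:
            cap = days
    return cap


def audit(inventory, today):
    """Classify each certificate; hypothetical policy: renew at 2/3 of lifetime."""
    report = []
    for name, not_before, not_after in inventory:
        lifetime = (not_after - not_before).days
        renew_by = not_before + timedelta(days=lifetime * 2 // 3)
        if today >= not_after:
            status = "EXPIRED"
        elif today >= renew_by:
            status = "RENEW_NOW"
        else:
            status = "OK"
        # A replacement cannot be issued before today, so its cap is the one
        # in force on whichever of today / renew_by is later.
        next_cap = max_validity_days(max(today, renew_by))
        report.append({"name": name, "status": status, "renew_by": renew_by,
                       "next_max_days": next_cap,
                       "shrinks": lifetime > next_cap})
    return sorted(report, key=lambda r: r["renew_by"])


# Constructed inventory (host, notBefore, notAfter); not real certificates.
INVENTORY = [("www.example.test", date(2025, 6, 1), date(2026, 7, 4)),
             ("api.example.test", date(2026, 1, 10), date(2027, 2, 12)),
             ("vpn.example.test", date(2025, 2, 1), date(2026, 3, 1))]

if __name__ == "__main__":
    for row in audit(INVENTORY, today=date(2026, 3, 20)):
        print(row)
```

Every certificate in this sample was issued under the 398-day rule, so each one is flagged as shrinking: its replacement will be capped at 200 days, and the renew-by dates arrive correspondingly sooner on every later cycle.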

 

 

No Excuse for Lapses

With the problem well established, and this much warning, there is truly no excuse for a certificate to lapse in 2026. The industry has provided a clear schedule and the tools necessary to adapt. Those who insist on manual processes might limp on under the 200-day rules, but will be on course to fail when maximum validity reduces to 100 days in March 2027, or to 47 days in March 2029.

 

Organizations that embrace automation today will find themselves more resilient, more secure, and ready for the post-quantum future. Those that wait will face a cycle of constant, easily avoidable crises. Don’t wait for an outage to be your wake-up call.

 


 

Henry Lam is Field CTO at Sectigo

 

Main image courtesy of iStockPhoto.com and piyaphun
