If you manage a website, you have probably noticed something strange lately: Your “one-year” SSL certificate expired in just a few months.
You are not being scammed. This is part of a major security overhaul mandated by the global body that governs internet security standards (The CA/Browser Forum). As of March 2026, the maximum lifespan of a new SSL/TLS certificate is 200 days.
But why shorten the lifespan? And how do you actually get the full year you paid for? Here is everything you need to know.
1. Closing the “Broken Window” Window
When a hacker steals a website’s private key, they have a “dwell time”—the period between the theft and when the certificate expires. With 400-day certificates, hackers had over a year to abuse that stolen key. By cutting the life to 200 days, security teams are reducing that free hacking window by more than half.
2. Forcing Proof of Ownership
A lot can change in a year. Domains get sold, companies go bankrupt, or servers get abandoned. A long certificate meant an old owner’s certificate could still work on a new owner’s server. By forcing renewal every 200 days, the system ensures the person holding the certificate today is still the legitimate owner.
3. The Push for Robots, Not Humans
Manually tracking expiry dates via a spreadsheet is a nightmare. The industry is trying to kill manual renewal entirely. By making certificates expire faster, they are forcing website owners to adopt automated renewal systems. If you automate, you never notice the expiry date. If you don’t, you will lose your security seal constantly.
The Timeline: This is Just the First Step
The 200-day limit is not the final destination. The CA/Browser Forum has already voted on a roadmap to shrink certificates even further.
- The Past (Until March 2026): 365 days (12 months)
- The Present (March 2026): 200 days (~6.5 months)
- The Near Future (March 2027): 100 days (~3 months)
- The Long Term (March 2029): 47 days (~1.5 months)
By 2029, your certificate will expire faster than a Netflix free trial. Automation will not be a luxury; it will be a requirement for survival.
The “Two-Part” Purchase: How to Get Your Full Year
Here is the most confusing part for website owners who bought a “1-year plan.”
Since a single certificate cannot legally be issued for longer than 200 days, Certificate Authorities (CAs) have changed how they sell time. When you buy a “12-month” certificate today, you are actually buying a two-part subscription:
- Part A (Days 1 to 199): You install this immediately.
- Part B (Days 200 to 365): This is a free “renewal” waiting in your account.
The Critical Warning: Part B is not automatic. You must log into your Certificate Authority’s portal during a specific 30-day window (starting 30 days before Part A expires). You click a button, and they generate the second certificate for free. If you miss that window, you forfeit the remaining six months of your plan and must buy a brand new certificate.
What You Should Do Right Now
If you are a small business owner or blogger, you have two options.
Option 1 (The Hard Way): Set four calendar reminders for every certificate you own. Check the expiry date every month. Pray you don’t get sick during your renewal window.
Option 2 (The Smart Way): Switch to a hosting provider or Certificate Authority that supports ACME automation (the same technology Let’s Encrypt uses). With automation, your server talks to the CA automatically, swaps the old certificate for the new one, and installs it while you sleep.
The Bottom Line
The 200-day limit is annoying for manual users but excellent for security. It forces hackers to work faster, ensures websites prove their identity more often, and drags the industry—kicking and screaming—into the age of automation.
Key takeaway: If you bought a 1-year certificate, you are safe, but you must remember to claim your free renewal halfway through. And if you haven’t automated your renewals yet, 2029 (when certificates last only 47 days) will be a very stressful year for you.
