Skip to main content

End of 397-day public TLS/SSL certificates

Improving TLS/SSL certificate security by moving to 199-day certificates

Industry says goodbye to 397-day maximum validity public TLS and QWAC certificates

On February 24, 2026, DigiCert will stop issuing 397-day public DV, OV, and EV TLS/SSL and Qualified Website Authentication Certificates (QWAC) and QWAC PSD2 certificates. The new maximum TLS certificate validity is 199 days. Read our knowledge base article to learn more about the move to 199-day TLS certificates.

Following industry best practices, DigiCert implemented a 199-day maximum validity for all public TLS/SSL and QWAC/QWAC PSD2 certificates. This practice accounts for time zone differences and prevents Certificate Authorities from mis-issuing a public TLS/SSL certificate that exceeds the new 200-day maximum validity requirement.

DigiCert is also enforcing the change earlier to ensure all systems are fully aligned and stable ahead of March 15, and to prevent any risk of issuing certificates that exceed the CA/B Forum's new 200-day limit. See Shortened TLS/SSL Certificate Validity: Frequently Asked Questions.

Notice

The maximum validity of the TLS certificate doesn't remain at 199 days for long. See the Maximum validity period timeline for public TLS/SSL in the CA/Browser Forum table in this article.

Items covered in this article:

What do I need to do?

With the new 199-day maximum TLS certificate validity, we recommend maximizing your TLS coverage by buying new public TLS/SSL certificates with a DigiCert® annual plan.

With your annual plan, all you need to do is select the DigiCert TLS certificate you want to use to protect your domain. The order includes the 1-year plan and, by default, a 199-day TLS certificate. To learn more, go to DigiCert annual plans.

Notice

As of February 24, 2026, DigiCert TLS certificate orders are 1-year by default. Contact your account manager or DigiCert Support if you’re interested in using the 2 and 3-year plans.

Coverage limitations

CertCentral Subscription accounts and Enterprise accounts with subscription contracts don’t use DigiCert annual plans. See Annual plan limits.

DigiCert Services API integrations

Your CertCentral Services API integrations will continue to work the way they did before this change in CertCentral.

What happens if my 397-day public TLS/SSL certificate wasn't issued before the February 24, 2026, deadline?

Pending public TLS/SSL certificate orders with a validity period greater than 199 days are automatically converted to a DigiCert annual plan.

This means:

  • The annual plan retains the purchase's validity.

    For example, if you order a 1-year certificate, your annual plan is valid for 12 months.

  • The first certificate on the plan is issued with a maximum validity of 199 days

  • To use the remaining coverage on the order, you need to reissue the certificate before it expires in 199 days.

How does this affect my existing 1-year public TLS certificates?

This change doesn’t affect active certificates with a validity greater than 199 days issued before the February 24, 2026, deadline. These certificates remain trusted until they expire.

For example, on February 1, 2026, you bought a 1-year OV TLS certificate. We issued the certificate on February 3, 2026. When the certificate nears its expiration date, instead of renewing another 1-year TLS certificate, you renew it with a 199-day certificate on an annual plan.

How does this affect my 1-year certificate reissues and duplicate issues?

The shortened maximum certificate lifecycle period of 199 days does affect public 1-year TLS certificates reissues and duplicates. Now, when you reissue or duplicate a 1-year TLS certificate, the new certificate's validity can’t exceed 199 days. This means some reissued certificates may expire before the order expires.

To use the remaining validity included with the order, reissue your certificate during the final 199 days of the order. You may request reissues with a validity of up to 199 days, or until the order expires, whichever is sooner.

Example: Reissuing a 1-year public TLS certificate now

  1. On February 23, 2026, we issued your 1-year Basic OV TLS certificate, your original certificate. This certificate has a validity of 365 days and expires on February 23, 2027, at the same time, the order expires.

    • Order validity term: February 23, 2026 – February23, 2027 (365 days)

    • Certificate validity term: February 23, 2026 – February23, 2027 (365 days)

  2. On February 25, 2026, the day after DigiCert implemented the new 199-day maximum validity change, you reissue the certificate. This reissued certificate has a maximum validity of 199 days and expires on September 12, 2026.

    • First reissued certificate validity term: February 25, 2026 – September 12, 2026 (199 days)

  3. On September 9, 2026, you reissue the certificate. This reissued certificate has a validity of 167 days because certificate validity can’t exceed the order validity.

    • Second reissued certificate validity term: September 9, 2026 – February 23, 2027 (167 days)

  4. If you need to reissue a 1-year public TLS certificate and have questions about what to expect during the reissue, contact your account manager or DigiCert Support before reissuing it.

How does this affect my public TLS/SSL certificate renewals?

The renewal process remains the same. You can reissue a TLS certificate at any time and renew a TLS order up to 90 days before it expires.

Maximum validity period timeline for public TLS/SSL in the CA/Browser Forum

On February 24, 2026, DigiCert began issuing 199-day public TLS certificates in accordance with the new industry requirements. However, the maximum validity for TLS certificates doesn't stay at 199 days for long. In early 2027, the maximum validity is reduced again to 99 days. Then, in early 2029, the maximum validity is reduced one more time to 46 days. To learn more about reducing public TLS certificate validity to 46 days, read our blog, TLS Certificate Lifetimes Will Officially Reduce to 47 days.

Table 1. CA/Browser Forum due dates and DigiCert timelines for reducing TLS certificate validity

CA/Browser Forum

DigiCert

Maximum certificate validity

Due date

Maximum certificate validity1

Timeline

200 days

Between March 15, 2026, and March 15, 2027

199 days

Between February 24, 2026, and early 20272

100 days

Between March 15, 2027, and March 15, 2029

99 days

Between early 2027 and early 20292

47 days

After of March 15, 2029

46 days

After early 20292

1DigiCert's maximum certificate validity is one day shorter than that allowed by the CA/Browser Forum. We do this to avoid exceeding the maximum permitted validity.

2Future release dates are subject to change based on the latest CA/Browser Forum requirements.


In this section: