Abstract
The bell rings. Last call for 398-day certificates is March 15.
After that, every CA is required to cut you off at 200 days. Some have already stopped serving them early. The rest follow in two weeks.
The irony of good certificate management is that when it works, nobody notices. No alerts, no outages, no 2am pages. The only time it gets attention is when something expires. Which means the teams doing it well rarely have the budget or the political capital to fix the process before it breaks.
March 15 is your excuse to fix it anyway. Here’s what to do before closing time.
The 200-day certificate deadline
A certificate issued this week gets you to early 2027, roughly 13 extra months compared to anything issued after the deadline. That’s one fewer renewal cycle to deal with right now, and enough time to get automation in place before the 100-day era arrives in March 2027. This isn’t about avoiding automation forever. It’s about doing it on your schedule instead of in a panic.
Here’s the schedule the CA/Browser Forum set with Ballot SC-081:
- March 15, 2026: 200-day maximum
- March 15, 2027: 100-day maximum
- March 15, 2029: 47-day maximum
A certificate issued after March 15 gets 200 days. The deadline is based on when the certificate is issued, not when you place the order.
The math on doing nothing
Here’s what manual certificate management looks like at each stage of the schedule. These are minimum renewals per certificate per year, assuming you renew right at expiration.
| Validity period | Renewals per year | For 10 certs | For 50 certs |
|---|---|---|---|
| 398 days (today) | ~1 | ~10 | ~50 |
| 200 days (March 2026) | ~2 | ~20 | ~100 |
| 100 days (March 2027) | ~4 | ~40 | ~200 |
| 47 days (March 2029) | ~8 | ~80 | ~400 |
If you have 50 certificates and you’re still handling renewals manually in 2029, that’s 400 renewal events a year. That’s not a process anymore, that’s a fulltime job.
What are you going to do about it?
Go renew any commercial certificates you have. Right now, before March 15 jumps up at you. Even if certs aren’t close to expiring. This buys you time to figure out what to do next.
Do a search for certs you’ve forgotten about. A certificate discovery scan will show you the staging servers, internal tools, and other things you might have forgotten about. Go renew those certificates too.
Use the runway to fix the process. With your new certs, you have until 2027 to figure this out. Get started on a project plan. Figure out the budget you need. You need to figure this out before 100-day certs drop on March 2027.
CertKit can show you every certificate in your infrastructure, what’s expiring, and what you still have time to renew before March 15. Free during beta.
Comments