March 15 Was Not a Drill
On March 15, 2026, the CA/Browser Forum's Ballot SC-081v3 officially took effect. The maximum validity period for publicly trusted TLS certificates dropped from 398 days to 200 days. Every certificate authority — DigiCert, Sectigo, Let's Encrypt, GlobalSign, and others — is now bound by this limit.
If your organization was renewing certificates once a year, that cadence is over. The clock just got shorter, and it will keep shrinking.
What Exactly Changed
Three things shifted simultaneously on March 15:
- Maximum certificate validity: 200 days (down from 398 days)
- Domain Control Validation (DCV) reuse: 200 days (down from 398 days)
- Subject Identity Information (SII) reuse: 200 days for OV/EV certificates
This means you cannot simply re-issue a certificate with old validation data. Every renewal now requires fresh domain ownership proof within the 200-day window.
The Immediate Impact
Renewal Frequency Doubles
The math is straightforward:
Previous (398-day max): ~1 renewal per certificate per year
Now (200-day max): ~2 renewals per certificate per year
For an organization managing 5,000 certificates, that's 10,000 renewal operations per year instead of 5,000. For enterprises with 50,000+ certificates, the operational load has doubled overnight.
Existing Certificates Are Not Affected — Yet
Certificates issued before March 15 with 398-day validity remain valid until their expiration date. However, when they come up for renewal, the new 200-day limit applies. Most organizations will feel the full impact by October 2026, when the first wave of post-March certificates begins expiring.
DCV Revalidation Is Now More Frequent
Previously, CAs could reuse domain validation results for up to 398 days. That window is now 200 days. If your organization uses manual DNS or HTTP validation methods, this doubles the administrative burden of proving domain ownership.
Who Is Most Affected
High-Risk Organizations
- Enterprises with large certificate portfolios (1,000+ certificates) relying on manual tracking
- Multi-cloud deployments where certificates are spread across AWS, Azure, GCP, and on-premises
- Organizations using OV/EV certificates that require additional identity validation
- Companies with complex approval workflows where renewal takes days or weeks
Lower-Risk Organizations
- Teams already using ACME-based automation with Let's Encrypt or other ACME-capable CAs
- Organizations with a Certificate Lifecycle Management (CLM) platform handling discovery and renewal
- Companies that adopted 90-day certificate practices ahead of the mandate
What You Should Do Right Now
Step 1: Audit Your Certificate Inventory
You cannot manage what you cannot see. Run a comprehensive discovery scan across:
- All public-facing domains and subdomains
- Cloud provider certificate stores (AWS ACM, Azure Key Vault, GCP Certificate Manager)
- Load balancers, CDNs, and reverse proxies
- Internal PKI and self-signed certificates
- Kubernetes clusters and service mesh configurations
Step 2: Identify Certificates Expiring Before October 2026
Any certificate issued after March 15 with a 200-day validity will expire by early October. Build a timeline of upcoming expirations and ensure renewal processes are in place.
March 15, 2026 + 200 days = October 1, 2026
April 1, 2026 + 200 days = October 18, 2026
May 1, 2026 + 200 days = November 17, 2026
Step 3: Automate DCV Where Possible
Switch from manual domain validation to automated methods:
- DNS-01 validation: Automate TXT record creation via cloud DNS APIs
- HTTP-01 validation: Automate file placement on web servers
- ACME protocol: Implement end-to-end automated issuance and renewal
Step 4: Establish Renewal Policies
Configure renewal thresholds that account for the shorter validity:
# Recommended renewal policy for 200-day certificates renewal_policy: threshold_days: 30 # Begin renewal 30 days before expiry alert_warning_days: 45 # Warning alert at 45 days alert_critical_days: 14 # Critical alert at 14 days auto_renew: true retry_interval_hours: 6 max_retries: 20
Step 5: Plan for What Comes Next
200 days is just the first step. The full SC-081 timeline:
| Effective Date | Max Validity | Max DCV Reuse |
|---|---|---|
| March 15, 2026 | 200 days | 200 days |
| March 15, 2027 | 100 days | 100 days |
| March 15, 2029 | 47 days | 10 days |
Investing in automation now prepares you for 100-day and eventually 47-day certificates.
Common Mistakes to Avoid
Waiting Until October
The October expiration wave will hit organizations that issued 200-day certificates in March. If you wait until September to prepare, you will be scrambling alongside thousands of other organizations, potentially competing for CA support and infrastructure resources.
Relying on Calendar Reminders
Spreadsheets and calendar alerts do not scale. With 2x renewal frequency now and 8x by 2029, manual tracking guarantees missed renewals and outages.
Ignoring Wildcard and SAN Certificates
Wildcard and multi-SAN certificates often protect critical infrastructure. Their renewal complexity is higher, and a missed renewal can take down dozens of services simultaneously.
Overlooking Internal Certificates
While SC-081 applies to publicly trusted certificates, aligning internal CA policies with the same validity periods simplifies operations and improves security posture.
The Automation Imperative
200-day certificates make automation strongly recommended. 47-day certificates will make it mandatory. The organizations that invest in certificate lifecycle automation now will have a significant operational advantage:
- Zero-touch renewals that complete without human intervention
- Automated deployment that pushes renewed certificates to endpoints
- Continuous discovery that catches rogue or unknown certificates
- Policy enforcement that ensures compliance with validity requirements
How TigerTrust Helps
TigerTrust was built for exactly this transition. Our platform provides:
- Automated discovery across cloud, on-premises, and hybrid environments
- ACME integration with all major certificate authorities
- Policy-driven renewal with configurable thresholds and automation rules
- Multi-cloud deployment that pushes certificates to AWS, Azure, GCP, and Kubernetes
- Real-time monitoring with alerting before certificates reach critical expiration windows
The shift to 200-day certificates is the starting line, not the finish. Organizations that treat March 15 as a wake-up call and invest in automation now will navigate the 100-day and 47-day transitions smoothly. Those that delay will face compounding operational risk with each phase.
Start your certificate audit today — the clock is already ticking.