DigiCert KnowledgeBase - Technical Support-hero

Knowledge Base

Moving to 199-day validity for public TLS certificates

Solution ID : ALERT66
Last Modified : 12/12/2025

Per SC081v3, certificate validity goes from 397 to 199 days in 2026

Description

DigiCert will stop accepting public TLS certificate requests with a validity greater than 199 days on February 3, 2026,  at 00:00 UTC. Note that API requests specifying a validity period greater than 199 days will be automatically adjusted to 199 days.

All public TLS certificates issued on or after February 17, 2026, at 00:00 UTC cannot exceed the new 199-day maximum validity. This change affects all DigiCert public TLS products:

  • Public DV TLS products
  • Public OV TLS products
  • Public EV TLS products
  • EU QWAC, and QWAC PSD2

Important: DigiCert may update this article if new information becomes available. Save this page and check for updates. The Last Modified date appears under the title.

Why is DigiCert reducing the maximum validity of public TLS certificates to 199 days?

DigiCert is making this change to align with the CA/Browser Forum’s Ballot SC081v3: Introduce Schedule of Reducing Validity and Data Reuse Periods. This ballot sets a timeline to reduce TLS certificate validity from 398 days to 200 days in 2026, 100 days in 2027, and 47 days in 2029. Learn more about Ballot SC081v3.

 

Maximum validity period of public TLS/SSL in the CA/Browser Forum

Certificate issued Maximum certificate validity   
Before March 15, 2026 398 days
Between March 15, 2026, and March 15, 2027 200 days
Between March 15, 2027, and March 15, 2029 100 days
After March 15, 2029 47 days
*DigiCert's maximum certificate validities are one day shorter than the maximum validity allowed by the CA/Browser Forum’s, to avoid exceeding the maximum permitted validity.

Items covered in this article

 

What's changing?

Today, DigiCert issues public TLS certificates with a maximum 397-day validity. On February 17, 2026, DigiCert will issue TLS certificates with a maximum 199-day validity. 199-day maximum validity is the first stage of this multi-phase industry transition to 47-day TLS certificates.

  • Order public TLS certificates with a maximum 199-day validity
    • CertCentral
      On February 3, 2026, at 00:00 UTC, you will have three certificate validity options when ordering TLS certificates in CertCentral: 199 days, custom expiration date with a 199-day limit, and custom length up to 199 days.
    • CertCentral Services API
      On February 3, DigiCert will automatically adjust 1-year public TLS certificate validity to 199 days for requests submitted via the CertCentral Services API. This new behavior is intended to prevent unexpected errors and ensure your requests continue to process successfully.
      See the CertCentral Services API requests will automatically be adjusted to 199 days section in this article.
    • If you want a 397-day public TLS certificate, order it before February 3, 2026, at 00:00 UTC.
  • DigiCert will issue public TLS certificates with a maximum 199-day validity

    On February 17, 2026, at 00:00 UTC, DigiCert will issue public TLS certificates with a maximum 199-day validity.
    If planning to order 397-day TLS certificates right up until the February 3, 2026, deadline, make sure your domain and organization validations are up to date. TLS certificate issued after February 17, 2026, at 00:00 UTC will have a 199-day maximum validity.

 

What do I need to do?

No immediate action is required. We recommend you prepare for this change:

  • Get your 397-day certificate before DigiCert stops issuing them:

    1. Order your certificates before February 3, 2026, at 00:00 UTC.
    2. Help us issue your certificates before February 17, 2026, at 00:00 UTC.
  • Prepare for the future

The maximum certificate validity will shorten to 46 days by 2029, which will make manual certificate lifecycle management (CLM) impractical. DigiCert strongly recommends you adopt automation solutions through CertCentral (like ACME) and Trust Lifecycle Manager.

Contact your account manager if you want to learn more about automation.

 

What happens to 397-day certificates not issued before the February 17, 2026, deadline?

What happens with your certificate depends on what type of CertCentral account you have. Learn how to identify your CertCentral account.

  • CertCentral Subscription accounts
    DigiCert will issue your 199-day public TLS certificate. Your order and certificate validity will be 199 days.
    With CertCentral Subscription accounts, the pricing model is different in that your subscription is based on what you want to secure. Learn more about what you are subscribing to.
  • CertCentral Enterprise and Partner accounts
    For Enterprise and Partner accounts your experience will depend on the order type: Multi-year Plan (MyP) orders versus 1-year orders*.
    • MyP orders
      If you ordered 2- or 3-year Multi-year Plan with 397-day certificate validity, DigiCert will issue a 199-day TLS certificate while the order itself retains 2- or 3-year validity. When your certificate nears its expiration, you will need to reissue it. A new certificate will then be issued with the extended validity period.
    • 1-year orders
      If you ordered a 1-year certificate on a 1-year order, DigiCert will issue a 199-day TLS certificate instead, but your order validity will not change. When your certificate nears its expiration, you’ll need to reissue it.
      *397-day certificate orders will work the same way.

 

How does this affect existing public TLS certificates with a validity greater than 199 days

This change doesn’t affect active certificates issued before the February 17, 2026, deadline. These certificates will continue to be trusted until they expire. When the certificate nears its expiration date, you need to renew it with a 199-day certificate or order a certificate from the DigiCert® Multi-year Plan.

 

How does this affect existing 365/397-day TLS certificate reissues and duplicate issues?

The new 199-day maximum validity does impact 365/397-day TLS certificate reissues and duplicates.

Before February 3, 2026, when you reissue or duplicate a public TLS certificate, the new certificate can have a validity period of up to 397 days.

On or after February 3, 2026, when you reissue or duplicate a public TLS certificate, the new certificate can have a validity period of up to 199 days.

 

How does this affect public TLS certificate renewals?

You can still renew a certificate order as early as 90 days to 1 day before it expires. As of February 17, 2026, DigiCert will issue your certificate with a199-day maximum validity.

If you have an MyP order, you can renew your order with up to 3-year order validity, but each certificate will be issued with a maximum validity of 199 days.

If you don’t have an MyP order, you can renew your order with up to 199-day order validity.

 

CertCentral Services API requests will automatically be adjusted to 199 days

CertCentral Services API requests will be automatically adjusted to 199 days. This behavior is intended to prevent unexpected errors and ensure your requests continue to process successfully.

In the table below, you can see the details about the API impact for Multi-year Plan (MyP) and non-MyP orders. MyP allows customers to pay a single price for up to three years of TLS/SSL order coverage. If using MyP, you can continue reissuing your certificates at no additional cost until the plan expires.

 

API impact for Multi-year Plan (MyP) and non-MyP orders

       Name                             Req/Opt                         Type           Description for MyP* account Description for non-MyP account                                                                                               
Certificate  required  object  Certificate details  Certificate details
.. cert_validity  optional  object  Defines the validity period of certificates issued for this order. Cannot exceed order validity period.  Defines the validity period of certificates issued for this order. Cannot exceed order validity period.
.. .. years
(Deprecated)		 optional  int  397-daycertificate validity is automatically converted to 199 days. 
Allowed value: 1		 cert_validity.years value is ignored. 
.. .. days  optional  int  Number of days for the issued certificate.
Max:  199		 cert_validity.days value is ignored. 
.. .. custom_expiration_date  optional  string A custom expirationdate for the certificate.
Range: Must be within 199days of the date you request the certificate. 		 cert_validity.custom_expiration_datevalue is ignored. 
validity_years
(Deprecated)		 optional  int Number of years for the order.
Range: 1 - 3 		 Number of years for the order. 
Allowed value: 1
1-year validity is automatically converted to 199 days.
Custom_expiration_date
(Deprecated)		 optional  string A custom expirationdate for the order. 
Range: Must be within 3 years of the date you request the order. 		 A custom expiration date for the order. 
Range: Must be within 199 days of the date you request the order. 
order_validity  optional  object Defines the validity period of the order. Defines the validity period of the order.
.. years  optional  int Number of years the order is valid.
Range: 1 - 3 		 Number of years for the order. 
Allowed value: 1
1-year validity is automatically converted to 199 days. 
.. days  optional  int Number of days the order is valid.
Max: 1095 		 Number of days the order is valid.
Max: 199 
.. custom_expiration_date  optional  string A custom expirationdate for the order. 
Range: Must be within 3 years of the date you request the order. 		 A custom expiration date for the order. 
Range: Must be within 199 days of the date you request the order. 

References

  • DigiCert Logo

    The most-trusted global provider of high-assurance TLS/SSL, PKI, IoT and signing solutions.