Part 4 of 6
People keep saying certificate validity is dropping from one year to one month. Here is the real public TLS timeline and what it means.
Introduction
I keep hearing the same claim: certificate validity is going from one year to one month. That is not the full story.
The real change is more gradual, but it is still a big operational shift.
The actual timeline
- Before March 15, 2026: maximum validity is 398 days
- From March 15, 2026: maximum validity becomes 200 days
- From March 15, 2027: maximum validity becomes 100 days
- From March 15, 2029: maximum validity becomes 47 days
So no, the industry is not jumping straight from one year to one month tomorrow.
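As an added example (not part of the original post), the Python below checks a certificate's validity period against the timeline above and shows how the renewal count grows at each step. It assumes the cap is selected by the certificate's notBefore date, that the input is the output of `openssl x509 -noout -dates`, and that you renew after two-thirds of the lifetime; the function names and the sample dates are constructed for illustration.

```python
import math
from datetime import datetime, timezone

# Caps from the timeline above: (effective date, maximum validity in days).
SCHEDULE = [
    (datetime(2026, 3, 15, tzinfo=timezone.utc), 200),
    (datetime(2027, 3, 15, tzinfo=timezone.utc), 100),
    (datetime(2029, 3, 15, tzinfo=timezone.utc), 47),
]
BASELINE_DAYS = 398  # cap before March 15, 2026

def parse_dates(openssl_output):
    """Parse the notBefore=/notAfter= lines printed by `openssl x509 -noout -dates`."""
    fields = {}
    for line in openssl_output.strip().splitlines():
        key, _, value = line.partition("=")
        if key.strip() not in ("notBefore", "notAfter"):
            continue  # ignore anything else in the output
        # openssl prints timestamps such as "Mar 16 00:00:00 2026 GMT"
        parsed = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y GMT")
        fields[key.strip()] = parsed.replace(tzinfo=timezone.utc)
    return fields["notBefore"], fields["notAfter"]

def cap_for(issued):
    """Return the cap in force on the issuance date (assumption: notBefore decides)."""
    cap = BASELINE_DAYS
    for effective, days in SCHEDULE:
        if issued >= effective:
            cap = days
    return cap

def audit(openssl_output):
    """Compare a certificate's validity period with the cap for its issuance date."""
    not_before, not_after = parse_dates(openssl_output)
    validity = (not_after - not_before).total_seconds() / 86400
    cap = cap_for(not_before)
    return {"validity_days": round(validity, 2), "cap_days": cap, "within_cap": validity <= cap}

def renewals_per_year(cap_days, renew_fraction=2 / 3):
    """Renewals per year when renewing after renew_fraction of the lifetime (assumed policy)."""
    return math.ceil(365 / (cap_days * renew_fraction))

# Constructed sample: a 398-day certificate issued the day after the first cut-over.
SAMPLE = """notBefore=Mar 16 00:00:00 2026 GMT
notAfter=Apr 18 00:00:00 2027 GMT"""

if __name__ == "__main__":
    print(audit(SAMPLE))
    for cap in (398, 200, 100, 47):
        print(cap, "days ->", renewals_per_year(cap), "renewals/year")
```

To audit a real certificate, pass the text printed by `openssl x509 -noout -dates -in cert.pem` to `audit()`.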
Why shorter lifetimes are happening
The long-term direction is very clear: certificates will live for much shorter periods than many admins are used to.
Why is this happening? Because shorter lifetimes reduce risk. If a certificate is misissued, a private key is compromised, or validation data becomes stale, a shorter lifetime limits how long that problem can remain active.
What this means for Linux admins
For Linux admins and small website owners, the practical message is easy to understand:
Manual renewal might still work today. But it will become less practical every year.
Closing thoughts
The “one month” wording is not correct as an immediate change, but the bigger message is true: the future of public TLS is shorter-lived certificates and more frequent renewal.
Read next: How to Automate TLS Certificate Renewals on Linux Before Short Lifetimes Become a Problem