In the world of web security, we used to have a “set and forget” mentality where you bought an SSL certificate, installed it and ignored it for a year or two. Those days are now officially over.
I’ve been looking at a major shift driven by Google and Apple that is about to change how every business manages its online presence.
What’s Happening?
Starting March 15, 2026, the “shelf life” of a standard SSL/TLS certificate (the tech that gives you that little green padlock) is being reduced from 13 months to roughly 6 months (200 days) and this isn’t a once-off change. The industry roadmap is moving toward a future where certificates may only last 47 days by 2029.
Essentially, the “Digital Driver’s License” for your website is becoming a short-term permit that requires constant review and renewal.
Why the Rush? (And Why It’s Actually Good)
It feels like extra homework, but the goal is to achieve “Crypto Agility” and will result in a number of security improvements, including…
- Faster Response: If a security flaw is found in the way certificates are encrypted, shorter lifespans allow the entire internet to “reset” to a safer standard in months rather than years.
- Reduced Window of Risk: If a hacker manages to steal your SSL security key, they can currently use it for over a year. Shorter lifespans kill that stolen key much faster.
- Trust: It forces website owners to prove they still own and control their domain more frequently, making it harder for “ghost” sites or abandoned domains to be used for phishing.
The “Subscription” Model: How Paid SSL certs Will Work
You might be thinking: “I just paid for a 3-year SSL Cert. Am I losing money?”
Not exactly. Major hosting companies and Certificate Authorities (CAs) like Sectigo are changing to a Subscription Model.
When you buy a “12-month SSL,” you are paying for a year of coverage, not a single 12-month file where…
- The host will issue a certificate valid for 200 days.
- At the 190-day mark, their system will automatically generate a new certificate and swap it out.
But There’s Catch:
This only works if your hosting environment supports automation. If you are on an old server that requires you to copy-paste “CSR codes” and “Private Keys” manually, you are now going to have to do that twice as often, and soon, eight times as often.
Why You Should Review Your Domain and SSL cert Today
If your website SSL certificate expires and isn’t renewed in time, your visitors won’t see your homepage. Instead, they will see a giant red warning: “Your connection is not private.” For a small business, that is the digital equivalent of a “Closed by Health Inspector” sign on your front door.
Between now and March 15th, we have a window of opportunity to:
- Inventory: Ensure every sub-domain and landing page you own is accounted for.
- Automate: Switch your WordPress site to a host or a service that uses the ACME protocol (like Let’s Encrypt), which handles these renewals automatically so you never have to think about them.
- Last Call: Renew any manual certificates before the 15th to buy yourself one last full year of “breathing room” while we modernize your setup.
Website security is no longer a “once a year” task, it’s a continuous process. Make sure you get your site checked before your “Green Padlock” doesn’t turn red when you’re not looking.
