Website owners should take note of upcoming changes in the SSL/TLS industry that affect security, certificate management, and user trust.
In 2026, Certificate Authorities (CAs) such as DigiCert and Sectigo will implement several significant updates to comply with CA/B Forum requirements.
The following are the five significant SSL/TLS changes effective in 2026, each with a brief overview, timeline, and action steps.
Change 1: Public TLS Certificates Will Change to 199-Day Validity
Public SSL/TLS Certificates will no longer be issued for one year; they will now be valid for 199 days with shorter renewal periods.
Changes for DigiCert (Timeline)
| Maximum Certificate Validity | Due Date |
| 397 days | Before February 24, 2026 |
| 199 days | Between February 24, 2026 – Early 2027 |
| 99 days | Between Early 2027 – Early 2029 |
| 46 days | After Early 2029 |
Changes for Sectigo (Timeline)
| Maximum Certificate Validity | Due Date |
| 398 days | Before March 15, 2026 |
| 200 days | Between March 15, 2026 – March 15, 2027 |
| 100 days | Between March 15, 2027 – March 15, 2029 |
| 47 days | After March 15, 2029 |
Required Actions to Take
- Discover all certificates
- Inventory all certificate-dependent systems
- Map automation opportunities
- Build a rollout plan
- Embrace automation
Change 2: Domain Validation (DCV) Reuse Reduction
Because DCV results can no longer be reused for as long, domain verification will occur more frequently.
Changes for DigiCert (Timeline)
| Maximum Domain Validation Reuse Period | Timeline |
| 397 days | Before February 24, 2026 |
| 199 days | Between February 24, 2026 – Early 2027 |
| 99 days | Between Early 2027 – Early 2029 |
| 9 days | After Early 2029 |
Changes for Sectigo (Timeline)
| Maximum Domain Validation Reuse Period | Due Date |
| 398 days | Before March 15, 2026 |
| 200 days | Between March 15, 2026 – March 15, 2027 |
| 100 days | Between March 15, 2027 – March 15, 2029 |
| 10 days | After March 15, 2029 |
Required Actions to Take
- Prepare for DCV to be performed more frequently
- Use DNS-based validation as the more reliable method
- Automate as much of DCV as you can
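To see what the Change 1 and Change 2 timelines mean for a single certificate, the following added example (not code from DigiCert, Sectigo, or this site) projects every renewal and every repeated domain validation using the Sectigo dates above. It assumes each limit applies from its start date onward, and the 15-day renewal lead time and the sample dates are constructed.

```python
from datetime import date, timedelta

# Sectigo rows from the tables above: (effective from, max validity days, max DCV reuse days).
# Assumption: a limit applies to certificates issued on or after its start date.
SECTIGO_LIMITS = [
    (date(2029, 3, 15), 47, 10),
    (date(2027, 3, 15), 100, 100),
    (date(2026, 3, 15), 200, 200),
    (date.min, 398, 398),
]

def limits_on(issued):
    """Return (max_validity_days, max_dcv_reuse_days) for an issuance date."""
    for effective, validity, dcv_reuse in SECTIGO_LIMITS:
        if issued >= effective:
            return validity, dcv_reuse

def project_renewals(not_after, last_dcv, until, renew_before_days=15):
    """Simulate renewals at the maximum allowed validity.

    renew_before_days is an assumed local policy (renew this many days before
    expiry). Returns a list of (issue_date, new_not_after, dcv_redone).
    """
    if renew_before_days >= 47:
        raise ValueError("lead time must be shorter than the shortest validity")
    events = []
    while True:
        issue = not_after - timedelta(days=renew_before_days)
        if issue > until:
            return events
        validity, dcv_reuse = limits_on(issue)
        # A prior validation can only be reused while it is inside the reuse window.
        dcv_redone = (issue - last_dcv).days > dcv_reuse
        if dcv_redone:
            last_dcv = issue
        not_after = issue + timedelta(days=validity)
        events.append((issue, not_after, dcv_redone))

if __name__ == "__main__":
    # Constructed inventory entry: current expiry and date of the last domain validation.
    plan = project_renewals(date(2026, 6, 1), date(2025, 5, 20), date(2029, 12, 31))
    for issue, expires, dcv in plan:
        print(issue, "->", expires, "DCV required" if dcv else "DCV reused")
    print(len(plan), "renewals,", sum(d for _, _, d in plan), "domain validations")
```

Once the 47-day limit applies, every renewal in the projection also needs a fresh domain validation, because the gap between renewals is longer than the 10-day reuse window.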
Change 3: Using MPIC for Domain Control & CAA Checks
Multi-Perspective Issuance Corroboration (MPIC) is used to verify that domain control and CAA checks are accurate across multiple networks.
| CA/Browser Forum Timeline | Number of Distinct Remote Network Perspectives Used | Number of Allowed Non-corroborations |
| Phase One — Effective March 2025 | Check from multiple network locations only | Not applicable |
| Phase Two — Effective September 2025 | Check from at least 2 remote network locations | One non-corroboration allowed¹ |
| Phase Three — Effective February 2026 | Check from at least 3 remote network locations and at least 2 different Regional Internet Registries (RIRs) | One non-corroboration allowed¹ |
Required Actions to Take
- Ensure that the domain DNS and HTTP validation paths are accessible on public networks
- Prevent firewall and/or geo-blocking problems
- Closely monitor any validation failures
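The Phase Three rule can be applied to your own reachability probes to see whether a firewall or geo-block would break issuance. The following is an added example, not code from any CA or from this site. The probe labels are constructed, and counting distinct RIRs among the probes that succeeded is this example's reading of the table.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Probe:
    location: str   # label of your own vantage point (constructed)
    rir: str        # RIR region it sits in: ARIN, RIPE, APNIC, LACNIC or AFRINIC
    ok: bool        # True if it saw the expected DCV token / CAA answer

def mpic_check(probes, min_perspectives=3, min_rirs=2, allowed_failures=1):
    """Apply the Phase Three numbers from the table above to probe results.

    Returns (passed, problems). Assumption: RIR diversity is counted over the
    probes that succeeded, which is the stricter reading of the table.
    """
    problems = []
    if len(probes) < min_perspectives:
        problems.append(f"only {len(probes)} perspectives, need {min_perspectives}")
    failed = [p.location for p in probes if not p.ok]
    if len(failed) > allowed_failures:
        problems.append(f"{len(failed)} non-corroborations: {', '.join(failed)}")
    rirs = {p.rir for p in probes if p.ok}
    if len(rirs) < min_rirs:
        problems.append(f"successful probes cover {len(rirs)} RIR(s), need {min_rirs}")
    return (not problems, problems)

# Constructed results: one region blocked, versus everything outside ARIN blocked.
ONE_REGION_BLOCKED = [
    Probe("us-east", "ARIN", True), Probe("eu-west", "RIPE", True),
    Probe("ap-south", "APNIC", False), Probe("sa-east", "LACNIC", True),
]
GEO_FENCED_TO_US = [
    Probe("us-east", "ARIN", True), Probe("us-west", "ARIN", True),
    Probe("eu-west", "RIPE", False), Probe("ap-south", "APNIC", False),
]

if __name__ == "__main__":
    for name, probes in [("one region blocked", ONE_REGION_BLOCKED),
                         ("geo-fenced to US", GEO_FENCED_TO_US)]:
        passed, problems = mpic_check(probes)
        print(name, "->", "pass" if passed else "FAIL", problems)
```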
Change 4: DNSSEC Enforcement
DNSSEC has an enhanced role in verifying domain ownership as well as validating the security of issuing certificates.
| Date | Event / Update | Notes |
| February 24, 2026 | DigiCert begins enforcing DNSSEC validation | DNSSEC validation applied during DCV + CAA checks when DNSSEC is present. |
| March 12, 2026 | Sectigo operational date | Sectigo compliance hub highlights broader 2026 compliance changes, including DCV reuse shortening and reminders for DNSSEC signing configuration. |
| March 15, 2026 | CA/Browser Forum Baseline Requirements update | DNSSEC validation becomes mandatory for relevant DNS lookups (industry-wide effective date in BR text). |
Required Actions to Take
- Review DNS configurations
- Ensure DNSSEC is properly implemented (if enabled)
- Fix misconfigured or broken DNSSEC records
Change 5: Sunsetting Client Authentication EKU from Public TLS Certificates
Public TLS certificates will no longer support Client Authentication Extended Key Usage (EKU).
| Change | Chrome Policy | DigiCert Transition Plan |
| Extended Key Usage (EKU) | Prior to June 15, 2026 — Both Server and Client Authentication EKUs can be included in TLS certificates | October 1, 2025 — Start issuing public TLS certificates with only Server Authentication EKU by default. Temporarily allow option to include both Server and Client Authentication EKUs during enrollment |
| | Starting June 15, 2026 — Only Server Authentication EKU can be included in TLS certificates | May 1, 2026 — Fully remove Client Authentication EKU from newly issued public TLS certificates (new, renewals, reissues, duplicates) |
| PKI Hierarchy | Prior to June 15, 2026 — TLS certificates may be issued from multipurpose root hierarchies | DigiCert will convert these roots to dedicated TLS hierarchies: DigiCert Global Root G2; DigiCert Global Root G3; DigiCert TLS ECC P384 Root G5; DigiCert TLS RSA4096 Root G5; QuoVadis Root CA2 G3 |
| | Starting June 15, 2026 — TLS certificates must be issued from dedicated TLS root hierarchies | |
Required Actions to Take
- Stop using public TLS certificates to authenticate clients
- Switch to either using a private PKI or dedicated client-authentication certificates
- Audit all applications that use Mutual TLS (mTLS)
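For the mTLS audit, the following added example (not DigiCert's or this site's code) classifies a certificate from the text printed by `openssl x509 -noout -text`. It flags certificates whose Client Authentication EKU will disappear at the next renewal, using the DigiCert May 1, 2026 date from the table above. The sample certificates and status names are constructed.

```python
import re
from datetime import datetime, date

DIGICERT_REMOVAL = date(2026, 5, 1)            # from the DigiCert column above
CLIENT_AUTH = "TLS Web Client Authentication"  # label openssl prints for clientAuth

def audit_eku(openssl_text):
    """Classify one certificate from `openssl x509 -noout -text` output."""
    eku = re.search(r"X509v3 Extended Key Usage:[^\n]*\n\s*([^\n]+)", openssl_text)
    usages = [u.strip() for u in eku.group(1).split(",")] if eku else []
    end = re.search(r"Not After\s*:\s*(.+?)\s+GMT", openssl_text)
    if not end:
        raise ValueError("no 'Not After' field found")
    not_after = datetime.strptime(end.group(1), "%b %d %H:%M:%S %Y").date()
    if CLIENT_AUTH not in usages:
        status = "server-only"                         # cannot act as an mTLS client cert
    elif not_after >= DIGICERT_REMOVAL:
        status = "client-auth-lost-at-renewal"         # replacement will lack clientAuth
    else:
        status = "client-auth-renewal-before-removal"  # renews before the removal date
    return {"not_after": not_after, "usages": usages, "status": status}

# Constructed excerpts in the layout openssl prints (not real certificates).
SAMPLE_MTLS = """\
        Issuer: CN = Example Public TLS CA (constructed)
        Validity
            Not Before: Dec 12 00:00:00 2025 GMT
            Not After : Jun 30 23:59:59 2026 GMT
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
"""
SAMPLE_SERVER = """\
        Validity
            Not Before: Apr 14 00:00:00 2026 GMT
            Not After : Aug 14 23:59:59 2026 GMT
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
"""

if __name__ == "__main__":
    for name, text in [("mtls-gateway", SAMPLE_MTLS), ("web-frontend", SAMPLE_SERVER)]:
        print(name, audit_eku(text)["status"])
```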
Future Changes to Keep in Mind
| Date | Update |
| March 15, 2026 | The Crossover method (3.2.2.4.8) will be phased out entirely. Phone/email methods are officially discouraged, but still allowed. |
| March 15, 2027 | Phone verification methods will be completely phased out, and no new certificates will be issued using this form of verification. |
| March 15, 2028 | Email verification methods will be completely phased out, and all certificates will use DNS, HTTP or IP verification forms. |
Conclusion
The SSL/TLS ecosystem continues to change in order to create better security, trust, and automation. By keeping current with these developments, you will eliminate the risk of certificate failures and downtime as well as regulatory compliance issues.
Stay current by monitoring the industry and visiting our blog for information on any updates to the CA/B Forum requirements, as well as the latest changes by DigiCert and Sectigo.
Our site offers numerous options for purchasing SSL certificates; feel free to reach out to our support staff for assistance with anything.