The requirements for publicly trusted code signing certificates are becoming more stringent, and the new limits are now effective. This is because of the CA/Browser Forum’s Ballot CSC-31, which shortens the validity period of the certificates to enhance the security of the software supply chain in case the private keys are compromised.
This post examines the current status of the validity limits and the changes the major certificate authorities have made in response.
Current Validity Limitation Update
Effective March 1, 2026, publicly trusted code signing certificates have a maximum validity period of no more than 460 days.
This change brings an end to the previous maximum validity period of up to 39 months and is in line with the overall industry trend to enforce shorter lifecycles for cryptographic credentials.
The main objectives of reducing the length of time a certificate is valid include:
- Reducing exposure (e.g., lowering the risk and impact of a private key being exposed)
- More frequent rotation of certificates
- Compliance with current cryptographic practices
- Maintaining accurate identity validation for the certificate holder
Certificates issued after March 1, 2026, are subject to the 460-day limit; certificates issued before March 1, 2026, remain valid until they expire or are suspended.
Certification Authority Enforcement Updates
The cutoff dates for requesting longer validity periods have now passed, and the certificate authorities are no longer processing extended-duration requests.
DigiCert Update
As of February 24, 2026, DigiCert will no longer accept requests for publicly trusted code signing certificates with a validity period longer than 459 days.
This is in line with the industry maximum and ensures that the updated baseline requirements are met.
Sectigo Update
The Sectigo implementation includes the following structure:
- One-year code signing certificates remain the same and are issued as usual
- Two- and three-year coverage is only available for HSM-based certificates
- Certificates issued through tokens or USB hardware are restricted to one-year validity
This will ensure that Sectigo remains compliant while still offering extended coverage through secure key storage environments that require annual certificate reissuance.
Cutoff Timing Status
To stay ahead of the enforcement timelines, both DigiCert and Sectigo set earlier operational cutoffs, each falling on February 16, 2026. Those dates have been reached, so any request that exceeds the new validity thresholds is no longer accepted through the standard ordering process.
Organizations that are using code signing infrastructure should consider the shorter lifecycle as the current operational baseline.
Operational Considerations
With shorter certificate lifetimes becoming the norm, organizations that run software signing processes are adjusting in the following areas:
- Tracking and managing certificate lifecycles
- Automating signing processes
- Storing signing keys securely, following current best practices
- Monitoring compliance across development pipelines
Moving to cloud key storage such as Google Cloud KMS, Azure Key Vault, or DigiCert KeyLocker supports continuous key management and reduces the renewal/reissuance frequency.
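As an added example (not code from this post or from any certificate authority), the following Python audit applies the 460-day limit and the March 1, 2026 issuance cutoff described above to a certificate inventory captured in `openssl x509 -noout -dates` format. The inventory entries, the audit date and the 60-day renewal lead time are constructed assumptions; a certificate over the limit is reported as non-compliant only if it was issued on or after the cutoff, otherwise it is flagged as grandfathered until it expires.

```python
"""Audit a code signing certificate inventory against the 460-day validity limit."""
import math
from datetime import datetime, timezone

MAX_VALIDITY_DAYS = 460                                        # CSC-31 maximum quoted in the post
ENFORCEMENT_DATE = datetime(2026, 3, 1, tzinfo=timezone.utc)   # certificates issued from this date are subject to it
RENEW_LEAD_DAYS = 60                                           # assumed renewal lead time (not from the post)
AUDIT_TIME = datetime(2026, 3, 15, tzinfo=timezone.utc)        # constructed "now" for the sample run

# Constructed inventory: `openssl x509 -noout -dates` output for four fictitious certificates.
SAMPLE_INVENTORY = {
    "build-signer-legacy":   "notBefore=Jan 15 00:00:00 2025 GMT\nnotAfter=Apr 15 23:59:59 2028 GMT\n",
    "release-signer-2026":   "notBefore=Mar 10 00:00:00 2026 GMT\nnotAfter=Jun 12 23:59:59 2027 GMT\n",
    "misissued-two-year":    "notBefore=Mar  2 00:00:00 2026 GMT\nnotAfter=Mar  2 23:59:59 2028 GMT\n",
    "token-signer-expiring": "notBefore=Apr  1 00:00:00 2025 GMT\nnotAfter=Apr  1 23:59:59 2026 GMT\n",
}

def parse_openssl_dates(text):
    """Return (not_before, not_after) as aware UTC datetimes from `openssl x509 -dates` output."""
    fields = dict(line.split("=", 1) for line in text.splitlines() if "=" in line)
    def to_utc(value):
        return datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
    return to_utc(fields["notBefore"]), to_utc(fields["notAfter"])

def validity_days(not_before, not_after):
    """Whole-day validity period; a partial trailing day (e.g. ending 23:59:59) counts as a full day."""
    return math.ceil((not_after - not_before).total_seconds() / 86400)

def audit_certificate(name, dates_text, now=AUDIT_TIME, lead_days=RENEW_LEAD_DAYS):
    not_before, not_after = parse_openssl_dates(dates_text)
    days = validity_days(not_before, not_after)
    remaining = (not_after - now).days
    if not_after <= now:
        status = "expired"
    elif days > MAX_VALIDITY_DAYS:
        # Over the limit: a violation if issued on/after the cutoff, otherwise still valid until expiry
        status = "non-compliant" if not_before >= ENFORCEMENT_DATE else "grandfathered"
    elif remaining <= lead_days:
        status = "renew-soon"
    else:
        status = "ok"
    return {"name": name, "validity_days": days, "days_remaining": remaining, "status": status}

def audit_inventory(inventory, now=AUDIT_TIME):
    """Audit every certificate, listing the ones that need action first."""
    order = {"expired": 0, "non-compliant": 1, "renew-soon": 2, "grandfathered": 3, "ok": 4}
    return sorted((audit_certificate(n, t, now) for n, t in inventory.items()), key=lambda r: order[r["status"]])

if __name__ == "__main__":
    for row in audit_inventory(SAMPLE_INVENTORY):
        print(f'{row["name"]:24} {row["validity_days"]:5}d valid {row["days_remaining"]:5}d left  {row["status"]}')
```

Feeding the function real `openssl x509 -in cert.pem -noout -dates` output for each certificate in your inventory gives the same report for live data.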
All the above changes are part of the industry shift to enhance trust in distributed software development.