Feb 2, 2026

Upcoming Changes to TLS Validity FAQs

OVERVIEW: This article contains upcoming changes and updates to GlobalSign SSL/TLS Validity. This page will be revised regularly to reflect new updates. We recommend you bookmark or revisit this for the latest changes and developments. The information provided here is for customers on the GCC platform. For Atlas customers, please refer to this page. Can't find what you're looking for? Get in touch for assistance.

 

• GENERAL QUESTIONS                                                                       
  1. What is changing?
  2. Why is this change happening?

• IMPORTANT DATES                                                                                              
  3. What is GlobalSign's timetable for this change?
  4. What are the important dates to be aware of?

• IMPACTS AND RECOMMENDATIONS                                
  5. How these changes impact my Certificate?
  6. Which GCC products are in scope for this change?
  7. What are the changes for the new "1-year" TLS Certificates?
  8. What happens to existing 1-year TLS Certificates?
  9. What does it look like in practice?
  10. Are standalone 6‑month certificates available?
  11. Will expiry and renewal notifications change?
  12. Can I edit the SANs on my 199-Day certificates?
  13. Are custom validity periods supported?

 

---

GENERAL QUESTIONS

1. What is changing?

Effective March 15, 2026, new CA/B Forum Baseline Requirements for publicly-trusted TLS certificates take effect, mandating:

1. Certificates issued on or after this date are limited to a maximum validity of 200 days.

2. Identity validation reuse for all publicly trusted certificates is limited to 398 days.

3. Domain / IP address validation reuse is limited to 200 days.

 

2. Why is this change happening?

This change is part of series of maximum validity reductions for publicly trusted TLS certificates, taking place through 2029, ultimately limiting certificates to a maximum validity of 47 days. These changes are intended to reduce exposure time compromised keys, reduce reliance on revocation systems, and to encourage best practices of more agile and automated PKI.

 

​​

---

IMPORTANT DATES

3. What is GlobalSign's timetable for this change?

While 200 days is the maximum permitted validity of a publicly-trusted TLS certificate, the maximum recommended validity is 199 Days.

GlobalSign will limit the validity of its publicly-trusted TLS certificates to 199 days and follow this pattern in limiting identity reuse to 397 days and domain validation reuse to 199 days.

 

Date Issued	Certificate Validity Period	Domain Name and IP Address Validation Data Reuse Periods
Present	397 days	397 days
March 15, 2026 onwards	199 days	199 days
March 15, 2027 onwards	99 days	99 days
March 15, 2029 onwards	46 days	46 days

 

 

4. What are the important dates to be aware of?

Date	Event
August 25, 2025	Domain validation reuse for MSSL (GCC) set to 199 days.
November 11, 2025	MSSL domains validated on or before 2025.08.25 is set to expire 2026.03.14.
March 14, 2026	GlobalSign in full enforcement mode for reduced validity requirements.
March 15, 2026	CA/B Forum TLS Baseline Requirements for 200-day max validity in full effect.

 

 

 

---

IMPACTS AND RECOMMENDATIONS

5. How will these changes impact me?

The primary impact of 199-day validity is replacing certificates more frequently. The exact workflow will depend on:

1. Which GlobalSign platform you use.

2. If you purchase certificates individually, in product packs, or take advantage of SAN Licensing.

3. Whether you order through the Web UI, API, or 3rd-Party Integration.

 

6. Which GCC products are in scope for this requirement?

In scope	Out of scope
All publicly-trusted TLS Certificates in GCC: AlphaSSL, Domain Validated (DV), Organization Validated (OV), Extended Validated (EV), QWAC. Publicly-trusted TLS Certificates issued by custom or branded CAs.	Certificates issued under: IntranetSSL product lines. Privately trusted hierarchies. Public certificates which do not contain the server authentication (serverAuth) EKU.
For Atlas, please refer to this page.

 

7. What changes for new “one (1) year” TLS Certificates in GCC?

In GCC, orders for 1-Year TLS certificates on or after March 14, 2026, are eligible for two 199-day certificates, providing up to 398 days of total potential coverage.

• Certificate 1: 199 days validity (billed at the 1‑year price).

• Certificate 2: 199 days validity, free renewal of the first certificate.

8. What happens to existing 1-year TLS Certificates in GCC?

Orders issued before March 14, 2026 will have up to 398 days of validity.

• For Reissues:

  • If you reissue an existing certificate on or after March 14, 2026 which has more than 199 days of validity remaining, the validity of the reissued certificate will be shortened to 199 days. However, you can reissue again at a later date to reach the original expiry of the first cert.

• SAN Changes to existing certificates after March 14, 2026:

  • If more than 199 days remain on the existing certificate:

    • Added SAN certificate is issued with 199‑day validity (shortened).

    • Validity may be recovered later via reissue.

  • If 199 days or fewer remain on the existing cert:

    • Added SAN certificate uses the original expiry date.

9. What does this look like in practice?

1. New order placed for a 1-Year certificate via the GCC UI or API.

2. The first certificate is issued with 199 Days of validity.

3. When the first 199‑day certificate is within the 30-day renewal window, use the renew function to receive the second 199‑day certificate at $0 (free).

   • Renewal must:

     • Use the same PAR (account).

     • Use the same product.

     • Follow applicable SAN option constraints: Can swap SANs of the same type but cannot add SANs or change SAN type (i.e., swapping a wildcard for FQDN SAN).

4. Any further renewal is treated like a normal renewal:

   • You see whatever options your price table allows.

   • Regular pricing applies.

IMPORTANT: To get the free certificate, you must use the renewal function. If there is no original order associated, standard billing will apply.

 

10. Are standalone 6‑month certificates available?

Yes, with the following conditions:

• The product SKU must be enabled on the account.

• 6‑month GCC certificates are normalized to 199 days.

• The price of two 6‑month certificates is about 20% higher than a one 1‑year contract.

• No standalone 6-month option for EV.

11. Will expiry and renewal notifications change?

• Renewal notifications will now start 30 days before expiration (shortened from 90 days).

• Each certificate displays its own expiry date. There is not a “combined” 398-day expiry; certificates are managed individually.

12. Can I edit the SANs on my 199-Day certificates?

• For MSSL SAN Licensing customers, SANs can be added or removed on any valid certificate.

• For customers using the 1-Year Contract:

  • SANs may be edited for a fee on the first 199 Day certificate.

  • SANs may only be edited for a fee on the second 199-day certificate if the 6-month SAN option is enabled.

  • For EV: SANs may be edited for a fee on the first or second 199-day certificate.

13. Are custom validity periods supported?

Custom validity periods are supported for standalone 6-month certificates. Custom validity periods are not available for certificates using the bundled 1 Year model.