
Shorter SSL Certificate Lifespans Are Coming – What NZ Businesses Should Know

  • Writer: Joseph Rapley
  • 1 day ago

If you manage a website or IT services for a NZ business, there’s a big change coming. SSL/TLS certificates (those things that make your site secure and show the padlock in the browser) are about to get much shorter lifespans.

Right now, these certificates last around 13 months. But starting in 2026, the industry will gradually shorten that. By March 2029, certificates will only last 47 days – just over six weeks. So instead of renewing once a year, you’ll be renewing every month and a half.

SSL Expiration

What’s Changing?

Here’s the timeline:

  • March 2026 – Max certificate lifespan drops to 200 days

  • March 2027 – Drops again to 100 days

  • March 2029 – Final drop to just 47 days


These changes are now locked in by the CA/Browser Forum, the group that includes major browser makers like Google, Mozilla, and Apple, along with certificate providers. All public SSL/TLS certificates will follow these limits.

By 2029, your certs will need renewing every six to seven weeks. And that means automation will become essential.


Why Is This Happening?

The goal is to make the web safer, more accurate, and less reliant on manual processes. Here’s how.

  • Reduce the risk if something goes wrong

    If a certificate or private key gets stolen, or is issued to the wrong person, it can be used to impersonate your site. The shorter the certificate's lifespan, the less time an attacker has to abuse it. A certificate that expires in 47 days is far less useful to an attacker than one that lasts a year.


  • Outdated information is a real problem

    Certificates include details about who owns the site and what encryption it supports. But over time, that information can go stale – a business might shut down, a domain might be sold, or encryption standards might change. Shorter lifespans mean that info gets refreshed more often, so users and browsers are trusting up-to-date details.


  • Certificate revocation doesn’t always work

    In theory, if something goes wrong with a certificate, it can be revoked. But in practice, most browsers either don’t check revocation lists at all or check them inconsistently. That means a bad cert can remain trusted long after it should be blocked. Short lifespans solve this: if a certificate is compromised, it will soon expire anyway, whether or not the browser checks for revocation.


  • Push for automation across the board

    This is a big one. The industry wants to move away from the days of IT teams setting reminders to renew certs manually. It’s too easy to miss one, and too costly when you do. Automating certificate issuance and renewal is more secure, more reliable, and more scalable. Making certificates short-lived effectively forces that shift.


Think of it like moving from manual backups to automated ones – once it’s set up, it’s easier, safer, and far less likely to break.


What Does This Mean for You?

If you’re used to renewing certificates once a year, this will feel like a major change. Manually renewing them every 47 days is unrealistic and risky. But once automation is in place, it becomes a background process. You won’t have to think about expiry dates or downtime.


How to Prepare (Without the Panic)

1. Take stock - Make a list of all your SSL certificates – where they’re used, who manages them, and when they expire.


2. Set up automation - Use ACME clients like Certbot or Win-ACME, or talk to your hosting or IT provider about enabling automated renewals. Let’s Encrypt is a great example – it already uses 90-day certs and expects you to automate.


3. Ask your provider - If you use a third party to manage your website or hosting, check that they’re across the changes and have a plan. You don’t want to be caught out in 2026.


4. Test it early - Try switching one site to a 90-day cert and automate it now. It’s a great way to make sure your processes are solid before shorter lifespans are enforced.
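To make the "take stock" step concrete, here is an added example (not from the original article) that runs a small certificate inventory against the timeline above and projects how often each certificate will need renewing through 2029. The inventory records, the renew-30-days-before-expiry policy and the renew-at-one-third-remaining rule are assumptions for illustration, as are the 15th as the effective day and 398 days as today's limit, which the article does not state.

```python
from datetime import date, timedelta

# Maximum lifetime by issuance date, newest rule first (article's timeline).
# Assumed, not stated on the page: the 15th as the effective day and
# 398 days as the current limit (the page says "around 13 months").
SCHEDULE = [
    (date(2029, 3, 15), 47),
    (date(2027, 3, 15), 100),
    (date(2026, 3, 15), 200),
    (date.min, 398),
]

# Constructed sample inventory: host, expiry date, whether renewal is automated.
INVENTORY = [
    {"host": "www.example.co.nz", "not_after": date(2026, 6, 1), "automated": True},
    {"host": "mail.example.co.nz", "not_after": date(2026, 2, 10), "automated": False},
    {"host": "vpn.example.co.nz", "not_after": date(2025, 12, 20), "automated": False},
]

def max_lifetime_days(issued_on):
    """Longest lifetime allowed for a certificate issued on this date."""
    return next(days for effective, days in SCHEDULE if issued_on >= effective)

def renewal_dates(first_renewal, until):
    """Project renewal dates, renewing when a third of the lifetime remains."""
    dates, when = [], first_renewal
    while when <= until:
        dates.append(when)
        lifetime = max_lifetime_days(when)
        when += timedelta(days=lifetime - lifetime // 3)
    return dates

def audit(inventory, today, horizon=date(2029, 12, 31)):
    """Return (host, status, days_left, next_limit, renewals_until_horizon)."""
    findings = []
    for cert in inventory:
        days_left = (cert["not_after"] - today).days
        # Hypothetical policy: renew 30 days before expiry, or today if overdue.
        renew_on = max(today, cert["not_after"] - timedelta(days=30))
        status = ("EXPIRED" if days_left < 0
                  else "OK" if cert["automated"] else "AUTOMATE")
        findings.append((cert["host"], status, days_left,
                         max_lifetime_days(renew_on),
                         len(renewal_dates(renew_on, horizon))))
    return findings

if __name__ == "__main__":
    for row in audit(INVENTORY, today=date(2026, 1, 5)):
        print("{:<20} {:<9} {:>4}d left, next cert <= {}d, {} renewals by end of 2029".format(*row))
```

Any row flagged AUTOMATE or EXPIRED is a certificate to move onto an ACME client first, since its renewal count only grows as each limit takes effect.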


Will This Cost More?

No. Certificate authorities have made it clear that shorter lifespans won’t lead to higher prices. You’ll still pay for a year (or multiple years) of coverage, and your certs will be reissued as often as needed within that period.

If you’re using Let’s Encrypt, it’s still free and designed for short-term, automated certificates.


Final Thoughts

At first glance, shorter SSL certificates might seem like a hassle, especially for small IT teams. But the intent is solid: to improve trust, reduce risks, and eliminate avoidable downtime.


You’ve got time to get ready as the first change doesn't come in until March 2026, but don’t leave it until the last minute. Start preparing now, and by the time 47-day certs arrive, you’ll have a smoother, more secure system that runs itself.

