SSL Certificate validity periods are getting shorter. From March 15, 2026, the maximum validity for any SSL Certificate is 200 days, with further reductions to 100 days in 2027 and just 47 days by 2029.
These industry-wide changes mean that manual SSL Certificate management is becoming increasingly difficult to sustain. Trustico® Certificate as a Service (CaaS) provides a fully automated solution that eliminates the burden of frequent reissue entirely.
Why SSL Certificate Validity Periods Are Getting Shorter
The CA/Browser Forum, which sets the industry standards that all Certificate Authorities (CA) must follow, approved a phased reduction in the maximum lifetime of SSL Certificates. The purpose of shorter validity periods is to ensure that domain ownership is verified more frequently, reducing the window during which a compromised or incorrectly issued SSL Certificate can be exploited.
For website owners and server administrators, this means that SSL Certificates will need to be reissued more often than ever before. An SSL Certificate purchased today with a multi-year license will still require a new reissue roughly every six months under the 200-day limit, and eventually every few weeks once the 47-day maximum takes effect in March 2029. Discover SSL Certificate Validity Period Changes 🔗
Important : These validity reductions apply to all SSL Certificates across the entire industry, regardless of the provider or Certificate Authority (CA). They are not specific to Trustico® or Sectigo® and cannot be overridden. The only practical way to manage this change at scale is through automation.
The Problem with Manual SSL Certificate Management
Traditionally, website owners have managed their SSL Certificates by manually requesting a reissue, completing Domain Validation (DV), and installing new SSL Certificates on their servers. When validity periods were 397 days, this meant performing this process roughly once a year, which was manageable for most organizations.
With 200-day validity periods now in effect, the same process must happen approximately twice per year for each domain. When validity drops to 100 days, that increases to roughly four times per year. At 47 days, administrators will need to reissue and install SSL Certificates nearly every month. For organizations managing multiple domains and subdomains, the manual approach quickly becomes unsustainable. Learn About Managing Short SSL Certificate Validity 🔗
The Solution : Certificate as a Service (CaaS) with Full Automation
Trustico® Certificate as a Service (CaaS) solves the problem of frequent SSL Certificate reissue by fully automating the entire process. With a Certificate as a Service (CaaS) license, your server handles SSL Certificate reissue automatically, without any manual intervention required.
Certificate as a Service (CaaS) uses the Automatic Certificate Management Environment (ACME) protocol, the same industry-standard technology used by major web infrastructure providers worldwide.
An ACME client installed on your server communicates directly with the Certificate Authority (CA) to request, validate, and install SSL Certificates automatically. When your installed SSL Certificate approaches its required reissue date, the ACME client initiates a new reissue, completes domain validation, and installs the replacement SSL Certificate, all without you having to do anything. Explore Certificate as a Service (CaaS) Information 🔗
Tip : With Certificate as a Service (CaaS), it does not matter whether the maximum validity is 200 days, 100 days, or 47 days. Your SSL Certificates are automatically reissued within your license period, so every future reduction in validity is handled for you without any changes to your setup.
How Certificate as a Service (CaaS) Works
The Certificate as a Service (CaaS) model is straightforward. Instead of purchasing individual SSL Certificates that require manual management, you purchase a Certificate as a Service (CaaS) license for your domain. That license covers continuous SSL Certificate protection for the duration of your purchase, with all reissues handled automatically by the ACME protocol.
Step 1 : Purchase a Certificate as a Service (CaaS) License
Select the Certificate as a Service (CaaS) product that matches your needs. Trustico® offers Certificate as a Service (CaaS) licenses for both single site domains and wildcard SSL Certificates that cover unlimited subdomains. Licenses are available in multi-year terms, providing long-term automated protection at a predictable cost. View Our Certificate as a Service (CaaS) SSL Certificates 🔗
Step 2 : Obtain Your External Account Binding (EAB) Credentials
After your purchase is processed, you will receive External Account Binding (EAB) credentials. These credentials link your ACME client to your Trustico® Certificate as a Service (CaaS) license. The External Account Binding (EAB) credentials ensure that only your authorized server can request SSL Certificates against your license. Learn About External Account Binding (EAB) Credentials 🔗
Step 3 : Install an ACME Client on Your Server
An ACME client is a lightweight software tool that runs on your server and manages the entire SSL Certificate lifecycle. Popular ACME clients include Certbot, acme.sh, and win-acme, each suited to different server environments and operating systems. Discover Supported ACME Clients 🔗
Step 4 : Configure Your ACME Client with Your External Account Binding (EAB) Credentials
Once your ACME client is installed, configure it with the External Account Binding (EAB) credentials provided by Trustico® and set the ACME server directory URL to the provided endpoint. This one-time configuration step connects your server to the Certificate Authority (CA) infrastructure. From this point forward, your ACME client will handle all communication with the Certificate Authority (CA) on your behalf. Explore ACME Protocol and Server Configuration 🔗
Step 5 : Your SSL Certificates Are Now Fully Automated
After configuration, your ACME client will automatically request your initial SSL Certificate, complete Domain Control Validation (DCV), and install the SSL Certificate on your server. When an SSL Certificate approaches its expiration date, the ACME client will automatically reissue a new one, extending your protection based on the remaining license validity. No manual steps are required from this point forward.
Note : The implementation of your ACME client on your server infrastructure is your responsibility. Every hosting environment is different, and the configuration will depend on your specific server software, operating system, and network setup. Trustico® provides the External Account Binding (EAB) credentials and configuration parameters, while the server-side installation is completed by your technical team.
Available Certificate as a Service (CaaS) Products
Trustico® offers Certificate as a Service (CaaS) licenses through both the Trustico® and Sectigo® product lines. Each product provides the same automated ACME-based management, with the choice between product lines depending on your preference and requirements.
Single Site Certificate as a Service (CaaS) Licenses
Single site Certificate as a Service (CaaS) licenses cover a single Fully Qualified Domain Name (FQDN), such as www.example.com. These are ideal for organizations that need automated SSL Certificate management for individual websites or applications.
Wildcard Certificate as a Service (CaaS) Licenses
Wildcard Certificate as a Service (CaaS) licenses cover unlimited subdomains under your domain, such as *.example.com, as well as the root domain itself. These are designed for organizations managing multiple subdomains or dynamic infrastructure where new subdomains are created frequently.
Certificate as a Service (CaaS) Compared to Traditional SSL Certificates
Traditional SSL Certificates require manual reissue, validation, and installation each time the installed SSL Certificate approaches the end of its validity. This approach has worked well when SSL Certificates lasted a full year, but it is becoming impractical as validity periods shorten.
Certificate as a Service (CaaS) removes the manual steps entirely, replacing them with an automated process that scales effortlessly regardless of how short validity periods become.
The key difference is operational overhead. With a traditional SSL Certificate, every validity period reduction directly increases your workload. With Certificate as a Service (CaaS), your workload remains the same, because automation handles every reissue cycle for you. Discover Traditional SSL Certificates vs Certificate as a Service (CaaS) 🔗
Getting Started Today
The transition to shorter SSL Certificate validity periods has already begun. Rather than waiting until the administrative burden of manual reissue becomes overwhelming, organizations can adopt Certificate as a Service (CaaS) now and benefit from automated management immediately.
To get started, select the license that matches your domain requirements. After your purchase, follow the steps outlined above to configure your ACME client and activate fully automated SSL Certificate management. View Our Certificate as a Service (CaaS) SSL Certificates 🔗
For additional information about how Trustico® is helping customers adapt to shorter SSL Certificate validity periods, including information on other tools and approaches beyond full automation, review our website from time to time as it will be updated as the industry adapts to the required changes. Learn About Managing Short SSL Certificate Validity 🔗
Below RRP CaaS
Below RRP CaaS
Below RRP CaaS
Below RRP CaaS
