How often will you actually renew an SSL certificate over the next four years?
Until March 2026 the answer for a typical public TLS cert is "once a year, give or take." After that it accelerates fast. Here's the math, by phase, with a table of issuances per year for any portfolio size you care about.
The schedule
Under CA/Browser Forum Ballot SC-081v3, public TLS certificate maximum validity drops in three steps:
| Effective from | Max validity | Equivalent | Renewals per cert / year |
|---|---|---|---|
| Today | 398 days | ~13 months | ~0.92 |
| March 15, 2026 | 200 days | ~6.5 months | ~1.83 |
| March 15, 2027 | 100 days | ~3.3 months | ~3.65 |
| March 15, 2029 | 47 days | ~1.5 months | ~7.77 |
So a single certificate goes from ~1 renewal a year today to nearly 8 renewals a year by 2029.
Per-portfolio renewal table
Multiply that out across the size of your TLS estate:
| Certs in portfolio | Today (~398d) | 2026 (~200d) | 2027 (~100d) | 2029 (~47d) |
|---|---|---|---|---|
| 1 cert | 1 / year | 2 / year | 4 / year | 8 / year |
| 10 certs | 10 / year | 18 / year | 37 / year | 78 / year |
| 50 certs | 46 / year | 91 / year | 183 / year | 388 / year |
| 100 certs | 92 / year | 183 / year | 365 / year | 777 / year |
| 600 certs | 550 / year | 1,095 / year | 2,190 / year | 4,660 / year |
| 1,000 certs | 917 / year | 1,825 / year | 3,650 / year | 7,766 / year |
| 10,000 certs | 9,170 / year | 18,250 / year | 36,500 / year | 77,660 / year |
For comparison, 4,660 renewals per year is roughly 18 issuances per business day, every business day. Nobody is doing that by hand.
Per-day load at the 2029 cadence
If you flatten 47-day issuances over the calendar:
| Portfolio | Approx. renewals per day |
|---|---|
| 10 certs | ~0.2 / day (one every 5 days) |
| 100 certs | ~2 / day |
| 600 certs | ~13 / day |
| 1,000 certs | ~21 / day |
| 10,000 certs | ~213 / day |
You can absorb 2/day with some scripting and an alerting tool. You cannot absorb 213/day without a Certificate Lifecycle Management platform or equivalent automation.
The validation reuse changes that nobody talks about
It isn't just certificate lifetime that's shrinking. SC-081v3 also reduces how long you can reuse organisation validation (OV/EV) data:
- Today: 825 days max. Get OV'd once and stretch the validation across 2+ years of renewals.
- From March 2026: 398 days max. Re-do organisation validation roughly annually.
For most OV/EV customers that means re-submitting identity documents, business registration evidence, and authorisation letters once a year — on top of the 8x increase in renewals. Multi-year "coverage" deals from CAs still exist, but they're now buying you a sequence of short-lived certs, not the cert itself.
What to do about it
The short version: monitor everything, automate everything you can, and start now.
The longer version is in our pillar piece on the SC-081v3 schedule, but the rough phasing is:
- 2026: complete inventory + monitoring on every cert. Set up SSL/TLS certificate expiry monitoring with two-stage alerts.
- 2027: switch every renewable cert to ACME or CA API automation.
- 2028: dry-run a 47-day cadence on internal certs to find what breaks.
- 2029: the new normal arrives — you should already be running it.
The teams that wait are the teams that outage in March 2029. The teams that move now have three years of breathing room.
Further reading
- Apple's 47-day TLS certs explained: full SC-081v3 breakdown
- SSL/TLS Certificate Expiry Monitor — Trace Warrior's monitor with email + webhook alerts, 14-day free trial
- SSL Certificate Checker — free on-demand cert inspector