ExpiryPing
← Back to Blog

June 4, 2026 · 4 min read

SSL Certificates Just Got a Lot Shorter — What It Means for Agencies

The CA/Browser Forum reduced SSL certificate lifespans from 398 days to 200 days. By 2029 it drops to 47 days. Here's what that means for agencies managing client sites.

Most developers I've talked to don't know this yet.

In March 2026 the CA/Browser Forum officially reduced the maximum SSL certificate lifespan from 398 days to 200 days. By 2027 it drops to 100 days. By 2029 it's 47 days.

That's roughly 8x more renewal cycles per year by 2029.

The Real Problem Isn't Renewal

Let's Encrypt, Cloudflare, and most modern hosting handles renewal automatically. The problem is when auto-renewal fails silently.

And it does fail. More often than you'd think.

Here's how it happens:

  • DNS challenge fails after a nameserver migration
  • Let's Encrypt rate limiting kicks in
  • Nginx or Apache doesn't reload after cert renewal
  • Wildcard certs that can't auto-renew without manual steps
  • Client moves hosting, breaks the automation, nobody notices

In every one of these cases the cert expires. The browser shows a security warning. The client calls you.

Domain Expiry Is Worse

At least SSL has auto-renewal as a partial solution. Domain expiry doesn't.

Auto-renew on a domain requires:

  • Credit card on file at the registrar
  • Card not expired
  • Registrar actually processing the charge
  • Client not accidentally disabling it

I've seen agencies lose client domains because the registrar renewal email went to a former employee's inbox. The domain expired, dropped, and a squatter picked it up within hours.

What the 47-Day Change Means in Practice

By 2029 you'll be managing roughly 8 renewal cycles per year per domain instead of one. More cycles means more chances for something to go wrong.

For an agency managing 30 client sites that's potentially 240 renewal events per year to stay on top of.

How to Handle It

The answer isn't manual tracking — spreadsheets don't scale and don't alert you at 2am when something breaks.

What you need is passive monitoring. Something that checks every cert and domain daily, and emails you at 30, 14, 7, and 1 day before anything expires. No credentials required — just the domain name.

That's exactly why I built ExpiryPing. It monitors SSL certificates and domain expiry across all your client sites and sends email and Slack alerts before anything expires. Free for up to 3 domains, paid plans from $19/month.

If you're managing more than a handful of client sites, the 47-day change makes passive monitoring a necessity, not a nice-to-have.

Monitor your SSL certificates and domains

ExpiryPing alerts you at 30, 14, 7, and 1 day before anything expires. No credentials required. Free for 3 domains.

Start Free