Support >
  About cybersecurity >
  How long is an EV certificate valid? A breakdown of the new rules from the CA/B Forum in 2026!

How long is an EV certificate valid? A breakdown of the new rules from the CA/B Forum in 2026!

Time : 2026-07-15 14:32:30
Edit : DNS.COM

  EV certificates (Extended Validation Certificates) have long been recognized as having the highest level of trust in the digital certificate system, not only because of their rigorous review process, but also because they directly display the company name in the browser's address bar, giving users an immediate sense of trust. However, 2026 saw a significant rule adjustment. If you still believe that EV certificates can be applied for for many years at once and left unattended, your understanding may need to be revised.

  I. Conclusion: March 15, 2026, is a watershed moment.

  Before March 15, 2026, the maximum validity period for EV SSL certificates was 398 days (approximately 13 months), a standard previously enforced by the CA/B Forum. This meant that as long as the certificate was issued before this date, it could still be used normally within the 398-day period.

  However, from March 15, 2026, the rules officially changed: the maximum validity period for all newly issued public SSL/TLS certificates (including EV certificates) was reduced to 200 days (approximately 6.6 months). In the CA/B forum's timeline, this is just the first step—the validity period will be further shortened to 100 days by March 15, 2027, and finally compressed to 47 days by March 15, 2029.

  It's important to note that EV certificates, like OV certificates, are subject to this rule, unlike DV certificates which only verify domain ownership. EV certificates involve deep verification of organizational identity; each renewal or update requires a new enterprise qualification verification process, resulting in a tighter timeframe and greater operational pressure.

  II. Why reduce the validity period from 398 days to 200 days, or even 47 days?

  This seemingly radical adjustment has a clear practical logic behind it.

  The primary driving force is to shorten the risk window period for private key leakage. The longer the certificate validity period, the longer the private key is exposed in the network environment. Once leaked, attackers can use the certificate to carry out man-in-the-middle attacks or forge legitimate websites. By forcing frequent rotation, even if the private key is leaked at a certain point in time, its effective attack window is significantly compressed.

  Secondly, it promotes the automation of certificate management. When certificate validity periods are shortened to hundreds or even tens of days, manually managing the application, deployment, and renewal of each certificate becomes extremely impractical. The industry trend is to foster automated certificate management tools (such as the ACME protocol), making "high-frequency certificate rotation" an automated infrastructure capability, rather than a burden on maintenance personnel.

  Thirdly, a phased implementation timeline.

  Based on notifications from multiple CA organizations, the EV SSL certificate validity period change will proceed according to the following schedule:

Effective date Maximum validity period of certificate illustrate
Before March 15, 2026 398 days Certificates issued before this time point can be used normally until their expiration.
Starting March 15, 2026 200days This restriction applies to both newly issued and reissued certificates.
Starting March 15, 2027 100days Further shorten
Starting March 15, 2029 47days Final target value

  IV. Actual Impact on Enterprises and Recommendations

  First, the renewal schedule needs to be redesigned. Previously, EV certificates could be applied for once and remain valid for over a year; now, renewals are required every 6.6 months, and each renewal involves re-verification of the organization's identity. It is recommended to initiate the renewal process 30-60 days in advance, avoiding processing at the expiration date.

  Second, managing multiple certificates in bulk will become a pain point. If an enterprise holds EV certificates for multiple external business applications (e-commerce payment pages, enterprise login portals, API gateways, etc.), and each certificate has a different expiration date, manually tracking the update window for each node will become extremely cumbersome. It is recommended to use a unified certificate management platform for lifecycle tracking.

  Third, the differences in the review process between EV certificates and OV/DV certificates will still affect the processing time. The EV certificate application process involves enterprise registration information verification, telephone follow-ups, etc., and the review typically takes 3-5 business days. With the shortened validity period, if verification is unsuccessful or there are delays due to supplementary materials, the actual usable certificate time will be even shorter. Sufficient review time should be allowed, especially when applying for an EV certificate for the first time.

  Fourth, some vendors offer a transitional solution of "purchase annually, issue certificates in installments." For example, GlobalSign issues two 199-day certificates for one-year orders, with the second certificate renewable free of charge 30 days before its expiration. This mechanism alleviates the hassle of "paying every 199 days" for businesses, but certificate deployment and renewal still require manual or automated processing.

  Fifth, a concept to distinguish: EV code signing certificates

  It's important to note that "EV certificates" have two branches—EV SSL certificates (used for website encryption) and EV code signing certificates (used for software signing). Their validity periods are not synchronized.

  From March 2026, the maximum validity period for EV code signing certificates has been adjusted to 459-460 days (approximately 15 months), instead of the 200 days for SSL certificates. When applying, be sure to confirm whether you need an EV SSL certificate or an EV code signing certificate, as their validity periods, uses, and review processes are significantly different.

DNS Amy
DNS Luna
DNS Anna
DNS NOC
Title
Email Address
Type
Information
Code
Submit