📅 SSL Renewal Cadence

How Often to Renew an SSL Certificate
By cert type and lead time

Paid SSL certificates max out at 398 days. Let's Encrypt and most free issuers cap at 90 days. By 2029, every public certificate will renew at least every 47 days. The right reminder lead time depends on which one you have.

The current ceiling: 398 days

Since September 2020, every publicly-trusted SSL certificate has been capped at a maximum lifetime of 398 days under CA/Browser Forum baseline requirements. Most paid certificates are issued as either 1-year (398 days) or 2-year-plan-with-1-year-reissue arrangements. DigiCert, Sectigo, GoDaddy, and every other major CA conform to this limit — there is no tier that buys you a 2-year cert anymore.

Let's Encrypt, which now issues more than 60% of all public certificates, has always used 90-day lifetimes. The shorter window forces automation: manual renewal every 90 days is painful enough that everyone scripts it, which means renewal failures are operational problems instead of human-memory problems.

The 47-day timeline

In April 2025, the CA/Browser Forum unanimously approved Ballot SC-081, phasing maximum certificate lifetimes from 398 days down to 47 days. The transition is staged so the ecosystem has time to fully automate.

From March 2026: 200-day maximum
From March 2027: 100-day maximum
From March 2029: 47-day maximum

The endpoint is intentional. A 47-day lifetime makes manual renewal impractical and forces every operator onto ACME-style automation. It also limits the blast radius of any single compromised key to about a month and a half. If you currently rely on calendar reminders to renew a paid cert once a year, that pattern stops working in 2027 at the latest.

Reminder lead time by cert type

Match the lead time to the worst-case renewal, not the happy path.

Paid 398-day cert

Lead time: 30 days. Long enough to handle DNS or CAA changes, validation retries, and a possible reissue if anything goes wrong.

Let's Encrypt 90-day cert

Lead time: 60 days. If auto-renew has been failing silently, you still have a full month to investigate before any visible breakage.

Future 47-day cert

Lead time: 14 days. At this cadence the reminder is a backstop on automation, not the primary mechanism. Fully automated renewal is mandatory.
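The lifetime schedule and the three lead times above, combined into one check. This is an added example, not code from the original page; the function names are hypothetical, the 15th-of-March dates come from Ballot SC-081 (the page gives only the month), and putting 100- and 200-day certs in the 30-day bucket is an assumption.

```python
from datetime import date, datetime, timedelta

# SC-081 phase-in, newest first. The page gives only the month for each step;
# the 15th is taken from the ballot itself.
PHASES = [
    (date(2029, 3, 15), 47),
    (date(2027, 3, 15), 100),
    (date(2026, 3, 15), 200),
]
CURRENT_CAP = 398  # ceiling since September 2020

def parse_dates(openssl_text):
    """Parse the notBefore=/notAfter= lines of `openssl x509 -noout -dates`."""
    fields = dict(l.split("=", 1) for l in openssl_text.strip().splitlines())
    fmt = "%b %d %H:%M:%S %Y %Z"
    return tuple(datetime.strptime(fields[k], fmt).date()
                 for k in ("notBefore", "notAfter"))

def max_lifetime_days(issued):
    """Longest lifetime a publicly-trusted cert issued on `issued` may have."""
    for start, cap in PHASES:
        if issued >= start:
            return cap
    return CURRENT_CAP

def lead_time_days(lifetime):
    """Reminder lead time, using the page's three buckets."""
    if lifetime <= 47:
        return 14
    if lifetime <= 90:
        return 60
    # Assumption: 100- and 200-day certs, which the page does not cover,
    # share the 30-day lead time of paid 398-day certs.
    return 30

def reminder_plan(not_before, not_after, today):
    """Return the reminder date, renewal status, and an over-the-cap flag."""
    lifetime = (not_after - not_before).days
    remind_on = not_after - timedelta(days=lead_time_days(lifetime))
    status = ("expired" if today > not_after
              else "renew-now" if today >= remind_on else "ok")
    return {"lifetime_days": lifetime, "remind_on": remind_on, "status": status,
            "over_cap": lifetime > max_lifetime_days(not_before)}

# Constructed sample: a 90-day certificate, checked 35 days after issuance.
SAMPLE = "notBefore=Jan  1 00:00:00 2025 GMT\nnotAfter=Apr  1 00:00:00 2025 GMT\n"

if __name__ == "__main__":
    print(reminder_plan(*parse_dates(SAMPLE), today=date(2025, 2, 5)))
```

A cert flagged `over_cap` was issued with a lifetime longer than the schedule allows for its issuance date, which is worth checking before the next reissue.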

Should you renew early?

Yes, almost always. Most CAs let you renew within the last 30 days of validity, and the new cert's expiry date is calculated from your old cert's expiry — not from today — so you do not lose any paid days by acting early.

Renewing early also gives you a buffer to catch problems. CAA record changes, DNS validation failures, and CDN edge issues can each take a day or two to debug. If you wait until the last possible day, any one of those becomes a live outage. Renew at the 30-day mark and the worst-case scenario is "deploy delayed by a few days," not "site is down right now."

For Let's Encrypt and other automated 90-day certs, the standard renewal window is the last 30 days of the cert. Certbot defaults to renewing when 30 days remain, which means if anything fails on first attempt, cron has 30 days of retries. Pair that with a 60-day external reminder and you get two independent safety nets — automation plus a date-based reminder that does not depend on whether your scripts are working.

Common questions about SSL renewal cadence

How often do SSL certificates need to be renewed?

Paid SSL certificates currently max out at 398 days under CA/Browser Forum rules. Let's Encrypt and most other free issuers cap at 90 days. The industry is moving toward a 47-day maximum, with full implementation phased in by March 2029. Your renewal cadence should match whichever lifetime your provider issues.

Why is the maximum SSL certificate lifetime being shortened to 47 days?

The CA/Browser Forum approved Ballot SC-081 in 2025 to phase certificate lifetimes down to 47 days by March 2029, with intermediate steps at 200 and 100 days first. The reasoning: shorter lifetimes limit the damage of compromised keys and force automation, since manual renewal at 47-day cadence is impractical.

Can I renew my SSL certificate early?

Yes. Most CAs let you renew up to 30 days before expiry — and the new certificate's validity is added on top of any time remaining on the old one, so you do not lose paid days. Renewing early is the safer pattern: it gives you a buffer to catch validation problems before the old cert expires.

How long should I set my SSL reminder lead time?

30 days for paid one-year certificates, 60 days for 90-day Let's Encrypt certificates, 14 days once 47-day certificates become standard. Always pad for worst-case validation issues — DNS propagation delays, CAA record updates, and CDN-blocked ACME challenges can each consume days on their own.

Do longer-lifetime certificates still exist for any use case?

For publicly-trusted certs, no. The 398-day cap applies to every CA in every browser's trust store. Internal CAs that issue certs only for private networks can still issue multi-year certs, but those certs are not trusted on the public web.

Why do free certificates only last 90 days?

Let's Encrypt set 90 days as a deliberate forcing function for automation — short enough that no human realistically renews manually, long enough that automated renewal failures have a few attempts to catch up before expiry. The model worked: it pushed the entire industry toward shorter, automated cycles.

Pick a date, set the reminder

Whatever cert type you have, the reminder lead time should match. 30 days for paid, 60 for Let's Encrypt. Set it once, get follow-ups until you renew.
