Code Signing Certificates’ Lifespans to Drop to One Year

Starting March 1, the lifespans of software-signing digital certificates will be reduced from 39 months to 15 months. Order a 2- or 3-year certificate ASAP before they’re officially gone.

Editor’s Note: Major CAs, including DigiCert and Sectigo, are rolling out these changes ahead of the March 1 deadline.

Shorter code signing certificate lifespans = more secure software supply chains

There have been numerous industry shake-ups in recent years regarding certificate validity periods. Since 2015, we’ve watched the CA/Browser Forum steadily march down SSL/TLS certificate validity periods from five years to one year. (Validity will drop to 47 days by 2029.) The idea is to make digital certificates more secure by:

  • decreasing the validity period of certificates (so their cryptographic keys are replaced more frequently and are valid for less time in the event they become compromised)
  • ensuring that the most up-to-date algorithms are in use and certificates are compliant with industry standards
  • ensuring individual and organizational identity data remains as current as possible (which is good when employees leave your organization)

For code signing certificates, these benefits strengthen your software supply chain. Historically, code signing certificates have been issued with one- to three-year validity periods. Starting on or before March 1, 2026, code signing certificates will be valid for no more than 460 days. (Most CAs are rolling out these changes ahead of time to mitigate last-minute validation delays and other issues.)

What do these certificate lifespan changes mean for your business, and what do you need to do to prepare?

Let’s hash it out.

What’s Happening (From an Industry Perspective)

The maximum lifespan of a code signing certificate will be reduced by more than half, dropping from 39 months (call it three years) to 15 months (let’s say one year) starting March 1, 2026. This is thanks to CA/B Forum Ballot CSC-31, which spells out the certificates’ maximum validity period reduction.

Essentially, this means any certificates issued on or after March 1, 2026 must have a lifespan that doesn’t exceed the one-year limit.   

When the Certificate Lifespan Reductions Will Roll Out

Some leading certification authorities (CAs) will stop accepting requests for code signing certificates with lifespans longer than one year ahead of the March 1 deadline.

Here’s what to know when placing your certificate orders through TheSSLstore.com:

| | Sectigo and Comodo CA | DigiCert |
|---|---|---|
| When the Changes Take Effect | For orders placed after Feb. 15, 2026 (For orders placed by Feb. 15* and issued no later than Feb. 22**, one-, two-, and three-year certificates are available) | For orders placed after Feb. 18, 2026 (For orders placed by Feb. 18* and issued no later than Feb. 23**, one-, two-, and three-year certificates are available) |
| Products Available After the Change | One-year certificates (using any delivery method) (Two- and three-year certificate coverage plans will be available to customers who select the HSM delivery option. This method will require annual certificate reissuances.) | One-year certificates (using any delivery method) |

* Order your two- and three-year certificates prior to these dates to give each CA time to complete the required validation processes.

** Multi-year certificates issued after the CA’s specified issuance dates may be canceled and the payments refunded.

What These Changes Apply To

Per the guidance from the CA/B Forum’s ballot, these changes apply to every public code signing certificate issued on or after March 1, 2026. (This includes standard and extended validation [EV] code signing certificates.)

Existing code signing certificates are unaffected by these changes. Basically, if your certificate was issued before that date, then it’ll remain valid for its full lifespan (i.e., when it reaches its original expiration date), barring revocation.

If your certificate’s about to expire and you want to get a two- or three-year certificate, go ahead and do that now!  

We’ll get into all of that shortly… but first, let’s talk about how these changes will impact you or your organization.

What All of This Means for You

Historically, code signing certificate users had up to three years to use a single certificate (barring any revocations). Once these changes take effect:

  • All public code signing certificates will be limited to a maximum lifespan of one year.
  • All new DigiCert code signing certificates will be limited to one year of coverage.
  • Sectigo code signing certificates will be limited to one year, with the exception that customers who use hardware security modules (HSMs) can still purchase multi-year coverage for their certificates. However:
    • Every code signing certificate must be generated and stored on a Luna Network Attached HSM V7.x, YubiKey 5 FIPS Series token, or Google Cloud KMS (Cloud HSM).
    • Each certificate must be reissued every year.

So, what does this mean for your organization? If you want to get a two- or three-year code signing certificate, now’s the time to act.

Certificate Order vs Issuance Dates (An Important Distinction)

When ordering two- and three-year certificates: The following dates are when a code signing certificate must be issued by the CA, not when you place your order! Given the likely surge in code signing validation requests, it would be best to place your order ASAP to give your chosen CA sufficient time to complete the validation process and issue your certificate.

Not sure where to start? Get in touch with our support team.

Author

Casey Crane

Casey Crane is a regular contributor to and managing editor of Hashed Out. She has more than 15 years of experience in journalism and writing, including crime analysis and IT security. Casey also serves as the Content Manager at The SSL Store.