Certificate Validity Period and Renewal

Understand SSL certificate validity periods, why the industry shortened maximum lifetimes, and how to plan certificate renewals to avoid expiration-related outages and service disruptions.

Detailed Explanation

Certificate Validity Periods

Every SSL/TLS certificate has a defined validity period — the window between the Not Before and Not After timestamps in the X.509 Validity field. Outside this window, the certificate is rejected by all standards-compliant TLS implementations.

Current Maximum Lifetimes

The CA/Browser Forum has progressively shortened the maximum certificate lifetime:

Year               Maximum Validity
-----------------  ----------------------------
Before 2015        5 years (60 months)
2015               39 months
2018               825 days (~27 months)
September 2020     398 days (~13 months)
Proposed (2025+)   90 days (under discussion)

Let's Encrypt already issues certificates with 90-day lifetimes, setting the de facto standard for automated certificate management.

Why Shorter Lifetimes?

Shorter validity periods improve security in several ways:

Faster key rotation — if a private key is compromised, the window of exposure is limited to the certificate's remaining lifetime. With 398-day certificates, the maximum exposure is just over a year.

Reduced revocation dependence — CRL and OCSP (the mechanisms clients use to check whether a certificate has been revoked) have known reliability issues. Shorter lifetimes mean certificates naturally expire quickly even if revocation checking fails.

Stronger algorithms — shorter lifetimes allow the ecosystem to adopt new cryptographic algorithms faster. When certificates expire every 90 days, the transition period for deprecating weak algorithms is months instead of years.

Planning Certificate Renewal

A robust renewal strategy should account for:

  1. Renewal window — most CAs allow renewal 30 days before expiry without losing validity time
  2. Propagation time — after renewal, the new certificate must be deployed to all servers
  3. Testing — verify the new certificate before deploying to production
  4. Monitoring — automated alerts at 30, 14, 7, and 1 day before expiry

Automated Certificate Management

The ACME protocol (Automatic Certificate Management Environment), used by Let's Encrypt and other CAs, automates the entire lifecycle:

# Certbot automatic renewal
certbot renew --deploy-hook "systemctl reload nginx"

# Check renewal timer
systemctl status certbot.timer

ACME clients handle certificate issuance, validation, installation, and renewal without manual intervention. This is the recommended approach for all environments.

Common Renewal Failures

  • DNS propagation delays — DNS-01 challenges fail if TXT records have not propagated
  • Firewall rules — HTTP-01 challenges require port 80 to be accessible
  • Stale configurations — server configs pointing to old certificate paths after renewal
  • Permission issues — the renewal process does not have write access to the certificate directory
  • Rate limits — Let's Encrypt enforces rate limits (50 certificates per registered domain per week), so repeated failed deployments that re-request certificates can lock you out of issuance

Certificate Lifetime in Decoded Output

Validity
    Not Before: Jan 15 00:00:00 2024 GMT
    Not After : Jan 14 23:59:59 2025 GMT

Calculate the remaining validity: compare Not After against the current date, using UTC, since the decoded timestamps are in GMT. Any certificate with less than 30 days remaining should be prioritized for renewal.
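The remaining-validity check and the 30/14/7/1-day alert thresholds from the renewal plan above, as an added monitoring script that is not part of the original page: it parses a decoded Validity block in the openssl text format shown, computes days remaining, flags the 398-day lifetime cap, and reports the tightest alert threshold crossed. The sample Validity block is constructed; the function names are this example's own.

```python
import math
import re
from datetime import datetime, timezone
# Constructed sample in the format of the decoded Validity block shown above.
SAMPLE_VALIDITY = """Validity
    Not Before: Jan 15 00:00:00 2024 GMT
    Not After : Jan 14 23:59:59 2025 GMT
"""
ALERT_THRESHOLDS = (1, 7, 14, 30)  # days before expiry, tightest first
MAX_LIFETIME_DAYS = 398            # CA/Browser Forum maximum since September 2020
_STAMP_RE = re.compile(r"Not (Before|After)\s*:\s*(.+?)\s*$", re.MULTILINE)
def parse_stamp(stamp):
    """Parse an openssl timestamp such as 'Jan 14 23:59:59 2025 GMT' to aware UTC."""
    # openssl pads single-digit days with a space ("Jan  5 ..."); collapse it.
    naive = datetime.strptime(" ".join(stamp.split()), "%b %d %H:%M:%S %Y GMT")
    return naive.replace(tzinfo=timezone.utc)

def parse_validity(text):
    """Return (not_before, not_after) from a decoded Validity block."""
    found = {label: parse_stamp(stamp) for label, stamp in _STAMP_RE.findall(text)}
    if "Before" not in found or "After" not in found:
        raise ValueError("Validity block lacks Not Before and/or Not After")
    return found["Before"], found["After"]

def lifetime_days(not_before, not_after):
    # Issued lifetime, rounded up: Not After is inclusive to the second.
    return math.ceil((not_after - not_before).total_seconds() / 86400)

def alert_level(not_after, now):
    """Tightest alert threshold crossed, 'expired', or None if no alert is due."""
    remaining = (not_after - now).days  # negative once the certificate has expired
    if remaining < 0:
        return "expired"
    for threshold in ALERT_THRESHOLDS:
        if remaining <= threshold:
            return threshold
    return None

def renewal_report(text, now):
    """Summarise one decoded Validity block for a monitoring job."""
    not_before, not_after = parse_validity(text)
    lifetime = lifetime_days(not_before, not_after)
    remaining = (not_after - now).days
    return {
        "lifetime_days": lifetime,
        "exceeds_max_lifetime": lifetime > MAX_LIFETIME_DAYS,
        "days_remaining": remaining,
        "renew_now": remaining < 30,  # page rule: under 30 days left -> prioritise
        "alert": alert_level(not_after, now),
    }
```

Feed it the output of `openssl x509 -in cert.pem -noout -dates` (same Not Before / Not After lines) and `datetime.now(timezone.utc)` to check a live certificate.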

Use Case

Plan and automate SSL certificate renewals to prevent expiration-related outages. Monitor certificate validity periods across your infrastructure and set up alerts before certificates expire.
