¶ºÒõ¹Ý

TheÌýCA/Browser ForumÌýhas approved a new ballot that reduces the maximum validity period for publicly trustedÌýcode-signing certificatesÌýfrom 39 months (roughly threeÌýyears) to 460 days (about 15 months). This change will take effect March 1, 2026, andÌýrepresentsÌýthe industry’s continued effort toÌýencourage automation andÌýstrengthenÌýsoftwareÌýsupply chain securityÌý(SSC).

For organizations that rely on code signing to prove the authenticity and integrity of their software, this change raises important operational questions: What does it mean for us? Who will this update impact most? AndÌýperhaps mostÌýimportantly, whatÌýshould we do to prepare?

From TLS to code signing: The shift to shorter validity

The Certificate Authority/Browser Forum (CA/BF)—the body ofÌýcertificate authorities, browser vendors, and platform providers that define the rules of trusted certificates—regularlyÌýreviewsÌýstandardsÌýregardingÌýdigital certificates. Shorter validity periods ensure that cryptographic material is rotated moreÌýfrequently, reducing exposure if a private key is ever compromised.

More frequent renewals also help organizations keep keys current,Ìýcomply withÌýmodern standards, and adopt stronger controls for how and where private keys are stored and used. They provide a natural cadence for assessing cryptographic readiness and planning future transitions to stronger orÌýquantum-safe algorithms.

In recent years,Ìýwe’veÌýseenÌýTLS/SSL certificate lifetimes drop down toÌý398 days.ÌýThey’llÌýdrop again toÌý200 daysÌýin March 2026 and 100 the following year beforeÌýplummeting toÌý47 daysÌýin 2029.Ìý

NowÌýit’sÌýcode signing’s turn.ÌýThe new 460-day limitÌýaligns code signingÌýwith thisÌýshort-lived certificateÌýmodel—a model designed to minimize risk through regular key rotation and faster adoption of stronger security practices. The changeÌýalso reflects the reality that software and signing environments change much faster
than they used to.

Who will be affected?

Every organization that signs code with a publicly trusted certificate will beÌýimpactedÌýby the new 460-day limit. The level of disruption dependsÌýlargely onÌýhow you manage your private keys andÌýsigningÌýworkflows.

Hardware-token users

Organizations that store private keys onÌýtheÌýFederal Information Processing Standard (FIPS)Ìý´Ç°ù Common Criteria-compliant hardware tokens (e.g., USB tokens) will face the most operational change. Certificates—and potentially the tokens themselves—must be replaced every 15 months after March 1, 2026. Many teams currentlyÌýprocureÌýmulti-year tokens and renew less often; that renewal cycle will now need
to shorten considerably.

Customers using cloud-based signing services

Those who sign code through a managed signing platform like ¶Ù¾±²µ¾±°ä±ð°ù³Ù®Ìý°­±ð²â³¢´Ç³¦°ì±ð°ùÌý´Ç°ù ³§´Ç´Ú³Ù·É²¹°ù±ðÌý°Õ°ù³Ü²õ³ÙÌý²Ñ²¹²Ô²¹²µ±ð°ùÌýwill experience minimal disruption.ÌýBecauseÌýthese services alreadyÌýautomate certificate renewalÌýand key rotation in secure environments, the shorter lifetime should beÌýnearly
invisibleÌýto users.

Developers with legacy build systems

Older CI/CD pipelines that rely on manual processes or static certificates will require updates. These environments can be complex to modernize, but this change creates a clear incentive to automate and integrate with modern signing APIs, reducing future maintenance overhead and risks.

What this means for customers

The most immediate takeaway is that code-signing certificate renewals will happen more often. While this might seem like extra work,Ìýit’sÌýultimately aÌýpositive move toward resilience and security.

Customers should expect:

• An annual renewalÌýcadence:ÌýBuild your internal calendar around a 12-month cycle so you can budget and schedule renewalsÌýbefore certificates expire.

• More frequent hardwareÌýupdates:ÌýIf you use tokens, work with your security team to evaluate whether a cloud-based signing service could simplify management.

• An increased focus onÌýautomation:ÌýManual certificate management is unsustainable as lifetimes shrink. Automation reduces the risk of outages and enables seamless rotation.

• Tighter alignment with SSC best practices:ÌýFrequent renewals reinforce controls that protect against malware injection and tampering.

How to prepareÌýfor shorter code-signing certificate lifetimes

This change offers an opportunity to modernize your signing infrastructure—not just to stay compliant, but to improve security and efficiency. Here are key actions to take as you prepare for the new 15-month validity period.Ìý

1. Inventory your current certificates and renewalÌýdates.ÌýKnow what you have, whereÌýit’sÌýused, and when it expires. Visibility is the first step toward avoiding unexpected interruptions.
2. Evaluate your key storageÌýmethod.ÌýIf you still rely on physical tokens,Ìýstart exploringÌýcloud-based or managed signing solutions. These servicesÌýeliminateÌýtokenÌýlogisticsÌýand enable automated renewals under the new rules.Ìý
3. Automate renewal and signingÌýworkflows.ÌýIntegrate certificate issuance and rotation into your build pipelines using theÌýAutomated Certificate Management Environment (ACME) protocolÌý´Ç°ù ¶ºÒõ¹Ý APIs. Automation ensures continuity and reduces human error.
4. Update documentation andÌýpolicies.ÌýRevise internal security and operations policies to reflect the 15-month maximum validity. Clearly define ownership for certificate renewal, key rotation, and revocation.Ìý
5. Engage with your CAÌýearly.ÌýYour certificateÌýauthorityÌýcan help you plan the transition, recommend automation strategies, and ensure your environment meets the new standards well before enforcement begins.
   Ìý

Embracing the next phase of digital trust

The move to 460-day certificatesÌýisn’tÌýa disruption—it’sÌýprogress. It continues the industry’s ongoing evolution toward shorter lifespans that strengthen security, encourage automation, and reduce risk.

By March 2026, organizations that embrace automated, cloud-based signing services will adaptÌýalmost effortlessly, while those relying on manual or legacy processes may struggle with constant renewals and operational friction.

Now’s the time to modernize your approach to code signing—not simply to meet new requirements, but to reinforce the integrity of every release.Ìý

Ready to take the next step?ÌýConnect with an expertÌýtoÌýlearn how ¶ºÒõ¹Ý Software Trust Manager can help you simplify renewals, secure keys, and modernize your signing workflows beforeÌýthe 460-dayÌýtransition takes effect.