SSL Compliance Deadlines in 2025-2026: What You Need to Know

The SSL/TLS landscape is shifting faster than it has in years. Between the CA/Browser Forum's vote to slash certificate lifetimes to 47 days, mandatory multi-perspective validation checks, and PCI DSS 4.0 enforcement, organizations face a dense calendar of compliance deadlines through 2026 and beyond.

Missing any of these can mean browser warnings for your users, failed compliance audits, or outright connection failures. This post lays out every deadline you need to track, what each one requires, and how to stay ahead of them.

The Big Picture: What Changed and Why

The core theme across all of these changes is the same: shorter-lived certificates, stronger validation, and the elimination of legacy protocols. Certificate authorities, browser vendors, and payment card regulators are all moving in the same direction --- reducing the window of exposure when a certificate is compromised or misconfigured.

For operations teams, this means automation is no longer optional. Manual certificate management that worked with 398-day lifetimes will collapse under 200-day, 100-day, and eventually 47-day renewal cycles.

Completed Deadlines (Already in Effect)

These deadlines have already passed. If you have not addressed them, you are already out of compliance.

CAA Checking Enforcement (September 2017)

What it is: CA/Browser Forum Ballot 187 made Certificate Authority Authorization (CAA) DNS record checking mandatory for all publicly trusted certificate authorities. Before issuing a certificate, CAs must check your domain's CAA records to verify they are authorized to issue for that domain.

Who it affects: Every organization with publicly trusted SSL/TLS certificates.

What to do now: If you have not published CAA records for your domains, do it. CAA records let you restrict which CAs can issue certificates for your domain, which is a straightforward defense against unauthorized issuance. Add a DNS record like example.com. IN CAA 0 issue "letsencrypt.org" for each CA you use.
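
Publishing a record is only half of it; the other half is knowing how a CA will read the set you published. The following is an added example, not code from this post: it parses CAA records in the text form that dig example.com CAA +short prints and applies the RFC 8659 decision rules (issuewild falling back to issue, ";" meaning nobody, and an unrecognised critical-flag record forbidding issuance). It assumes the lines you pass are the relevant RRset for the name; the parent-name walk RFC 8659 performs when a name has no CAA records is not shown.

```python
"""Evaluate a CAA record set the way RFC 8659 tells a CA to: is `ca` allowed to
issue for this name? Added example, not code from the post. Input is the text
that `dig example.com CAA +short` prints, e.g. 0 issue "letsencrypt.org".
Assumption: the lines given are the relevant RRset for the name (RFC 8659 climbs
to parent names when a name has no CAA records; that walk is not shown here)."""
import re
from dataclasses import dataclass

_LINE = re.compile(r'^\s*(\d+)\s+(\S+)\s+"([^"]*)"\s*$')
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

@dataclass(frozen=True)
class CAA:
    flags: int   # bit 128 = issuer critical
    tag: str
    value: str

def parse_caa(text: str) -> list:
    """Parse dig +short style lines into CAA records (blank lines ignored)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unparseable CAA line: {line!r}")
        records.append(CAA(int(m.group(1)), m.group(2).lower(), m.group(3)))
    return records

def may_issue(records: list, ca: str, wildcard: bool = False) -> bool:
    """True if the CA identified by `ca` (e.g. 'letsencrypt.org') may issue."""
    # A critical record with a tag the CA does not understand forbids issuance outright.
    if any(r.flags & 128 and r.tag not in KNOWN_TAGS for r in records):
        return False
    # Wildcard names use issuewild if any is present, otherwise fall back to issue.
    tag = "issuewild" if wildcard and any(r.tag == "issuewild" for r in records) else "issue"
    relevant = [r for r in records if r.tag == tag]
    if not relevant:
        return True  # no policy for this case (no records, or only iodef): unrestricted
    for r in relevant:
        # value is '<issuer-domain>[; key=value ...]'; a bare ';' means "nobody"
        issuer = r.value.split(";", 1)[0].strip().lower()
        if issuer and issuer == ca.lower():
            return True
    return False
```

Run it against your own dig output for each CA you expect to use, and again with wildcard=True if you issue wildcard certificates; a False where you expected True is exactly the surprise that turns into a failed renewal.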

PCI DSS 4.0 Full Enforcement (March 31, 2025)

What it is: PCI DSS version 4.0.1 requirements became mandatory on March 31, 2025. The "future-dated" requirements that were previously best-practice recommendations are now required for compliance. For TLS specifically, PCI DSS 4.0 Requirement 4 mandates TLS 1.2 or higher for transmitting cardholder data over public networks. Organizations must also document and inventory all SSL/TLS certificates in use, maintain a list of cryptographic cipher suites and protocols with their locations, and have a documented plan for addressing cryptographic vulnerabilities.

Who it affects: Any organization that processes, stores, or transmits payment card data.

What to do now: Confirm that no system in your cardholder data environment supports TLS 1.0 or 1.1. Document your certificate inventory and cipher suite configurations. If you have not already passed a PCI DSS 4.0 assessment, this is overdue.

MPIC Soft Enforcement (March 15, 2025)

What it is: CA/Browser Forum Ballot SC-067v3 introduced Multi-Perspective Issuance Corroboration (MPIC), requiring certificate authorities to perform domain validation and CAA checks from multiple geographically distinct network vantage points. As of March 15, 2025, CAs were required to begin performing MPIC checks in a monitoring/reporting mode. Certificate issuance was not blocked during this phase, but CAs began logging corroboration results.

Who it affects: Certificate authorities directly, but site operators indirectly --- if your DNS or BGP configuration has issues visible from some network perspectives but not others, this surfaces those problems.

Upcoming Deadlines

MPIC Hard Enforcement --- September 15, 2025

What it is: The "hard block" date for MPIC. Starting September 15, 2025, certificate authorities must refuse to issue certificates if multi-perspective validation checks fail to corroborate the primary Domain Control Validation (DCV) or CAA records. At least five remote perspectives must succeed. Some CAs, including Sectigo, began enforcement slightly ahead of this date.

Who it affects: Anyone requesting new or renewed SSL/TLS certificates. If your domain validation responses are inconsistent across geographic regions --- due to split-horizon DNS, BGP routing anomalies, or CDN misconfigurations --- certificate issuance could fail.

What to do:

  • Test your domain validation from multiple regions before your next certificate renewal
  • Ensure DNS responses are consistent globally
  • Review your CAA records for accuracy
  • If you use split-horizon DNS, confirm that validation challenges resolve correctly from external perspectives
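
One way to do the first two checks from your own machine, as an added example that is not part of the post: query the records a CA looks at (A/AAAA for HTTP-01, _acme-challenge TXT for DNS-01, CAA for authorization) through several public recursive resolvers and report any resolver whose answer differs from the majority. It assumes the dig binary is installed and uses 1.1.1.1, 8.8.8.8 and 9.9.9.9 as stand-ins for MPIC perspectives; this is an approximation, since anycast resolvers and caching can hide differences a CA's own vantage points would see.

```python
"""Compare what several public recursive resolvers return for the records a CA
checks during issuance. Added example, not the post's own code. Assumes `dig`
is installed; 1.1.1.1, 8.8.8.8 and 9.9.9.9 stand in for MPIC perspectives
(an approximation: anycast resolvers and caching can mask differences that a
CA's own network vantage points would see)."""
import subprocess
from collections import Counter

RESOLVERS = {"cloudflare": "1.1.1.1", "google": "8.8.8.8", "quad9": "9.9.9.9"}

def query(name: str, rtype: str, resolver: str) -> frozenset:
    """Run dig against one resolver and return the answer lines as a set."""
    out = subprocess.run(
        ["dig", f"@{resolver}", name, rtype, "+short", "+time=3", "+tries=1"],
        capture_output=True, text=True, check=True,
    ).stdout
    return frozenset(line.strip() for line in out.splitlines() if line.strip())

def compare_views(views: dict) -> dict:
    """Given {perspective: frozenset of answers}, find the perspectives that disagree.

    The answer set returned by the most perspectives is the reference; a perspective
    returning anything else is the inconsistency MPIC would refuse to corroborate
    (split-horizon DNS, a stale record on one authoritative server, a hijacked route)."""
    if not views:
        raise ValueError("no perspectives to compare")
    reference = Counter(views.values()).most_common(1)[0][0]
    disagreeing = {
        p: {"missing": sorted(reference - v), "extra": sorted(v - reference)}
        for p, v in views.items() if v != reference
    }
    return {"consistent": not disagreeing, "reference": sorted(reference), "disagreeing": disagreeing}

def check_domain(name: str, rtypes=("A", "CAA")) -> dict:
    """Query each record type from every resolver and compare the views; pass
    '_acme-challenge.<domain>' with rtypes=('TXT',) to check a DNS-01 challenge."""
    return {rt: compare_views({p: query(name, rt, ip) for p, ip in RESOLVERS.items()})
            for rt in rtypes}

if __name__ == "__main__":
    import json, sys
    print(json.dumps(check_domain(sys.argv[1] if len(sys.argv) > 1 else "example.com"), indent=2))
```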

Certificate Maximum Validity Drops to 200 Days --- March 15, 2026

What it is: The first phase of CA/Browser Forum Ballot SC-081v3, which passed in April 2025 with unanimous support from Apple, Google, Mozilla, and Microsoft. This ballot, originally proposed by Apple, sets a phased reduction schedule for TLS certificate lifetimes. On March 15, 2026, the maximum certificate validity drops from 398 days to 200 days. The Domain Control Validation (DCV) reuse period also drops to 200 days. For OV and EV certificates, Subject Identity Information (SII) reuse drops from 825 days to 398 days.

Who it affects: Every organization with publicly trusted TLS certificates. This is the most operationally significant change in the near term.

What to do:

  • Audit your current certificate inventory and note expiration dates
  • Any certificate issued after this date cannot be valid for more than 200 days
  • If you are not already using automated certificate management (ACME protocol, for example), start planning the migration now
  • Update any internal processes that assume annual certificate renewals
  • A 200-day maximum effectively means a six-month renewal cadence

DNSSEC Validation for CAA Lookups --- March 15, 2026

What it is: Also from Ballot SC-067v3, certificate authorities must deploy DNSSEC validation back to the IANA root trust anchor on all DNS queries associated with CAA record lookups performed by the primary network perspective. This strengthens the integrity of CAA checks by preventing DNS spoofing attacks during the issuance process.

Who it affects: Organizations whose domains use DNSSEC. If your DNSSEC configuration is broken or has expired signatures, CAA lookups may fail, which could block certificate issuance.

What to do:

  • If you use DNSSEC, verify your signatures are valid and your chain of trust is intact
  • Use dig +dnssec example.com to check your DNSSEC status
  • Monitor for DNSSEC signature expiration --- these can silently break and cause certificate renewal failures

Certificate Maximum Validity Drops to 100 Days --- March 15, 2027

What it is: The second phase of SC-081v3. Maximum TLS certificate validity drops to 100 days. DCV reuse also drops to 100 days. This moves the renewal cadence to approximately every three months.

Who it affects: Everyone with publicly trusted certificates.

What to do:

  • Automated certificate management is effectively mandatory at this point
  • Ensure your ACME client or certificate automation platform handles renewals reliably
  • Test your automation under failure conditions --- what happens when a renewal fails? Do you get alerted?

Certificate Maximum Validity Drops to 47 Days --- March 15, 2029

What it is: The final phase of SC-081v3. Maximum certificate validity drops to 47 days, and DCV reuse drops to just 10 days. This means certificates must be renewed approximately monthly, and domain ownership must be re-validated with nearly every issuance.

Who it affects: Everyone. This is the endgame of the Apple/Google push for shorter certificate lifetimes.

What to do:

  • This is three years away, but it requires infrastructure changes that take time to implement
  • Organizations should be running fully automated certificate lifecycle management well before this date
  • Legacy systems that cannot support automated renewal will need to be upgraded or isolated
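
To turn the three phases above into a check you can run against the certificates you actually have, here is an added example (not the post's own code) that reads the notBefore/notAfter lines printed by openssl x509 -noout -dates, finds the cap in force on the issuance date, reports whether the lifetime fits, and computes a renewal date at a configurable fraction of the lifetime. The phase dates and day caps are the ones listed in this post; measuring the lifetime as notAfter minus notBefore and keying the cap on the notBefore date are this example's assumptions.

```python
"""Check a certificate's validity window against the SC-081 phases listed in this post
(added example, not the post's own code). Input is the text that
`openssl x509 -noout -dates` prints, e.g. notBefore=Mar 20 12:00:00 2026 GMT.
Assumption: lifetime is measured as notAfter minus notBefore in days, and the cap
that applies is the one in force on the notBefore date."""
from datetime import datetime, timedelta, timezone

# (phase start, max certificate lifetime in days, max DCV reuse in days), from the post
SC081_SCHEDULE = [
    (datetime(2026, 3, 15, tzinfo=timezone.utc), 200, 200),
    (datetime(2027, 3, 15, tzinfo=timezone.utc), 100, 100),
    (datetime(2029, 3, 15, tzinfo=timezone.utc), 47, 10),
]
LEGACY_LIMITS = (398, 398)  # in force before the first phase

def limits_on(issued: datetime) -> tuple:
    """Return (max lifetime, max DCV reuse) in days for a certificate issued at `issued`."""
    limits = LEGACY_LIMITS
    for start, max_days, dcv_days in SC081_SCHEDULE:
        if issued >= start:
            limits = (max_days, dcv_days)
    return limits

def parse_openssl_dates(text: str) -> tuple:
    """Parse the notBefore=/notAfter= lines; openssl pads single-digit days ('Oct  6')."""
    found = {}
    for line in text.splitlines():
        key, _, value = line.strip().partition("=")
        if key in ("notBefore", "notAfter"):
            stamp = datetime.strptime(" ".join(value.split()), "%b %d %H:%M:%S %Y %Z")
            found[key] = stamp.replace(tzinfo=timezone.utc)
    if set(found) != {"notBefore", "notAfter"}:
        raise ValueError("expected both notBefore= and notAfter= lines")
    return found["notBefore"], found["notAfter"]

def check_certificate(dates_text: str, renew_at: float = 2 / 3) -> dict:
    """Report the lifetime, the cap in force at issuance, and when to renew."""
    not_before, not_after = parse_openssl_dates(dates_text)
    lifetime = not_after - not_before
    max_days, dcv_days = limits_on(not_before)
    return {
        "lifetime_days": lifetime / timedelta(days=1),
        "max_allowed_days": max_days,
        "dcv_reuse_days": dcv_days,
        "compliant": lifetime <= timedelta(days=max_days),
        # renew once this fraction of the lifetime has elapsed, as ACME clients typically do
        "renew_by": not_before + lifetime * renew_at,
    }
```

Feed it the -dates output for every certificate in your inventory and sort by renew_by: under the 47-day cap a two-thirds renewal point is about day 31, which is the window your automation and alerting have to hit.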

TLS 1.0/1.1: The Deprecation That Will Not End

Major browsers disabled TLS 1.0 and 1.1 by default starting in 2020. However, the server side of the equation is still catching up. Throughout 2025 and into 2026, major cloud and SaaS providers are removing TLS 1.0/1.1 support entirely:

  • Microsoft Azure: Rejected TLS 1.0/1.1 connections for new storage accounts as of November 1, 2025; global enforcement across all Azure Blob Storage endpoints as of February 3, 2026
  • Various SaaS platforms: Wasabi, Splashtop, Chef, Octopus, and others all dropped TLS 1.0/1.1 support through late 2025

If your servers or API endpoints still negotiate TLS 1.0 or 1.1, you face compliance violations under PCI DSS, potential issues with HIPAA and GDPR requirements, and connection failures as upstream providers refuse legacy handshakes.

Check your server configuration:

# Test if your server still accepts TLS 1.0
openssl s_client -connect example.com:443 -servername example.com -tls1 </dev/null

# Test if your server still accepts TLS 1.1
openssl s_client -connect example.com:443 -servername example.com -tls1_1 </dev/null

# Note: OpenSSL 3.x refuses TLS 1.0/1.1 on the client side at its default security level,
# so these commands fail even against a server that still offers them (a false "not supported").
# Add -cipher 'DEFAULT:@SECLEVEL=0' to the commands above to actually exercise the server.

# If either connects successfully (the output shows "Protocol  : TLSv1" or "TLSv1.1" and a
# real cipher instead of "Cipher is (NONE)"), you need to disable them

How to Check Your Compliance

Use these tools and commands to audit your current SSL/TLS posture.

SSL Labs (Qualys): Visit ssllabs.com/ssltest for a comprehensive report covering protocol support, certificate chain validity, cipher suites, and known vulnerabilities. Aim for an A or A+ rating.

OpenSSL from the command line:

# View the leaf certificate in full (add -showcerts to s_client to dump the whole chain)
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -text -noout

# Check certificate expiration date
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -dates

# Check which TLS versions are supported. A completed handshake prints
# "New, TLSv1.3, Cipher is ..."; a refused one prints "New, (NONE), Cipher is (NONE)".
# (Do not key on "Secure Renegotiation": that line is printed either way.)
# On OpenSSL 3.x add -cipher 'DEFAULT:@SECLEVEL=0' or the client itself refuses tls1/tls1_1.
for version in tls1 tls1_1 tls1_2 tls1_3; do
  echo -n "$version: "
  if openssl s_client -connect example.com:443 -servername example.com -$version </dev/null 2>/dev/null \
      | grep "^New, " | grep -qv "(NONE)"; then
    echo "supported"
  else
    echo "not supported"
  fi
done

Check CAA records:

dig example.com CAA +short

Check DNSSEC:

# A signed zone returns RRSIG records with the answer; the "ad" flag in the header means your resolver validated the chain
dig example.com A +dnssec

What Happens If You Miss a Deadline

The consequences vary by deadline, but none of them are theoretical:

  • Expired or soon-to-expire certificates: Browsers display full-page warnings that most users will not click through. Chrome, Firefox, and Safari all block access by default for expired certificates. This directly translates to lost traffic and lost revenue.
  • TLS 1.0/1.1 still enabled: Compliance audit failures for PCI DSS. Connection failures when upstream providers drop support. Security scanners will flag your endpoints.
  • MPIC failures: Your CA will not issue or renew your certificate. If you discover this at the last minute, you may face a gap in certificate coverage --- meaning downtime.
  • Missing the 200-day validity transition: Certificates issued under the old 398-day maximum will still be honored until they expire. But new certificates issued after March 15, 2026, cannot exceed 200 days. If your processes are not updated, you will be caught off guard when your CA shortens your certificate's validity.

How Monitoring Prevents Compliance Surprises

The common thread across all these deadlines is that problems are silent until they cause an outage or a failed audit. Your certificate might be expiring in three days, your TLS 1.0 configuration might still be active on a forgotten endpoint, or your DNSSEC signatures might have lapsed --- and you will not know until something breaks.

This is where SSL monitoring earns its keep. Continuous monitoring catches:

  • Certificates approaching expiration before they expire, giving your team time to renew
  • Protocol misconfigurations like TLS 1.0/1.1 still being served on endpoints you thought were updated
  • Certificate chain issues such as missing intermediates or untrusted roots
  • Configuration drift when a deployment reverts a TLS configuration to an older, non-compliant state

Alert24 includes SSL monitoring as part of its uptime checks. Every endpoint you monitor is checked for certificate validity, expiration dates, and chain integrity. When a certificate is approaching expiration or a misconfiguration is detected, you get alerted through your configured notification channels --- Slack, email, SMS, or PagerDuty --- before your users see a browser warning.

Combined with Alert24's on-call scheduling, those alerts reach the right person at the right time. No more finding out about an expired certificate from a customer support ticket.

Action Items Checklist by Deadline

Now (already overdue if not done):

  • Publish CAA DNS records for all your domains
  • Confirm no endpoints serve TLS 1.0 or 1.1
  • Complete PCI DSS 4.0 compliance assessment if you handle payment card data
  • Inventory all SSL/TLS certificates and their expiration dates
  • Set up SSL monitoring for all public-facing endpoints

Before September 15, 2025 (MPIC hard enforcement):

  • Test domain validation from multiple geographic regions
  • Fix any split-horizon DNS or BGP inconsistencies
  • Verify CAA records are accurate and consistent
  • Ensure your certificate renewal process can handle validation from multiple perspectives

Before March 15, 2026 (200-day maximum validity):

  • Implement automated certificate management (ACME or equivalent)
  • Update internal processes to handle six-month renewal cycles
  • Validate DNSSEC configuration if deployed
  • Test automated renewal end-to-end, including failure alerting
  • Update OV/EV certificate workflows for shortened SII reuse (398 days, down from 825)

Before March 15, 2027 (100-day maximum validity):

  • Confirm automation handles three-month renewal cycles reliably
  • Load-test your renewal infrastructure for increased frequency
  • Ensure monitoring covers all certificates, including those on internal and staging environments

Before March 15, 2029 (47-day maximum validity):

  • Full certificate lifecycle automation with no manual steps
  • Alerting and escalation for any failed renewals
  • Legacy systems upgraded or migrated to support automated renewal

Stay Ahead of the Calendar

The shift to shorter certificate lifetimes and stronger validation is not a single event --- it is a multi-year transition that has already started. Each deadline builds on the last, and the organizations that invest in automation and monitoring now will handle each phase without incident.

Alert24 gives you visibility into your SSL/TLS posture across every endpoint you operate. Set up monitoring once, and you will know about expiring certificates, misconfigurations, and compliance gaps before they become outages.

Start monitoring your SSL certificates with Alert24 --- free tier available, no credit card required.