1. Maximum validity allowed by industry rules
Since September 1, 2020, all publicly trusted SSL/TLS certificates are subject to limits set by the CA/Browser Forum.
Publicly trusted SSL/TLS certificates
- Maximum validity: 398 days (approximately 13 months)
- This applies to all certificate types, regardless of validation level:
  - Domain Validation (DV)
  - Organization Validation (OV)
  - Extended Validation (EV)
- Certificates issued for longer periods (e.g. 2 or 3 years) are no longer allowed by browsers.
The 398-day limit covers:
- The full period between the certificate’s “Not Before” and “Not After” dates
- Reissued certificates, which must still comply with this limit
2. Validity by validation level
Domain Validation (DV)
- Maximum validity: up to 398 days
- Minimum validity: no formal minimum (can be days or weeks)
- Common real-world durations:
  - 90 days (e.g. Let’s Encrypt)
  - 1 year (398 days)
DV certificates only confirm control over the domain name. Validity length does not change the validation strength.
Organization Validation (OV)
- Maximum validity: up to 398 days
- Requires verification of:
  - Organization name
  - Physical address
  - Legal existence
- Organization data must be re-validated when the certificate is reissued
OV certificates issued before 2020 could last up to 2 years, but this is no longer permitted.
Extended Validation (EV)
- Maximum validity: up to 398 days
- Requires the most extensive identity checks:
  - Legal existence
  - Operational existence
  - Verified authority of the requester
- EV status does not allow longer validity than DV or OV
EV certificates must be fully revalidated on each renewal.
3. Special certificate categories
Wildcard SSL certificates
- Maximum validity: up to 398 days
- Can be DV or OV
- EV wildcard certificates are not allowed
- The wildcard nature does not affect the validity limit
Multi-Domain (SAN) certificates
- Maximum validity: up to 398 days
- Applies regardless of:
  - Number of domains
  - Mix of base domains and subdomains
- Adding or removing domains requires reissuance, still limited to 398 days
4. Short-lived certificates
Some Certificate Authorities issue certificates with intentionally shorter lifetimes:
Let’s Encrypt
- Validity: 90 days
- Short validity is a design choice, not a technical limitation
- Automatic renewal is expected
Other CAs may offer:
- 30-day certificates
- 60-day certificates
- Custom short-term certificates for testing or automation
5. Private and internal certificates
Private CA / Internal PKI certificates
- Validity: not restricted by browsers
- Common validity periods:
  - 1 year
  - 2 years
  - 5 years
  - 10 years (common for root certificates)
- Used in:
  - Internal networks
  - Corporate infrastructure
  - Development and testing environments
Browser trust rules do not apply unless the certificate is publicly trusted.
6. Root and intermediate CA certificates
These are not end-entity SSL certificates and have different lifetimes:
Root CA certificates
- Typical validity: 20–30 years
- Installed directly in browser and OS trust stores
Intermediate CA certificates
- Typical validity: 5–15 years
- Used to issue end-entity certificates
These certificates are governed by CA policy, not the 398-day rule.
7. Historical validity limits (for context)
| Period | Maximum validity |
|---|---|
| Before March 2018 | Up to 3–5 years |
| March 2018 – Aug 2020 | 825 days (~27 months) |
| Since Sept 2020 | 398 days |
Older certificates issued under previous rules may still appear in archives but cannot be newly issued today.
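
An added example, not part of the original page: a Python check that reads the output of `openssl x509 -noout -dates` and applies the limit in force on the issuance date from the table above, skipping the check for private-CA certificates as in section 5. It assumes `notBefore` is the issuance date and that "March 2018" means March 1; the function names and sample dates are constructed for illustration.

```python
import ssl
from datetime import datetime, timezone

# Cut-over dates and limits from the history table. The table gives only
# "March 2018" for the 825-day rule; the 1st of the month is assumed here.
LIMITS = [
    (datetime(2020, 9, 1, tzinfo=timezone.utc), 398),
    (datetime(2018, 3, 1, tzinfo=timezone.utc), 825),
]

def parse_dates(openssl_text):
    """Parse `openssl x509 -noout -dates` output into (not_before, not_after)."""
    lines = openssl_text.strip().splitlines()
    fields = dict(line.strip().split("=", 1) for line in lines)
    def to_dt(value):
        # ssl.cert_time_to_seconds understands the "Jan  5 09:34:43 2018 GMT" form
        return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)
    return to_dt(fields["notBefore"]), to_dt(fields["notAfter"])

def max_days_for(not_before):
    """Limit in force on the issuance date, or None when no single number applies."""
    for cutoff, days in LIMITS:
        if not_before >= cutoff:
            return days
    return None  # before March 2018 the table lists "up to 3-5 years"

def check_validity(openssl_text, publicly_trusted=True):
    not_before, not_after = parse_dates(openssl_text)
    # Both endpoints count toward the period, so the final second is added.
    seconds = (not_after - not_before).total_seconds() + 1
    limit = max_days_for(not_before) if publicly_trusted else None
    compliant = limit is None or seconds <= limit * 86400
    return {"days": seconds / 86400, "limit": limit, "compliant": compliant}

# Constructed sample dates, not taken from real certificates.
SAMPLES = {
    "398 days exactly": "notBefore=Jan  1 00:00:00 2024 GMT\nnotAfter=Feb  1 23:59:59 2025 GMT",
    "one second over": "notBefore=Jan  1 00:00:00 2024 GMT\nnotAfter=Feb  2 00:00:00 2025 GMT",
    "2-year, issued 2019": "notBefore=Jun  1 00:00:00 2019 GMT\nnotAfter=Jun  1 00:00:00 2021 GMT",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, check_validity(text))
```

The second sample shows the boundary case: a `notAfter` that lands on the next midnight pushes the period one second past 398 days, so certificates meant to sit at the limit usually end at 23:59:59.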