No, you cannot get a publicly trusted SSL/TLS certificate valid for more than 1 year anymore.
Here’s why and the current situation:
1. Maximum Validity Rules
- Industry rules set by the CA/Browser Forum limit the maximum lifespan of publicly trusted certificates.
- Currently, the maximum validity for new certificates is 398 days (roughly 13 months).
- By 2029, this maximum will be reduced to 47 days.
This applies to all publicly trusted Certificate Authorities (Let’s Encrypt, DigiCert, GlobalSign, etc.).
2. Why Multi-Year Certificates Are No Longer Allowed
- Security concerns:
  - Long-lived certificates increase risk if the private key is compromised.
  - Shorter lifespans reduce the impact of stolen or misissued certificates.
- Cryptography upgrades:
  - Short-lived certificates allow faster adoption of stronger algorithms.
- Revocation reliability:
  - Revocation mechanisms (CRL, OCSP) are often unreliable. Shorter lifespans reduce dependence on revocation.
- Automation push:
  - Encourages automated certificate issuance and renewal to prevent human error.
3. Workarounds for Long-Term Security
While you cannot get a public certificate valid for more than 1 year, there are some alternatives:
- Cloudflare Origin Certificates
  - Valid up to 15 years, but only trusted by Cloudflare, not browsers.
  - Works if your site is always behind Cloudflare and uses Full (Strict) SSL.
- Private/internal certificates
  - Organizations can issue their own certificates for internal use with longer validity.
  - Not trusted by public browsers.
- Automated renewal
  - Use Let’s Encrypt or other ACME-compatible CAs to issue certificates that automatically renew every 60–90 days.
  - Ensures the site is always secure without manual intervention.
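To make the lifetime rule and the renewal advice above concrete, here is an added example (not part of the original answer) that reads the `notBefore`/`notAfter` lines printed by `openssl x509 -noout -dates -in cert.pem`, checks the certificate's lifetime against the 398-day ceiling, and decides whether an automated renewal should already have fired. The renew-at-two-thirds-of-lifetime policy (day 60 of a 90-day certificate) and the sample dates are this example's own assumptions.

```python
"""Audit certificate validity periods against the public-CA lifetime ceiling
and decide when automated renewal should fire. Input is the text that
`openssl x509 -noout -dates -in cert.pem` prints."""
from datetime import datetime, timezone

MAX_PUBLIC_LIFETIME_DAYS = 398      # current CA/Browser Forum ceiling (47 days by 2029)
RENEW_AT_FRACTION = 2 / 3           # assumed policy: renew at 2/3 of the lifetime,
                                    # i.e. day 60 of a 90-day ACME certificate
OPENSSL_DATE_FMT = "%b %d %H:%M:%S %Y GMT"   # e.g. "Mar  1 00:00:00 2025 GMT"


def parse_openssl_dates(dates_text):
    """Return (notBefore, notAfter) as UTC datetimes from `openssl x509 -dates` output."""
    found = {}
    for line in dates_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            parsed = datetime.strptime(value.strip(), OPENSSL_DATE_FMT)
            found[key] = parsed.replace(tzinfo=timezone.utc)
    if set(found) != {"notBefore", "notAfter"}:
        raise ValueError("expected both notBefore= and notAfter= lines")
    return found["notBefore"], found["notAfter"]


def assess(dates_text, now, max_days=MAX_PUBLIC_LIFETIME_DAYS):
    """Lifetime check plus renewal decision for one certificate at time `now`."""
    not_before, not_after = parse_openssl_dates(dates_text)
    lifetime = not_after - not_before

    def days(delta):
        return delta.total_seconds() / 86400

    return {
        "lifetime_days": days(lifetime),
        # longer than the ceiling: a public CA will not issue this any more
        "within_public_limit": days(lifetime) <= max_days,
        "days_remaining": days(not_after - now),
        "expired": now >= not_after,
        # renewal window reached: an ACME client should already be replacing it
        "renew_now": now >= not_before + lifetime * RENEW_AT_FRACTION,
    }


# Constructed sample inputs (not real certificates): a 90-day ACME certificate
# and a three-year certificate of the kind public CAs no longer issue.
ACME_90_DAY = "notBefore=Jan  1 00:00:00 2025 GMT\nnotAfter=Apr  1 00:00:00 2025 GMT\n"
THREE_YEAR = "notBefore=Jan  1 00:00:00 2024 GMT\nnotAfter=Jan  1 00:00:00 2027 GMT\n"
CHECK_TIME = datetime(2025, 3, 5, tzinfo=timezone.utc)   # constructed "now"

if __name__ == "__main__":
    for name, text in (("acme-90-day", ACME_90_DAY), ("three-year", THREE_YEAR)):
        print(name, assess(text, CHECK_TIME))
```

Pipe the real `openssl x509 -noout -dates` output of each certificate in your inventory through `assess()` to find certificates that will no longer be renewable as issued and those whose renewal automation has silently stopped.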
Summary
- Publicly trusted SSL certificates cannot exceed 1 year today.
- By 2029, maximum lifespan will shrink to 47 days.
- For long-term validity, you must rely on automation or use Cloudflare Origin Certificates for private trust.