SSL Calendar Logo SSLCalendar
Blog About
October 2026: The First 200-Day SSL Cert Expiration Wave

October 2026: The First 200-Day SSL Cert Expiration Wave

Experts warn October 1, 2026 could trigger widespread outages as the first 200-day SSL certificates expire. Research shows 40% of enterprises aren't ready.

The 200-day certificate era officially began on March 15, 2026. But the real test is still ahead. Industry experts are now pointing to a specific date — October 1, 2026 — as the moment we’ll find out how many organizations actually prepared for the transition. That’s when the first wave of shorter-lived certificates will start expiring, and according to new research, a troubling number of enterprises aren’t ready.

Why October 1 Matters

The math is straightforward. When the CA/Browser Forum’s Ballot SC-081v3 took effect on March 15, the maximum validity for new public TLS certificates dropped from 398 days to 200 days. Organizations that renewed or issued certificates right around that date now hold certificates that will expire in late September or early October 2026.

Tim Callan, Chief Compliance Officer at Sectigo, laid out the concern in a TechRadar analysis published March 30: on the week of October 1, 2026, expect headlines about unexpected outages as the first batch of short-lived certificates reach their expiration date. Organizations that previously renewed once a year now face a renewal cycle they may not have fully accounted for.

This isn’t hypothetical anxiety. We’ve already seen what happens when certificate renewals fall through the cracks — Google’s Bazel build system went down for 13 hours in December 2025, and Riot Games locked millions of League of Legends players out in January 2026 — both due to expired certificates that no one was watching.

40% of Enterprises May Not Be Ready

Research from CSC, based on an analysis of over 100,000 global SSL certificate records, found that 40% of enterprises could be at risk of an outage caused by expired SSL certificates. The study also revealed that 17% of companies surveyed didn’t even know what domain control validation (DCV) method they were using — a critical gap when renewals are about to become twice as frequent.

The problem compounds as you look ahead. The 200-day maximum is just the first step in a phased reduction:

  • March 15, 2026: Maximum validity drops to 200 days (now in effect)
  • March 15, 2027: Further reduction to 100 days
  • March 15, 2029: Final reduction to 47 days

By 2029, organizations could face up to eight certificate renewals per year per domain. Any manual process that barely handled annual renewals will collapse under that frequency.

What Makes October Different

Previous certificate-related outages have typically been isolated incidents — one company forgets to renew, one service goes down. October 2026 is different because it represents a systemic inflection point. Every organization that issued a certificate under the new 200-day rules in March or April 2026 will hit their first renewal window at roughly the same time.

That means:

  • Support queues at CAs could spike as organizations rush to renew certificates they didn’t realize were expiring so soon.
  • Automated renewal systems will face their first real test under the new validity period. Systems configured for annual renewals may not trigger in time.
  • Third-party dependencies could cascade. If your SaaS provider, CDN, or API gateway lets a certificate lapse, your service goes down too — even if your own certificates are current.

How to Prepare Before October

The organizations that will sail through October are the ones taking action now, while there are still six months of runway. Here’s what to prioritize:

  • Audit your certificate inventory. Know every certificate across every domain, subdomain, and service. Shadow IT and forgotten staging environments are where expirations hide.
  • Verify your automation actually works. If you use ACME, certbot, or a managed provider’s auto-renewal, test it. The Bazel outage proved that automation can fail silently for weeks.
  • Set up multi-stage alerting. You want notifications at 90, 60, and 30 days before expiry — not a single alert the week before.
  • Check your DCV method. With WHOIS-based email validation deprecated since July 2025, make sure your domains use DNS-based or file-based validation methods that will work reliably for frequent renewals.
  • Map your third-party dependencies. Identify which external services your infrastructure depends on, and ask whether those providers have adapted to the new certificate lifecycle.

Don’t Wait for the Headlines

October 1 will be a watershed moment for the SSL/TLS industry. Some organizations will handle it seamlessly because they prepared. Others will learn the hard way that shorter certificate lifetimes require a fundamentally different approach to certificate management.

To make sure you’re in the first group, SSLcalendar.com provides calendar-based expiration reminders that alert you well before certificates reach their renewal window. Add your domains now, and you’ll have full visibility into your October expiration timeline before it becomes an emergency. For organizations managing certificates across many domains, SSLboard.com offers comprehensive certificate surveying, chain validation, and vulnerability detection — the kind of infrastructure-level visibility that prevents outages before they start.

The clock to October is ticking. Six months is plenty of time to prepare — but only if you start now.

Sources: Why October 1, 2026, could be the day SSL/TLS certificates ‘break the Internet’ — TechRadar, CSC Research Finds 40% of Enterprises Could Be at Risk of an Outage Due to SSL Expiration, CA/Browser Forum Ballot SC-081v3.

← Back to Blog