2025-12-16

Transition to shorter Code Signing certificate validity periods

Key information

From March 1, 2026, Code Signing certificates will have maximum validity period reduced from about 3 years to 460 days (about 15 months).

Important: The products Certum offers remain unchanged. However, individual certificates issued within these products must comply with the validity limits in effect at the time of issuance.

This means certificates will need to be renewed more frequently. Organizations should review their certificate inventory and renewal processes to ensure uninterrupted software signing workflows.

This change applies to products:

Certum Standard Code Signing for 2 and 3 years,
Certum EV Code Signing for 2 and 3 years.

This change will not affect any Code Signing products available with 1-year validity.

It will still be possible to order a 3-year Code Signing product, but you will need to complete one or more reissues to use the full validity included in your original product.

Key dates

March 1, 2026 – maximum certificate validity period is reduced to 460 days
March 15, 2026 – subject identity information validation data reuse period is 398 days

How to prepare?

Organizations should begin preparing now to ensure business continuity. The impact depends largely on how you manage your private keys and signing workflows.

Recommended actions include:

Inventory all certificates – Know what Code Signing certificates you have, where they’re used, and when they expire. Visibility is the first step toward avoiding unexpected interruptions.
Evaluate key storage method – If you rely on physical hardware tokens, consider switching to cloud based solutions – that eliminates token logistics and simplifies renewals. Hardware tokens may have limited storage space for certificates, and the increased frequency of token replacement can have a significant impact on your budget.
Evaluate signing workflows – Review existing procedures to align them with the maximum validity period. Test certificate issuance and rotation within build pipelines.
Update legacy build systems – Older CI/CD pipelines that rely on manual processes may require updates or modernization to support shorter certificate lifecycles.
Plan renewal cycles – Align your internal planning with a 12-month renewal cycle. This makes budgeting and scheduling renewals more predictable.

What will happen to Code Signing certificates after March 1, 2026?

Certificates issued before March 1, 2026 will remain valid until their expiration dates. The issuance date (not order date) determines the validity period. Application processing times for Standard and EV certificates may vary, so plan renewals early to ensure smooth continuity.

After March 1, 2026, all new Code Signing certificates will comply with the updated 460-day validity period.

If the issued certificate has a shorter validity period and expires before the end of your product’s validity, you can use the reissue process to take full advantage of the validity available under your product.

1-year Code Signing product requires no reissue,
2-years Code Signing product will require at least 1 reissue,
3-year Code Signing product will require at least 2 reissues.

Example: If you purchase a 2-years Code Signing product and the certificate is issued on March 1, 2026, it will be valid for 460 days. To use the full year of your product, simply reissue the certificate once between day 270 and day 460 – this will give you complete coverage for the entire 2 years, split across two certificates.

Subject identity information validation data reuse periods are also being shortened alongside certificate validity periods. This means that when you reissue a certificate, revalidation may be required if the previous validation has expired. Plan your reissues accordingly to avoid delays.

Why is this changing?

These changes, approved by the CA/Browser Forum in Ballot CSC-31, are designed to enhance the security of digital certificates and strengthen software supply chain security.

Key reasons include:

Enhanced security – shorter validity periods limit exposure to key compromise or takeover attacks and reduce the window in which outdated or compromised certificates can be misused.
Faster adoption of new standards – shorter periods ensure certificates reflect the latest security standards, keeping software aligned with industry best practices and helping organizations stay ahead of compliance requirements.
Regular key rotation – more frequent renewals help organizations keep cryptographic material current and adopt stronger controls for private key storage and usage.
Preparation for future transitions – frequent renewals provide a natural cadence for assessing cryptographic readiness and planning future transitions to stronger or quantum-safe algorithms.

Who will be affected the most?

Organizations that rely on 2- or 3-year Code Signing certificates, as they will need to switch to annual renewals and reissue processes.
Organizations using hardware tokens, where certificate replacement is logistically challenging and more frequent renewals increase operational workload.
Organizations with distributed development teams, where multiple projects or teams rely on separate signing processes.
Developers and companies with legacy systems or workflows designed for long certificate lifespans, which may require updates to support more frequent certificate changes.

Electronic signature activation

Electronic signature renewal