Preparing for Shorter SSL/TLS Certificate Lifetimes
- Last Updated: March 06, 2026
The web browser and certificate authority industry is shortening the maximum allowed lifetime of TLS certificates. These changes will improve security on the Web, but you may have to change certificate maintenance practices for apps you run on Heroku.
The good news is that if you’re using Heroku Automated Certificate Management, no changes are required: Heroku already refreshes and updates certificates on your apps according to the new policies.
If you maintain and upload certificates for your Heroku applications yourself, here is what the changes will mean for you.
Industry shift towards shorter certificate lifetimes
The CA/Browser Forum is phasing in shorter maximum lifetimes for all publicly trusted SSL/TLS certificates. While the final goal is a 47-day limit by 2029, the first major milestone is approaching quickly.
Starting March 15, 2026, the maximum validity period for publicly trusted SSL/TLS certificates will be reduced to 200 days.
| Effective Date | Maximum Certificate Lifespan |
|---|---|
| Current | 398 days |
| March 15, 2026 | 200 days |
| March 15, 2027 | 100 days |
| March 15, 2029 | 47 days |
Why this is happening
Shorter certificate lifespans improve security by:
- Reduced exposure: Shrinks the window of exposure if a private key is compromised
- Modern standards: Ensures certificates rotate frequently to adopt the latest cryptographic standards
- Automation: Encourages a shift toward automated certificate management
Recommended actions for manual certificate users
If you use custom SSL certificates on Heroku (certificates you obtain and upload yourself), you will need to:
- Plan for more frequent renewals: After March 15, 2026, you’ll need to renew certificates at least every 200 days (approximately every 6.5 months) rather than annually.
- Update your renewal processes: Ensure your team or certificate management tools can handle the increased renewal frequency.
- Check your current certificates: Review the expiration dates of your existing certificates.Note: Certificates issued before March 15, 2026 with longer validity periods will remain valid until they expire, but renewals after that date must comply with the new 200-day maximum.
Automating certificate renewals with Heroku ACM
Consider switching to Heroku Automated Certificate Management (ACM). ACM automatically provisions and renews certificates for your custom domains at no additional cost, eliminating the need for manual certificate management.
To enable ACM for your app:
heroku certs:auto:enable -a your-app-name
Learn more: Heroku ACM Documentation
Have questions about certificate management?
If you have questions about these changes or need assistance with your certificate strategy, please contact Heroku Support or visit our documentation:
We’re committed to helping you navigate these industry changes smoothly.
