Starting in 2026, publicly trusted code signing certificates will no longer be valid for three years. The CA/Browser Forum approved an industry standard that cuts the maximum lifetime from roughly 39 months to about 460 days (around 15 months). Beginning in March 2026, browsers and operating systems will only trust certificates that follow the new rule.

This change directly affects how software is released, updated, and trusted. Shorter validity means faster certificate rotation, tighter renewal windows, and more operational pressure on build and release pipelines.

In this article you’ll find the essential facts: what exactly changed, the effective timelines, which teams and systems this affects, and concrete ways to adjust your signing and release workflows.

Understanding the Shift to Shorter Code Signing Certificate Lifespans

Long-lived signing keys have always been a weak point. If a key leaks, gets copied, or is misused, the damage lasts as long as the certificate stays valid. Shortening the lifetime reduces that window and is the core driver behind this change.

This new guideline was set at the standards level and applies across the public trust ecosystem. Every CA that issues publicly trusted code signing certificates must follow the same limit. Here is what […]
