Shorter Validity for Code Signing Certificates Starting February 2026

The CA/Browser Forum decided to gradually reduce the maximum validity period of publicly trusted Code Signing certificates in order to limit long-term risk, improve supply-chain security, and force more regular key rotation. This decision is formalized in Ballot CSC-31, which reduces the maximum lifetime of Code Signing certificates from 39 months to 460 days, effective for certificates issued on and after March 1, 2026.

The core motivation is simple: if a private key leaks, is extracted from a build environment, or is misused by an insider, the certificate’s remaining lifetime determines how long that key can keep producing signatures that look valid. In the real world, detection and revocation aren’t always immediate or perfectly effective, so the safest structural control is to reduce how long the credential can remain usable by design.

To align with evolving CA/Browser Forum requirements, Sectigo and other Certificate Authorities will begin enforcing a maximum code signing certificate validity of 459 days. In other words: getting a multi-year Code Signing certificate will soon no longer be possible.

Finally, it is worth emphasizing that these changes do not affect code-signing certificates issued before March 1, 2026. Existing certificates will remain valid until their natural expiration date or until they are revoked by the issuing certification authority, whichever comes first. There is no retroactive shortening of validity; the new limits apply only to certificates issued after the enforcement date.