February 2026

AWS Certificate Manager Shortens Certificate Lifetimes: What It Means for Your Cloud Security Strategy

On February 18, 2026, AWS announced an important update to AWS Certificate Manager (ACM) that aligns public TLS certificate lifetimes with new industry-wide security standards.

Read the official announcement

This change reflects a broader shift across the web toward shorter-lived certificates, stronger automation, and reduced exposure to key compromise.


🔐 What Changed?

AWS Certificate Manager now issues public certificates with a maximum validity of 198 days, replacing the previous 395-day validity period.

This update ensures compliance with the CA/Browser Forum mandate requiring certificate lifetimes to be no longer than 200 days starting March 15, 2026.

Key Highlights

  • New certificates: Automatically issued with a 198-day validity by default. 
  • Existing certificates: Continue to work until they expire or renew—no manual changes required. 
  • Renewals: ACM automatically renews certificates 45 days before expiration under the new model. 
  • Legacy 395/398-day certs: Renew normally, then switch to the 198-day lifecycle. 

➡️ In short: No action is required from customers—ACM handles the transition seamlessly. 


📉 Pricing Adjusted to Match Shorter Lifetimes

Because certificates now live for roughly half as long, AWS reduced pricing for exportable public certificates:

| Certificate Type | Old Price | New Price |
| --- | --- | --- |
| FQDN Certificate | $15 | $7 |
| Wildcard Certificate | $149 | $79 |

These lower prices reflect the reduced validity window while keeping automated lifecycle management intact. 


🛡️ Why the Industry Is Moving to Shorter Certificate Lifetimes

Although this update is operationally small, it represents a significant evolution in TLS security philosophy.

1. Reduced Risk Window

If a private key is compromised, a shorter certificate lifetime limits how long attackers can exploit it.

2. Encouragement of Automation

Modern PKI assumes automated issuance and rotation rather than manual certificate management—something ACM already abstracts away.

3. Alignment With Zero-Trust Principles

Frequent credential rotation is a core tenet of Zero Trust architectures, making short-lived certificates a natural fit.

4. Standardization Across Browsers and CAs

The CA/Browser Forum mandate is an ecosystem-wide move—not AWS-specific—ensuring consistent security baselines across providers. 


⚙️ What This Means for AWS Customers

If You Already Use ACM (Most Users)

You’ll likely notice no operational difference:

  • Certificates still auto-renew.
  • Integrations with services like ALB, CloudFront, and API Gateway remain unchanged.
  • Deployment workflows do not need modification.

If You Export Certificates

Plan for:

  • More frequent renewal cycles.
  • Updated cost modeling (now cheaper per certificate).
  • Ensuring downstream systems expect shorter validity periods.

If You Manage Certificates Manually Elsewhere

This announcement is a signal to accelerate automation—manual rotation every ~6 months is not sustainable.
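
An added example (not from the original post or from AWS): an inventory check built on the post's 200-day cap, its March 15, 2026 start date, and the 45-day renewal window. Record fields mirror ACM's DescribeCertificate output (`NotBefore`, `NotAfter`, `Type`); the sample inventory, domain names, and finding labels are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Values taken from the post; field names follow ACM DescribeCertificate output.
MAX_LIFETIME = timedelta(days=200)                        # CA/Browser Forum cap
CAP_START = datetime(2026, 3, 15, tzinfo=timezone.utc)    # cap applies from here
RENEW_WINDOW = timedelta(days=45)                         # ACM renewal lead time

def audit(cert, now):
    """Return finding labels (constructed names) for one certificate record."""
    findings = []
    lifetime = cert["NotAfter"] - cert["NotBefore"]
    remaining = cert["NotAfter"] - now
    # Assumes a publicly trusted certificate: one issued on or after the cap
    # date with a longer lifetime will not meet the 200-day requirement.
    if cert["NotBefore"] >= CAP_START and lifetime > MAX_LIFETIME:
        findings.append("lifetime-over-200d")
    if remaining <= timedelta(0):
        findings.append("expired")
    elif remaining <= RENEW_WINDOW:
        # ACM does not renew imported certificates, so those need a manual or
        # pipeline-driven replacement; ACM-issued ones should be mid-renewal.
        findings.append("renew-manually" if cert["Type"] == "IMPORTED"
                        else "in-renewal-window")
    return findings

def report(inventory, now):
    """Map each certificate's domain name to its findings, skipping clean ones."""
    result = {}
    for cert in inventory:
        findings = audit(cert, now)
        if findings:
            result[cert["DomainName"]] = findings
    return result

# Constructed sample inventory (not real certificates).
NOW = datetime(2026, 4, 1, tzinfo=timezone.utc)
def _cert(name, kind, issued, days):
    return {"DomainName": name, "Type": kind,
            "NotBefore": issued, "NotAfter": issued + timedelta(days=days)}

INVENTORY = [
    _cert("app.example.com", "AMAZON_ISSUED", datetime(2026, 2, 20, tzinfo=timezone.utc), 198),
    _cert("legacy.example.com", "IMPORTED", datetime(2026, 3, 20, tzinfo=timezone.utc), 395),
    _cert("vpn.example.com", "IMPORTED", datetime(2025, 4, 1, tzinfo=timezone.utc), 395),
    _cert("api.example.com", "AMAZON_ISSUED", datetime(2025, 3, 25, tzinfo=timezone.utc), 395),
]

if __name__ == "__main__":
    for name, findings in report(INVENTORY, NOW).items():
        print(name, findings)
```

With live data, the same fields come from the `Certificate` object in ACM's DescribeCertificate response, so `audit` can run over a real inventory unchanged.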


📊 Operational Impact Snapshot

| Area | Before | After |
| --- | --- | --- |
| Default Validity | 395 days | 198 days |
| Renewal Timing | ~60 days prior (legacy) | 45 days prior |
| Compliance | Pre-mandate | CA/B Forum aligned |
| Customer Action Needed | Sometimes | None |
| Exportable Cert Cost | Higher | Reduced |

🚀 Strategic Takeaway

This change isn’t just a technical adjustment—it’s part of a broader movement toward ephemeral trust models in cloud security.

Organizations that:

  • Automate certificate lifecycle management
  • Treat credentials as short-lived assets
  • Integrate renewal into CI/CD and infrastructure pipelines

…will be best positioned for the next wave of PKI modernization.


✍️ Final Thoughts

AWS Certificate Manager’s shift to 198-day certificates demonstrates how cloud platforms are quietly enforcing stronger security hygiene across the internet. With automation handling the heavy lifting, customers gain improved security posture without additional operational burden.

Honored to Be a 2026 Omnissa Tech Insider (Year Two!)

I’m incredibly grateful to share that I’ve been selected once again as part of the 2026 Omnissa Tech Insiders—my second year in this inspiring community.

This year’s cohort brings together an exceptional group of professionals with deep experience across AI, cloud, security, developer tools, and beyond. The diversity of perspectives, real-world impact, and accomplishments across the group truly impressed me.

Being part of this community has been both energizing and humbling—learning from peers, exchanging ideas, and contributing to conversations that are shaping the future of technology. I’m proud to stand alongside such talented individuals and excited about what lies ahead.

A huge thank you to the Omnissa team and to everyone in this cohort. Congratulations to all the 2026 Tech Insiders—I’m looking forward to another great year of collaboration and growth.

👏

👉 View the full announcement here: https://lnkd.in/etxzrcVS