Tech Alert

Overview

The California Department of Technology (CDT) is advising all customers that to strengthen security and reduce risk, global security standards governing the maximum validity period for Secure Socket Layer (SSL)/Transport Layer Security (TLS) certificates will change effective March 15, 2026. As part of this change, certificate lifespans will be significantly reduced from the current 365-day validity period.

Certificate validity will decrease to:

• 200 days in 2026
• 100 days in 2027
• 47 days by 2029

CDT Secure Certificates Services is preparing for these industry-mandated changes by transitioning to a Delegated Administrator model in the Sectigo Certificate Manager (SCM) platform. This approach will enable departments to directly issue and manage their own certificates.

Action Requested

Departments and agencies that currently obtain SSL/TLS certificates from CDT must do the following, on or before March 15, 2026:

• Open a Secure Certificates request in the CDT IT Services Portal (ServiceNow).
  • Select the “Add/Delete Delegated Administrator” service option.
  • Designate 2–3 delegated administrators (or one shared departmental account).
• Review available training materials and best practices (note: materials are currently being updated) at https://cdt.ca.gov/services/certificates/.
• Begin planning for certificate automation to support shorter certificate lifespans.

Departments will continue managing certificate installations on their own systems. CDT Secure Certificates Services will continue to provide support for access, guidance, and compliance questions via requests in the IT Services Portal (ServiceNow).