Shortened Validity Periods for SSL/TLS Certificates

Date: 21.03.2026
I would like to inform you about an important change that affects all web server operators and possibly your HCL Domino Servers: The maximum validity periods of SSL/TLS certificates will be drastically shortened in stages.

What is happening?

The CA/Browser Forum – the body that sets the rules for publicly trusted certificates – approved a phased reduction of the maximum validity period for SSL/TLS certificates in April 2025 with Ballot SC-081v3.
The goal: To increase internet security by reducing the window for compromised certificates and promoting the automation of certificate management.

The new timeline at a glance

| Period | Max. Certificate Validity | Max. Domain Validation (DCV) |
|---|---|---|
| Until March 14, 2026 | 398 days (as before) | 398 days |
| From March 15, 2026 | 200 days | 200 days |
| From March 15, 2027 | 100 days | 100 days |
| From March 15, 2029 | 47 days | 10 days |
 
 
⚠️ Important: Some certificate authorities are implementing the changes even earlier. DigiCert has not accepted certificate requests with more than 199 days of validity since February 24, 2026. Sectigo made the switch on March 12, 2026.

What does this mean for you in practice?

1. More frequent renewal required

Instead of once a year as before, your SSL/TLS certificate will need to be renewed at least twice a year in the future – from 2027 even every three to four months and from 2029 nearly monthly.

2. Domain validation will be required more frequently

Domain validation (DCV) must be performed again with each certificate renewal. From 2029, an existing validation can only be reused for 10 days.

3. Automation becomes a must

Manual certificate management will become increasingly impractical with these short validity periods. Anyone who fails to renew in time risks outages and error messages for employees and customers.

Impact on your HCL Domino Server

For operators of HCL Domino Servers – whether for iNotes/Verse, Traveler, or web applications – this means:
  • The keyring files (keyring.kyr / keyring.sth) will need to be updated much more frequently.
  • An expired certificate will cause browsers to block access to your server and the HCL Verse App to stop working.
  • Plan the renewal cycles early in your maintenance calendar.

How I can support you

As an official SECTIGO Reseller, I continue to offer you the familiar full service:
  • Timely reminders before your certificate expires
  • Complete handling of the certificate renewal including creation of the keyring files for your Domino Server
  • Consulting on automation of certificate management, especially with Domino CertStore (certstore.nsf) from Domino 12
  • Review and optimization of your server configuration (TLS protocols, cipher suites)
 
💡 My tip: If you are still running Domino 9.x or 10.x, now is a good time to consider upgrading to Domino 12 or higher. The Certificate Manager (certstore.nsf) included there significantly simplifies certificate management and supports automatic renewals via the ACME protocol (e.g. with Let's Encrypt).

Recommended actions

  • Check when your current SSL/TLS certificate expires
  • Plan the next renewal according to the new 200-day deadline
  • Contact me if you need support with the transition or automation
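
The first two recommended actions, worked through as an added example (not code from the original post): it reads a certificate's dates and projects every renewal through 2029 using the certificate validity caps from the timeline above. The function names, the 14-day renewal lead time, the assumption that the CA always issues the full permitted lifetime, and the sample certificate are assumptions made for illustration; the DCV reuse column is not modelled.

```python
import socket
import ssl
from datetime import date, datetime, timedelta, timezone

# Caps from the timeline table above: (first issuance date, max validity in days).
PHASES = [(date(2029, 3, 15), 47), (date(2027, 3, 15), 100), (date(2026, 3, 15), 200)]
LEGACY_MAX_DAYS = 398  # applies to certificates issued until March 14, 2026


def max_validity_days(issued: date) -> int:
    """Maximum certificate lifetime allowed for a certificate issued on `issued`."""
    for start, days in PHASES:
        if issued >= start:
            return days
    return LEGACY_MAX_DAYS


def cert_dates(cert: dict) -> tuple[date, date]:
    """Extract (notBefore, notAfter) as UTC dates from a getpeercert() dict."""
    def to_date(text: str) -> date:
        return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), timezone.utc).date()
    return to_date(cert["notBefore"]), to_date(cert["notAfter"])


def fetch_cert(host: str, port: int = 443) -> dict:
    """Fetch the validated leaf certificate of a live server (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def renewal_plan(cert: dict, lead_days: int = 14, until: date = date(2029, 12, 31)):
    """List (renew_on, cap_days, new_expiry) for every renewal up to `until`."""
    if lead_days >= min(days for _, days in PHASES):
        raise ValueError("lead_days must be shorter than the shortest validity cap")
    _, expiry = cert_dates(cert)
    plan = []
    while (renew_on := expiry - timedelta(days=lead_days)) <= until:
        cap = max_validity_days(renew_on)
        expiry = renew_on + timedelta(days=cap)  # assumes the CA issues the full cap
        plan.append((renew_on, cap, expiry))
    return plan


# Constructed sample in the format returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {"notBefore": "Feb  1 00:00:00 2026 GMT", "notAfter": "Feb  1 00:00:00 2027 GMT"}

if __name__ == "__main__":
    for renew_on, cap, expiry in renewal_plan(SAMPLE_CERT):
        print(f"renew on {renew_on}: max {cap} days, new expiry {expiry}")
```

To plan for a real server, pass `fetch_cert("your.host.example")` (a placeholder hostname) to `renewal_plan` instead of the sample.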
 
If you have any questions, I am always happy to help.