The confusion at checkout in 2026 is understandable. The price column shows 1-year, 2-year, 3-year options with discount percentages. But a separate notice somewhere on the page says certificates are only valid for 199 days. If the certificate expires every 199 days, does the 2-year plan actually give you 2 years of coverage? Yes, it does. And the reissuance that makes that work is free.
The 199-day certificate validity and the multi-year subscription are separate concepts. The subscription term is the period you paid for. The certificate validity is the period each individual certificate file is trusted. Under the current system, a 2-year subscription at $9.98 total gives you 2 full years of HTTPS coverage through a sequence of 199-day certificates, each reissued free within the subscription. You pay once. You get the coverage. The reissuance is an operational step, not an additional cost.
What is a multi-year SSL subscription?
A multi-year SSL subscription is a purchase agreement covering a fixed term (1, 2, or 3 years) under which the buyer pays once and receives unlimited free reissuances of the certificate for the full term. Because TLS certificate validity is currently capped at 199 days, a 2-year subscription requires approximately 4 reissuances. Each reissuance produces a new certificate valid for 199 days. The subscription does not expire until the purchased term ends.
The Exact Math: Cost Per Year and Reissuance Count by Plan
The example below uses Certera’s Sectigo PositiveSSL DV pricing, verified in June 2026. The same calculation applies to any reseller; substitute the actual prices from the reseller’s checkout page.
| Plan | Certera price (June 2026) | Total paid | Reissuances during term (at 199-day validity) | Certificates issued | Cost per certificate issued | Annual effective cost |
| 1 year | $4.99 | $4.99 | ~1 (at month 6, one reissuance before expiry) | 2 certificates | $2.50 each | $4.99/year |
| 2 years | $7.98 ($3.99/year) | $7.98 | ~3 reissuances | 4 certificates | $2.00 each | $3.99/year (20% saving vs annual) |
| 3 years | $10.47 ($3.49/year) | $10.47 | ~5 reissuances | 6 certificates | $1.75 each | $3.49/year (30% saving vs annual) |
Reissuance counts use 199-day validity and a 3-year term of 1,095 days. Number of 199-day periods in 1,095 days: 1,095 divided by 199 equals approximately 5.5, meaning 6 certificates are required to cover the full 3-year term with no gaps. The first certificate issues at purchase. Five subsequent reissuances cover the remainder. All five reissuances are free within the subscription.
The reissuance count in the table uses current 199-day validity. This will change. From October 2026 (per DigiCert’s FAQ) or March 2027 (per CA/B Forum Ballot SC-081v3), validity drops to approximately 100 days. A 3-year subscription purchased today will require more reissuances per year starting in 2027. The subscription price does not change. Only the reissuance frequency increases. This is addressed in the 47-day trajectory section below.
How the Reissuance Process Actually Works
Buyers worried about the reissuance requirement often imagine it involves buying again, contacting support, or waiting days for validation. The actual process at most resellers for a DV certificate takes under 15 minutes.
The Certera reissuance process, documented in their March 2026 knowledge base:
- Day 165 to 180 of each 199-day certificate: log in to the reseller account. Navigate to the certificate order. Click Reissue.
- Generate or paste a new CSR: if the server’s private key has not changed, the same CSR can be reused. If the server was migrated or keys were rotated, generate a new CSR first.
- Complete domain control validation: under current DCV reuse rules effective March 2026, DCV data can be reused for up to 198 days. If less than 198 days have passed since the last DCV event, the reissuance may complete without repeating domain validation. If more than 198 days have passed, a new DNS CNAME or HTTP file validation is required. DNS validation takes under 10 minutes.
- Download and install: the new certificate files arrive within minutes for DV. Replace the certificate on the server. Reload the web server.
Total active time for a DV reissuance with fresh DCV: approximately 10 to 20 minutes. Total active time if DCV reuse still applies: approximately 5 minutes. Neither requires a new purchase.
Set a calendar reminder for day 165 of each certificate validity period. Reissue before day 180 to give installation time before the current certificate expires at day 199. Waiting until day 190 is technically fine but leaves a 9-day window in which a failed validation or server issue could cause certificate expiry. 15 days of buffer is the practical standard.
Why Annual Renewals Carry a Risk That Multi-Year Subscriptions Do Not
Renewing annually means making a new purchase every 12 months. Each annual purchase is subject to the price in effect at that time. Three risks compound:
- Price increases: reseller pricing adjusts with market conditions, CA wholesale rate changes, and currency fluctuations. A certificate priced at $4.99 today may cost $6.99 in 12 months. A 3-year subscription purchased at $3.49 effective annual rate locks that price for the full term regardless of subsequent price changes.
- Promotional pricing expiration: many resellers offer discounted first-year pricing. The renewal rate is higher. A reseller offering $2.99 in year one may charge $6.99 at year two renewal. Multi-year plans price the full term at a consistent rate without introductory discount mechanics.
- Lapse risk: each annual renewal is a separate transaction that can fail. A credit card that expires, a billing email missed, or a domain change that breaks the automated renewal flow results in a certificate lapse. A 3-year subscription reduces the number of renewal transactions from 3 to 1. Fewer transactions means fewer failure points.
GoDaddy cut its auto-renewal refund window from 30 days to 7 days in February 2025. Annual renewal customers who miss a GoDaddy renewal charge within 7 days lose the refund opportunity. This asymmetry (instant charge, 7-day reversal window) is specific to GoDaddy but illustrates the operational exposure that comes with annual renewal transactions. A multi-year subscription eliminates this exposure for the full subscription term.
The 47-Day Trajectory: Why Multi-Year Is More Valuable as Validity Shrinks
The CA/B Forum’s Ballot SC-081v3, approved April 2025, schedules TLS certificate validity reductions in three stages:
- Current (March 2026 to approximately October 2026 for DigiCert, March 2027 for CA/B Forum): 199 days maximum
- Stage 2 (approximately March 2027): 100 days maximum
- Stage 3 (March 2029): 47 days maximum
A 3-year subscription purchased today at the current per-year price will span all three stages if it begins in mid-2026. The reissuance count increases at each stage, but the subscription price does not change. This is the price lock benefit that compounds over time.
The reissuance count across a 3-year subscription that spans the validity reduction schedule:
| Period within 3-year subscription | Validity in effect | Certificates required for that period | Reissuances required |
| Months 1 to 9 (approx. to March 2027) | 199 days | 2 certificates | 1 reissuance |
| Months 9 to 24 (approx. March 2027 to March 2029) | 100 days | 5 to 6 certificates | 4 to 5 reissuances |
| Months 24 to 36 (approx. March 2029 to mid-2029, if subscription extends) | 47 days | 8+ certificates | 7+ reissuances |
| Total across full 3-year term spanning all stages | Mixed | ~15 to 20 certificates | 14 to 19 reissuances |
All reissuances remain free within the subscription. The buyer who purchased a 3-year subscription at the 199-day price point gets all certificates at the price paid, regardless of how many reissuances the validity reduction schedule requires. The buyer making annual purchases at each stage faces whatever price is in effect at each annual renewal.
From March 2027 at 100-day validity, DCV reuse periods also shorten. Domain validation data can currently be reused for 198 days. At 100-day validity, domain revalidation will be required more frequently, meaning each reissuance may require a new DNS CNAME validation event rather than using cached validation. This is a 10-minute task, not a day-long process, but buyers should anticipate more frequent DCV completions as validity decreases. Automation via ACME clients eliminates this overhead entirely for buyers comfortable with command-line tools.
OV and EV Multi-Year: The Validation Reuse Dimension
For DV certificates, the multi-year math above applies cleanly. For OV and EV certificates, an additional factor applies: organization validation data reuse.
From March 15, 2026, under CA/B Forum Ballot SC-081v3, OV and EV organization information (the verified legal entity name, address, and phone number) can only be reused for 398 days. Previously, this data could be reused for 825 days. This means that during a 3-year OV or EV subscription, the buyer will need to re-verify their organizational information at least once, regardless of the certificate reissuance schedule.
The re-verification process for existing OV/EV customers is faster than initial validation. The CA already has the organization’s records on file. Re-verification typically requires confirming that the details have not changed and completing a phone callback. For most returning customers, re-verification completes in 1 to 2 business days compared to 1 to 5 days for first-time applicants.
Multi-year OV and EV subscriptions remain the better value. The re-verification step is not an additional purchase; it is a validation refresh within the existing subscription. The price lock and reduced purchase transaction count benefits apply equally to OV and EV as to DV.
Decision: Which Plan to Buy Based on Your Situation
| Your situation | Recommended plan | Reason |
| Testing a new site or not sure it will persist past year one | 1-year | Flexibility to abandon or switch resellers without locked funds |
| Established site, stable server, cost is primary concern | 3-year | Lowest effective annual cost, maximum price lock against future validity reduction pricing changes |
| Established site but may migrate servers or change CA | 2-year | Lower cost than annual, shorter lock-in than 3-year if migration planned |
| Site is growing and switching to OV in the near future | 1-year DV now; OV multi-year when ready | Buy 1-year DV to launch. Switch to OV on a 3-year subscription once the business case is clear. |
| Automation already set up (Certbot, ACME) | Let’s Encrypt free via ACME | If ACME automation is in place and working, paid multi-year adds cost for no operational benefit. |
The One Reason to Prefer Annual Over Multi-Year
A multi-year subscription locks the buyer into the reseller and CA for the subscription term. If the reseller goes out of business, changes its pricing structure, or provides poor support, the buyer is committed. If a better reseller or CA option appears mid-term, switching means either waiting until the subscription expires or forfeiting the remaining subscription value.
For buyers purchasing from established, well-reviewed resellers (Namecheap, SSL Dragon, Certera, SSLs.com), this risk is low but real. The 30% saving over 3 years on a certificate priced at $4.99 annually is approximately $4.50 in absolute terms , a small amount. The decision weight shifts from financial to operational: is 30% off $15 worth 3 years of commitment to one vendor? For most buyers the answer is yes. For buyers who expect significant infrastructure changes in the next 2 to 3 years, the flexibility of annual purchase has value.
Frequently Asked Questions
I bought a 3-year subscription but the certificate shows it expires in 199 days. Did I get scammed?
No. This is correct and expected behavior under 2026 CA/B Forum rules. The certificate validity period (199 days) is distinct from the subscription term (3 years). You paid for 3 years of coverage delivered through a series of 199-day certificates, each reissued free within the subscription. Log in to your reseller account around day 165 to 180. Click Reissue, complete domain validation if required, download the new certificate, and install it. Your 3-year subscription remains active and covers the full term.
Does reissuance require paying again?
No. Reissuance within an active multi-year subscription is always free. The subscription price covers all certificate issuances required during the term, regardless of how many the validity reduction schedule requires. The only scenario in which reissuance incurs a cost is if the subscription has expired and the buyer is starting a new purchase.
Will the 3-year price I pay today still cover the higher reissuance frequency when validity drops to 47 days?
Yes. The subscription covers all reissuances until the subscription term expires, regardless of validity period changes. A 3-year subscription purchased today for $10.47 covers all reissuances required as validity drops from 199 days to 100 days and eventually to 47 days during the subscription term. No additional payment is required for the increased reissuance frequency. This is the primary reason multi-year subscriptions become more valuable as the 47-day deadline approaches.
