Today is June 19, 2026. If your SSL certificate was issued or renewed any time in March 2026, its 199-day validity expires in the first two weeks of October 2026. That is approximately 14 weeks from today. Sectigo’s Chief Compliance Officer Tim Callan predicted publicly in TechRadar on March 30, 2026 that the week of October 1 will see widespread outages as this first wave of 200-day certificates expires simultaneously.
The Prediction: Sectigo’s CCO Speaks Directly
Tim Callan, Sectigo’s Chief Compliance Officer, published a warning in TechRadar on March 30, 2026 that named the exact date:
“For organizations that issue certificates in March 2026, their maximum 6-month (approx. 200-day) term will expire in early October 2026. On the week of October 1, 2026, we expect to see headlines about unexpected outages as the wave of these first short-lived certificates begin to expire.”
Tim Callan, Chief Compliance Officer, Sectigo (TechRadar, March 30, 2026)
Callan went on to note that while large enterprises with automation may weather this, smaller organizations with fewer resources will face the full impact. The outages won’t be isolated to main websites. An expired certificate on an API, an internal service, or a third-party vendor’s system causes revenue loss or compliance failures , often from systems nobody was monitoring because they “just worked.”
The Exact Expiry Window: Who Is at Risk
The new 199-day maximum certificate validity took effect March 15, 2026. Any certificate issued on or after that date expires 199 days later. The arithmetic:
| Certificate issued | Expiry date | Days remaining from June 19, 2026 |
| March 15, 2026 | October 1, 2026 | 104 days |
| March 16-22, 2026 | October 2-8, 2026 | 105-111 days |
| March 23-31, 2026 | October 9-17, 2026 | 112-120 days |
| April 1-15, 2026 | October 18-31, 2026 | 121-134 days |
| April 16-30, 2026 | November 1-14, 2026 | 135-148 days |
| May 1-31, 2026 | November 17 – December 16, 2026 | 151-180 days |
| June 1-19, 2026 | December 17, 2026 – January 5, 2027 | 181-200 days |
The October 1-17 window is the concentrated risk period because March 15-31 was the first window under the new rule. Organizations that renewed in that first two-week window are the ones Callan is warning about. Every single certificate issued in that period expires in a 17-day window starting October 1.
The Three Groups Most at Risk
Group 1: Organizations that renewed manually in March 2026 without setting new reminders
Until March 2026, certificate renewals happened once a year. Many organizations had annual renewal reminders set on their calendars from previous years. When the 200-day rule hit in March, the certificate was reissued for 199 days, but the renewal reminder may still be pointing to the old annual date , October 2027. The actual expiry is October 2026. The reminder fires a year late.
Check your certificate’s actual expiry date today. Do not rely on a reminder you set when the certificate was last on annual validity.
Group 2: Multi-year subscription holders who received a silent reissuance
Organizations that purchased 2-year or 3-year subscriptions before March 2026 may have received a certificate reissuance as part of the transition to 199-day validity. Resellers handled this automatically for many subscribers: the subscription continues, but each certificate issued under it is now 199 days. If the reissuance happened in March 2026 to align with the new validity rule, the certificate expires in October 2026 regardless of when the subscription was originally purchased.
If your subscription was purchased before March 2026 but you received any certificate reissuance or renewal communication in March 2026, verify the actual certificate expiry date, not the subscription end date.
Group 3: Developers whose non-production certificates were issued on the same schedule
Staging environments, internal APIs, developer tools, and CI/CD pipeline certificates frequently get renewed at the same time as production certificates, often in the same batch during an annual maintenance window. If that maintenance window was in March 2026, all of these certificates expire in October 2026 simultaneously. The main website may have automated renewal set up. The staging API and the internal service monitoring tool may not.
The outages Callan describes are precisely this type: the main website stays up, but a payment API, an authentication endpoint, or an inventory service goes down because its certificate was renewed manually on the same March schedule and nobody monitored it for expiry.
The hidden risk is the certificate nobody remembers. Certificate inventories at most organizations are incomplete. A Sectigo study found that 81% of companies experienced at least one certificate-related outage in the last year. The ones that caused outages were rarely the high-visibility production certificates that have monitoring. They were the certificates on secondary services, older subdomains, and vendor-managed systems that “just work” until they don’t. The October 2026 wave will surface exactly this category.
How to Check Your Certificate Expiry Right Now
Three methods, from fastest to most thorough:
Method 1: Browser check (30 seconds)
Navigate to your website in Chrome. Click the padlock or tune icon in the address bar. Select Connection is secure, then Certificate is valid. The dates shown include the expiry date. If it shows any date in October 2026, you are in the risk window.
Method 2: OpenSSL command (accurate, works for any domain)
echo | openssl s_client -connect yourdomain.com:443 2>/dev/null | openssl x509 -noout -dates
The output shows notAfter= with the exact expiry date. Any notAfter= in October or November 2026 puts you in the renewal window that should already be in progress.
Method 3: SSL Labs full audit (comprehensive)
Navigate to ssllabs.com/ssltest and run a full scan of your domain. SSL Labs shows certificate expiry prominently and flags certificates expiring within 60 days. If your certificate appears in the expiring-soon category, act immediately.
Check every domain you manage, not just the primary website. Subdomains (api.yourdomain.com, mail.yourdomain.com, app.yourdomain.com), internal service endpoints accessible over HTTPS, and any staging or development domains that use trusted certificates all need verification. The certificate that causes an October outage is rarely the main website , it is the one nobody thought to check.
What to Do If Your Certificate Expires in October 2026
Action 1: Renew now, not in September
If your certificate expires in the October 2026 window, initiate renewal in the next two weeks. Do not wait until September. Certificate renewals that happen in mid-to-late September, when every other organization with a March 2026 certificate is also renewing, create processing delays, validation queues, and deployment stress that cause the outages Callan describes. Renewing in June or July gives a full buffer for validation, delivery, installation, and testing. The new certificate will have a 199-day validity from the issuance date, not from the old expiry date, so early renewal does not waste the remaining validity on the old certificate.
Action 2: Set up automated renewal before October
For any domain where manual renewal is the current process, set up ACME automation before October. Certbot with Let’s Encrypt, or an ACME client configured to Sectigo’s endpoint, handles renewal automatically without human intervention. The setup time is a few hours. The payoff is elimination of the manual renewal queue that creates the October wave in the first place.
For organizations that need commercial OV or DV certificates rather than Let’s Encrypt, Sectigo ACME-compatible endpoints support automated OV renewal (from SSL2BUY at $90/year) and DV renewal (via ACME). The automation configuration is the same as Let’s Encrypt once EAB credentials are set up.
Action 3: Buy a multi-year managed renewal subscription before October
For organizations that prefer not to manage ACME automation, a multi-year certificate subscription from an authorized reseller provides reseller-managed reissuance on the 199-day schedule. Under a multi-year subscription, the reseller handles reissuance automatically at each 199-day expiry. The subscriber pays once per year (or per multi-year period) and receives timely reissuance notifications with no manual renewal process.
Pricing from authorized resellers at current rates:
- DV single-domain: $4.99/year from Certera (Sectigo). Multi-year rate stays fixed for the subscription term.
- OV single-domain: $49/year from Certera. Includes annual organizational re-verification management.
- Wildcard DV: approximately $35/year from Certera.
The key deadline: if you are not already in a managed renewal subscription and your certificate expires in October 2026, purchase a new subscription now. A new multi-year subscription issued in June 2026 will issue a fresh certificate valid for 199 days from June, with automatic reissuance in December 2026. You leave the October wave permanently.
October 2026 Is a Preview of What Happens Every 47 Days Starting 2029
The October 2026 wave is not a one-time event. It is the first instance of a phenomenon that will recur with increasing frequency as certificate validity periods continue to shorten.
| Certificate validity period | Effective date | Renewals per domain per year | Simultaneous expiry waves |
| 199 days (current) | March 15, 2026 | ~2 per year | ~2 per year |
| 100 days | March 15, 2027 | ~4 per year | ~4 per year |
| 47 days | March 15, 2029 | ~8 per year | ~8 per year |
At 47-day validity in 2029, organizations that manage certificates manually will face an expiry wave approximately every 47 days. Missing one renewal at 47-day validity means the site goes down on a Friday afternoon with no 30-day grace period. The October 2026 wave is the industry’s first test of whether organizations are ready for this cadence.
Organizations that solve the October 2026 problem by setting up ACME automation or moving to a managed renewal subscription solve the 2027 and 2029 problem at the same time. The organizations that miss October 2026 and scramble to renew in September will face the same scramble in March 2027, then again every 47 days from 2029 onward until they automate.
Frequently Asked Questions
If I renew in June instead of October, do I lose the remaining days on my current certificate?
The remaining validity on your current certificate is not transferable to the new certificate. When you renew early, the new certificate is issued for 199 days from the issuance date. The old certificate continues to work until its October expiry date, at which point it is superseded by the new certificate already installed. Early renewal does not shorten your total coverage period in any meaningful way: you get the new certificate active early with full 199-day validity, replacing the old certificate that would have expired in October. The benefit of early renewal is entirely operational: you avoid the September rush and have weeks to verify the new certificate is correctly installed before the old one expires.
My certificate does not expire until November or December 2026. Do I still need to act now?
November and December certificates are outside the October 1 concentrated wave but still expire within 6 months. Sectigo’s operational recommendation is to renew at the 180-day mark, providing a 19-day buffer before the 199-day hard limit. For a November expiry, the 180-day renewal point is approximately late May 2026 , already past. For a December expiry, the recommended renewal window is June 2026. If your certificate expires in November or December 2026, you are already in the recommended renewal window. Acting now is correct.
We have 50 certificates and some expire in October, some in November, some later. How do we prioritize?
October expiries are the most urgent. November and December follow. The practical answer for 50 certificates is to move them all to ACME automation simultaneously rather than managing 50 different expiry dates manually. With ACME automation, all 50 certificates renew automatically at their respective expiry windows without requiring any human action. The setup time per certificate is minimal once the ACME client is configured. For organizations with more than 10 certificates, ACME automation is more time-efficient than managing individual expiry calendars at 199-day validity intervals.
