How to Manage Domain Validation Under the 200-Day DCV Reuse Policy

Abstract: As of March 15, 2026, the CA/Browser Forum requires that domain validation records for publicly trusted SSL/TLS certificates expire after 200 days, cutting the previous limit in half.

This guide walks you through how to find your domain validation dates in your SSL account, how to keep DCV records aligned with your renewal schedule, and what to do if a validation lapses mid-renewal. It also covers how SSL’s ACME protocol support can automate the process entirely as certificate lifespans continue to shorten. Since March 15, 2026, the CA/Browser Forum’s updated Baseline Requirements limit domain validation reuse at 200 days, down from the previous 398-day limit. If you hold SSL/TLS certificates issued by SSL and manage your own renewals, this change affects how long a completed Domain Control Validation (DCV) remains usable and, by extension, how much lead time you have before re-validation is required. 

This guide walks you through which certificates are affected, how to locate your domain validation dates in your SSL account, and exactly what to do if a DCV record is at risk of expiring during an active renewal.

Which Certificates Are Affected

The 200-day DCV reuse limit applies to all publicly trusted SSL/TLS certificates regardless of validation level:

• Domain Validation (DV) certificates
• Organization Validation (OV) certificates
• Extended Validation (EV) certificates
• Any certificate type that includes one or more domain names or IP addresses as Subject Alternative Names (SANs)

Note that this rule specifically governs domain and IP address validation reuse. Organization/identity information (Subject Identity Information, or SII) for OV and EV certificates operates under a separate timeline and is capped at 398 days under the same March 15, 2026 rule set.

Certificates that do not contain public domain names (for example, private PKI certificates issued under SSL’s Private CA solutions) are governed by your organization’s own CA policy and are not subject to the CA/Browser Forum’s public TLS requirements.

Step 1: Understand What the 200-Day Window Actually Means

Domain Control Validation is the process by which SSL confirms that you have authority over a domain before issuing a certificate for it. That confirmation has an expiration date. Under the new policy:

• A completed DCV is valid for 200 days from the date it was performed.
• Any certificate issued using that DCV record must be issued within that 200-day window.
• If the window closes before issuance is complete, the DCV must be performed again from scratch before the certificate can be issued.

This matters most in two scenarios: (1) when you renew or reissue a certificate after a long delay, and (2) when you order a multi-year certificate package and your first-year certificate is nearing the end of its term. In both cases, the question is not just “when does my certificate expire?” but “when did I last validate my domain?”

Step 2: Check Your Domain Validation Dates in Your SSL Account

To see when your domain validations were performed and when they will expire, log in to your SSL account at secure.ssl.com and follow these steps:

1. From the main dashboard, navigate to Account and select Domains (or access the domain list from within a specific order).
2. Locate the domain in question. The list view displays each domain alongside its current validation status.
3. Click on a specific domain to open its detail view. Here you will find the validation completion date and the calculated expiration date of the domain validation record.
4. If the expiration date falls within the next 30 days, treat it as expiring soon and proceed to Step 4.
   

Tip: If you manage a large number of domains, SSL’s REST API provides programmatic access to validation records. You can query domain status using the /domain endpoint and build automated alerts into your monitoring pipeline. See the SSL Web Services (SWS) API documentation for details.

Step 3: Align Your Renewal Schedule to the 200-Day Window

Because certificates are now capped at 200 days, the practical renewal cycle is shorter than many teams are used to. Here is how to keep your schedule synchronized with your DCV records:

• Revalidate domains proactively. Rather than waiting until a certificate is about to expire, kick off domain revalidation before the 200-day DCV window closes. Completing a fresh DCV resets the clock and gives you a full 200-day runway for the next issuance.
• Account for processing time. DNS-based DCV methods (CNAME or TXT record) can take minutes to propagate or, in some enterprise DNS environments, several hours. Build in a buffer of at least 24 to 48 hours between initiating DCV and when you need the certificate issued.
• Track domain validation dates separately from certificate expiration dates. These are two distinct deadlines. A certificate can expire while the domain validation is still current, and a domain validation can lapse while the certificate is still technically valid. Both must be monitored independently.
• For wildcard certificates, the single DCV record covers the base domain (e.g., *.example.com validated via example.com). If you use the same domain validation for multiple wildcard or SAN certificates across your environment, a single lapsed DCV record can block multiple issuances simultaneously. Flag wildcard domain validations as high-priority in your monitoring.
  

Step 4: What to Do If DCV Expires Mid-Renewal

If you are in the middle of a renewal and discover that your domain validation has already expired or is about to expire before the certificate can be issued, here is the recovery path:

If the DCV has expired:

1. Log in to your SSL account and open the affected order or domain.
2. Initiate a new DCV for each domain on the certificate. SSL supports three methods: email, CNAME DNS record, and HTTP file lookup. Choose the method that fits your current infrastructure access.
3. Complete the validation challenge. DNS and HTTP methods are typically fastest for most environments.
4. Once validation is confirmed, SSL will mark the domain as validated with a new 200-day window, and certificate issuance can proceed.
   

If the DCV is expiring within the next few days:

1. Do not wait for expiration. Initiate a new DCV immediately and complete it before the current record lapses.
2. Even if a certificate is currently in process, refreshing DCV now will not interrupt an active issuance. The new validation record will simply replace the outgoing one.
   

If you are mid-renewal on an annual certificate package:

SSL’s multi-year certificate packages allow you to lock in pricing across multiple years, but each certificate issued within that package must be issued within a valid 200-day DCV window. If the window has lapsed between your first and second-year certificate, you will need to complete a fresh DCV before SSL can issue the next certificate in the series. Contact SSL support if you need assistance confirming where a package order stands.

Step 5: Automate DCV and Renewal with ACME

If your environment requires you to track DCV expiration dates manually across multiple domains and certificates, that workload will only grow as the industry moves toward 100-day certificates in 2027 and 47-day certificates by 2029. The most reliable way to stay ahead of both certificate and domain validation deadlines is to use SSL’s ACME protocol support.

ACME automates the full certificate lifecycle, including:

• Automatic domain validation at renewal time, so DCV records are always refreshed before they lapse
• Scheduled certificate issuance ahead of expiration, with no manual CSR generation or installation required
• Integration with common infrastructure including cPanel, Plesk, Kubernetes, Nginx, and Apache
  

With ACME configured, the 200-day DCV window becomes a background concern rather than an active scheduling task. SSL’s ACME implementation supports all publicly trusted certificate types and can be configured through your SSL account dashboard or via our REST API.

Quick Reference: DCV Reuse Policy at a Glance

Policy Item	Before March 15, 2026	After March 15, 2026
Max domain validation reuse	398 days	200 days
Max certificate validity	398 days	200 days
OV/EV org info (SII) reuse	825 days	398 days
Next scheduled reduction	N/A	March 15, 2027 (100 days)

Need Help?

If you have questions about your domain validation status, need to revalidate a domain on an existing order, or want to get started with ACME-based automation, the SSL support team is available to assist.

Visit ssl.com/contact_us or open a ticket directly from your account dashboard.