TL;DR: The CA/B Forum will reduce maximum code signing certificate validity from 39 months to 460 days on 1 March 2026, and GlobalSign says it will stop issuing 2-year and 3-year code signing certificates after 26 December 2025. Shorter lifetimes tighten compromise windows but increase renewal and inventory pressure across software supply chains.
NHIMG editorial — based on content published by GlobalSign: the update on shorter code signing certificate lifetimes
By the numbers:
- The CA/B Forum has ordered the maximum validity for code signing certificates to be reduced from 39 months to 460 days.
Questions worth separating out
Q: What breaks when code signing certificate lifetimes are shortened without automation?
A: Renewal deadlines become operational failure points, and expired certificates can block releases or force rushed reissuance.
A: Prioritise renewal controls first when certificate expiry, ownership, and deployment dependencies are unclear.
Q: What do security teams get wrong about shorter certificate validity windows?
A: They often treat expiry as a security control on its own.
Practitioner guidance
- Map every signing certificate to an owner and expiry path Create a live inventory of code signing certificates, tied to application, repository, pipeline, business owner, and next renewal date.
- Automate renewal and reissuance workflows Replace manual calendar reminders with certificate management automation that can trigger renewal, reissue, validation, and deployment before expiry.
- Protect signing keys as privileged secrets Store code signing keys in hardened systems, restrict access to release operators, and separate key use from general admin access.
What's in the full article
GlobalSign's full article covers the operational detail this post intentionally leaves for the source:
- The specific dates that affect new issuance, renewals, and the sunset of 2-year and 3-year code signing certificates.
- The provider-facing transition details for existing certificates that remain valid until their original expiry date.
- The practical guidance GlobalSign gives customers for certificate inventory review and renewal preparation.
- The policy context behind the CA/B Forum timetable and how it aligns with broader certificate-lifetime reductions.
👉 Read GlobalSign's update on code signing certificate validity changes →
Code signing certificates: are your renewal controls ready for 460 days?
Explore further
Certificate lifetime compression is a governance change, not a PKI footnote. Shorter validity windows force organisations to prove they can discover, assign, renew, and retire signing certificates without relying on manual memory or tribal knowledge. That shifts the control burden from occasional issuance to continuous lifecycle management. For IAM and security teams, the real question is whether certificate governance is integrated with identity ownership and offboarding discipline.
A question worth separating out:
Q: Who is accountable when a trusted signing certificate is misused?
A: Accountability sits with the team that owns the signing identity, the release process, and the key protection model, not just the certificate issuer. Governance frameworks such as NIST SP 800-53 and Zero Trust expect clear control ownership for authentication, access, and system integrity.
👉 Read our full editorial: Code signing certificate lifetimes are shortening to 460 days