TL;DR: Publicly trusted code signing certificates issued from March 1, 2026 are capped at 460 days of validity, extending the CA/B Forum's broader move toward shorter certificate lifetimes and making renewal, ownership, and key storage problems more urgent, according to Keyfactor. The governance issue is no longer renewal cadence alone, but whether teams can keep control of non-human identities as validity windows keep compressing.
NHIMG editorial — based on content published by Keyfactor: Shorter Certificate Lifespans Are Coming for Code Signing
By the numbers:
- Starting March 1, 2026, publicly trusted code signing certificates are limited to a maximum validity of 460 days.
- The CA/B Forum passed a ballot to reduce the maximum validity of SSL/TLS certificates to just 47 days by 2029.
- SSL/TLS certificate lifetimes have already fallen from five years to roughly one year (398 days), and the same ballot steps the cap down to 200 days in March 2026 and 100 days in 2027 on the way to 47 days.
Questions worth separating out
Q: How should security teams handle shorter code signing certificate lifespans?
A: Security teams should treat code signing certificates as governed NHI assets, not occasional admin tasks.
Q: What breaks when code signing certificates are left to manual renewal?
A: Manual renewal breaks when expiry windows become shorter than human workflows can reliably manage. The failure shows up either as a missed expiry that stops signing and stalls a release, or as a rushed reissue that skips the ownership and key-custody checks the process was supposed to enforce.
Q: How do you know if code signing controls are actually working?
A: They are working if every certificate is discoverable in the register, every private key lives in a hardware-backed store under access control, and renewals complete before expiry without a release being held up.
Practitioner guidance
- Inventory every code signing certificate. Build a complete register across products, pipelines, and environments that records issuer, owner, expiry date, and the location of the private key; a certificate nobody can find is one nobody will renew or revoke in time.
- Move private signing keys into hardware-backed storage. Keep signing keys in a centrally managed HSM rather than on developer workstations, build servers, or removable tokens that travel with individuals; a key that never leaves the HSM cannot be copied off a compromised host, and a shorter validity term does nothing for a key that has already been stolen.
- Automate renewal and approval workflows. Take manual renewal off the critical path by triggering replacement from pipeline-integrated workflows, with approvals tied to the recorded owner and to expiry thresholds rather than ad hoc reminders.
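The three guidance points above, and the "how do you know it is working" test earlier on the page, reduce to checks that can be run over the register itself. The following is an added example written for this editorial; it is not code from Keyfactor or NHIMG. The register layout (the CertRecord fields), the 30-day renewal lead time, the rule that only HSM-resident keys are acceptable, and every sample entry are assumptions for illustration. The 460-day cap and the March 1, 2026 effective date are the CA/B Forum values cited above; the lint applies the cap only to certificates issued on or after that date, since earlier issuance keeps its original term.

```python
"""Lint a code signing certificate register against lifecycle policy.

Added example for this editorial; not code from Keyfactor or NHIMG.
The register fields, RENEWAL_LEAD_DAYS, the approved key-store set and
all sample entries are assumptions for illustration. The 460-day cap and
the March 1, 2026 effective date are the CA/B Forum values cited above.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

CAB_FORUM_CUTOVER = date(2026, 3, 1)   # cap applies to certs issued on/after this date
MAX_VALIDITY_DAYS = 460
RENEWAL_LEAD_DAYS = 30                 # assumption: trigger renewal 30 days before expiry
APPROVED_KEY_STORES = {"hsm"}          # assumption: only HSM-resident keys are acceptable
AS_OF = date(2026, 5, 1)               # assumption: fixed "today" so the run is reproducible


@dataclass(frozen=True)
class CertRecord:
    """One row of the register: issuer, owner, validity window, key location."""
    name: str
    issuer: str
    owner: Optional[str]
    not_before: date
    not_after: date
    key_store: str      # e.g. "hsm", "usb_token", "build_server", "workstation"
    pipeline: str       # the release pipeline that uses this certificate


def validity_days(rec: CertRecord) -> int:
    return (rec.not_after - rec.not_before).days


def renewal_deadline(rec: CertRecord) -> date:
    """Date by which a replacement must be in place to avoid a signing gap."""
    return rec.not_after - timedelta(days=RENEWAL_LEAD_DAYS)


def lint(rec: CertRecord, today: date) -> List[str]:
    """Return policy findings for one record; an empty list means compliant."""
    findings: List[str] = []
    if not rec.owner or not rec.owner.strip():
        findings.append("no_owner")
    if rec.key_store not in APPROVED_KEY_STORES:
        findings.append(f"key_outside_hsm:{rec.key_store}")
    # Certificates issued before the cutover keep their original term, so the
    # 460-day check only applies to issuance on or after March 1, 2026.
    if rec.not_before >= CAB_FORUM_CUTOVER and validity_days(rec) > MAX_VALIDITY_DAYS:
        findings.append(f"validity_exceeds_cap:{validity_days(rec)}d")
    days_left = (rec.not_after - today).days
    if days_left < 0:
        findings.append(f"expired:{-days_left}d_ago")
    elif today >= renewal_deadline(rec):
        findings.append(f"renew_now:{days_left}d_left")
    return findings


def lint_register(register: List[CertRecord], today: date) -> Dict[str, List[str]]:
    """Lint every record; result keys are certificate names."""
    return {rec.name: lint(rec, today) for rec in register}


# Constructed sample register (fictional certificates, CA and teams).
SAMPLE_REGISTER = [
    CertRecord("installer-signing", "Example CA", "release-eng",
               date(2026, 3, 15), date(2026, 3, 15) + timedelta(days=460), "hsm", "win-installer"),
    CertRecord("legacy-driver", "Example CA", None,
               date(2026, 4, 1), date(2029, 4, 1), "usb_token", "driver-build"),
    CertRecord("mobile-release", "Example CA", "mobile-team",
               date(2025, 5, 20), date(2026, 5, 20), "hsm", "mobile-ci"),
    CertRecord("ci-artifacts", "Example CA", "platform",
               date(2024, 1, 10), date(2027, 1, 10), "build_server", "artifact-publish"),
    CertRecord("old-tool", "Example CA", "tools",
               date(2025, 3, 1), date(2026, 3, 1), "hsm", "internal-tools"),
]


def sample_findings() -> Dict[str, List[str]]:
    """Lint the constructed register as of AS_OF."""
    return lint_register(SAMPLE_REGISTER, AS_OF)


if __name__ == "__main__":
    for name, findings in sample_findings().items():
        print(f"{name:18} {'ok' if not findings else ', '.join(findings)}")
```

Run against the sample register, the lint clears the 460-day HSM-backed certificate, flags the three-year token-held certificate with no owner on all three counts, marks the mobile certificate as inside its renewal window, flags the build-server key on the pre-cutover certificate without applying the cap to it, and reports the expired one. Wiring the same checks into the pipeline (failing a signing job on any finding, and opening the renewal workflow on renew_now) is what moves renewal off the human calendar.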
What's in the full article
Keyfactor's full blog covers the operational detail this post intentionally leaves for the source:
- The article's walkthrough of the CA/B Forum timeline and the specific certificate lifetime changes affecting code signing.
- Keyfactor's discussion of its Signum workflow for centralizing signing policies, permissions, and audit logs.
- The vendor's explanation of how hardware-backed signing keys are stored in a FIPS-certified HSM.
- The operational view of granular access windows for signing devices and tools in development pipelines.
👉 Read Keyfactor's analysis of shorter code signing certificate lifespans →
Code signing certificate lifespans are shrinking again, now what?
Explore further
Shorter code signing lifespans turn certificate governance into an NHI control problem. A code signing certificate is not a static compliance artefact. It is a non-human identity that authorizes software release activity, and shorter validity periods expose whether ownership, renewal, and revocation are actually governed. Programmes that still treat signing certificates as occasional admin work will lose control of them as lifecycles compress. The practitioner conclusion is that certificate governance now belongs in the same operating model as other high-value NHI credentials.
A few things that frame the scale:
- 69% of organisations now have more machine identities than human ones, according to The Critical Gaps in Machine Identity Management report.
- A separate finding shows that 57% of organisations lack a complete inventory of their machine identities, which is why lifecycle visibility remains a recurring failure point.
A question worth separating out:
Q: Should organisations prioritise hardware-backed key storage before shortening renewal cycles?
A: Yes. Shorter lifetimes reduce exposure, but they do not reduce the damage from weak key custody. If signing keys still live on endpoints or in loosely controlled infrastructure, lifecycle changes only make a bad pattern fail faster. Key protection should come before optimisation of renewal cadence.
👉 Read our full editorial: Shorter code signing certificate lifespans raise NHI governance risk