When are TLS certificates renewed, and how often after expiration?


When are TLS certificates renewed, and how often after expiration? | CertObserver

When are TLS server certificates renewed, and how often does renewal happen only after expiration?

We have looked at Certificate Transparency data to try to find out.

Our final cohort included 316,576,332 publicly trusted TLS certificates that expired in May 2026. Of those, 3,875,280 certificates (1.2%) had a matching renewal issued in the first five days after expiration.

This post explains how we measured renewal timing and what we found, and it includes an interactive renewal timing chart.

Certificate Transparency data

Certificate Transparency (CT) is a public logging system for publicly trusted TLS certificates. It makes certificate issuance visible, so domain owners, security researchers, and others can monitor which certificates have been issued by publicly trusted certificate authorities (CAs).

CT was developed after a series of CA failures, including the 2011 DigiNotar compromise, in which attackers were able to issue hundreds of unauthorized certificates.

Major browsers now require publicly trusted TLS server certificates to be accompanied by proof that the certificate has been submitted to multiple recognized CT logs. This proof comes in the form of Signed Certificate Timestamps (SCTs). SCTs can be delivered in several ways, but they are most often embedded directly in the certificate by the issuing CA.

Data from CT logs is what makes it possible for us to do this analysis. Note, however, that the data only tells us that certificates were issued, not whether they were deployed.

How we measured renewal timing

We used data from Chrome-recognized Certificate Transparency (CT) logs.

We grouped certificates by their exact Subject Alternative Name (SAN) list. A later certificate with the same SAN list was treated as a renewal candidate only if it expired after the earlier certificate. Note that if a replacement certificate adds a SAN name, for example, then the expiring certificate will be counted as not having been renewed.

We primarily used the earliest CT log timestamp as the issuance time, since notBefore is allowed to be backdated by up to 48 hours.

For each certificate in the final May 2026 cohort, we looked for the earliest matching renewal issued after the original certificate was issued and no later than five days after the original certificate expired.

See the Methodology section for the full filtering and matching rules.
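The matching rule described in this section, sketched as an added example (not CertObserver's code). The `Cert` fields, the constructed sample certificates and the treatment of the SAN list as an unordered set are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

LOOKAHEAD = timedelta(days=5)  # renewals counted up to five days after expiry

@dataclass(frozen=True)
class Cert:
    cert_id: str             # constructed label, not a real serial or hash
    sans: frozenset          # SAN list compared as an exact set (assumption)
    first_logged: datetime   # earliest CT log timestamp, used as issuance time
    not_after: datetime

def match_renewals(cohort, all_certs):
    """Map cert_id -> (renewal_id, issuance offset from expiry), or None."""
    by_sans = defaultdict(list)
    for c in all_certs:
        by_sans[c.sans].append(c)
    out = {}
    for old in cohort:
        candidates = [
            c for c in by_sans[old.sans]
            if c.not_after > old.not_after                    # must expire later
            and c.first_logged > old.first_logged             # issued after the original
            and c.first_logged <= old.not_after + LOOKAHEAD   # inside the window
        ]
        new = min(candidates, key=lambda c: c.first_logged, default=None)
        out[old.cert_id] = None if new is None else (
            new.cert_id, new.first_logged - old.not_after)    # negative = before expiry
    return out

def d(month, day, year=2026):
    return datetime(year, month, day, tzinfo=timezone.utc)

def cert(cert_id, names, logged, expires):
    return Cert(cert_id, frozenset(names), logged, expires)

# Constructed sample data (not real CT entries).
CERTS = [
    cert("a1", ["example.test", "www.example.test"], d(2, 10), d(5, 11)),
    cert("a2", ["www.example.test", "example.test"], d(4, 11), d(7, 10)),  # on time
    cert("b1", ["shop.example.test"], d(5, 20, 2025), d(5, 20)),
    cert("b2", ["shop.example.test"], d(5, 22), d(5, 22, 2027)),   # 2 days late
    cert("c1", ["api.example.test"], d(2, 15), d(5, 16)),
    cert("c2", ["api.example.test", "v2.api.example.test"], d(4, 16), d(7, 15)),
    cert("d1", ["old.example.test"], d(2, 4), d(5, 5)),
    cert("d2", ["old.example.test"], d(5, 12), d(8, 10)),          # 7 days late
]
COHORT = [c for c in CERTS if (c.not_after.year, c.not_after.month) == (2026, 5)]
RESULT = match_renewals(COHORT, CERTS)
```

In `RESULT`, `c1` has no match because its replacement added a SAN, and `d1` has none because its replacement was logged outside the five-day window; both would be counted as not renewed.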

Findings

3.8 million matching renewals were issued after expiration

Our final cohort contained 316,576,332 certificates that expired in May 2026. Of those, 3,875,280 certificates (1.2%) had a matching renewal issued in the first five days after expiration. Another 5,533,764 certificates (1.7%) had a matching renewal issued in the final three days before expiration.

The most common renewal time was about one month before expiration.

We did not identify a matching renewal within the five-day lookahead window for 87,646,879 certificates (27.7%). Many of these may have been renewed with a changed SAN list.

Renewals after expiration were more common for longer-lived certificates

Shorter-lived certificates are likely renewed automatically more often than longer-lived certificates, which should reduce the risk of late renewals.

That matches the data. Certificates valid for 360–398 days and 101–200 days were renewed after expiration much more often than certificates valid for 90–100 days.

0–7 days is the main exception. However, its high late-renewal rate is almost entirely due to one-day certificates issued by GlobalSign nv-sa for a single security product.

Renewals after expiration for most common validity periods

Validity period | Renewed after expiration | Notes
360–398 days | 6.0% (1,714,153) |
101–200 days | 6.0% (766,110) |
0–7 days | 3.7% (218,447) | The high late-renewal rate is almost entirely due to one-day certificates issued by GlobalSign nv-sa for a single security product.
90–100 days | 0.4% (1,172,851) |

90-day certificates were by far the most common

Most certificates in the cohort were valid for 90–100 days, with 90-day certificates making up most of that group.

Most common validity periods

Validity period | Share of cohort | Notes
90–100 days | 84.6% | Mostly 90-day certificates
360–398 days | 9.0% |
101–200 days | 4.0% |
0–7 days | 1.9% |
Other | 0.5% |

Related: Max TLS server cert validity drops to 47 days by 2029

Let's Encrypt issued over half of the cohort

The table below shows the largest issuers in the final cohort.<br>We use the issuer organization names as recorded in the certificates, without normalization.

Top issuer organizations

Issuer | Share of cohort | Most common validity periods
Let's Encrypt | 52.6% | 90–100 days: 99.8%
Google Trust Services | 16.9% | 90–100 days: 98.5%
GoDaddy.com, Inc. | 7.8% | 360–398 days: 54.1%, 101–200 days: 23.6%
ZeroSSL | 7.4% | 90–100 days: >99.9%
Sectigo Limited | 4.3% | 90–100 days: 93.9%
DigiCert Inc | 3.9% | 360–398 days: 56.9%, 90–100 days:...
