Have you updated your code signing certificates yet?
The trend of shrinking certificate lifecycles isn’t just for SSL/TLS certificates anymore. The CA/B Forum’s mandate for shorter lifetimes is spreading across certificate types, and it’s code signing’s turn.
The CA/B Forum’s Big Push Toward Shorter Lifetimes
The CA/Browser (CA/B) Forum has been steadily dialing back the validity period for certificates. Historically, certificate lifespans have progressively decreased and that trend is only accelerating.
In April 2025, the CA/B Forum passed a ballot to reduce the maximum validity of SSL/TLS certificates to just 47 days by 2029, seeking to enhance online security, drive automation in certificate management, and prepare systems for quantum computing challenges.
The reasoning is clear. When a certificate’s private key is compromised, the blast radius is directly tied to how long that certificate remains valid. With 47-day certificates, that exposure window shrinks dramatically.
Code Signing Certificates: A Specific and Urgent Challenge
Starting March 1, 2026, publicly trusted code signing certificates are limited to a maximum validity of 460 days (roughly 15 months), down from the previous 39-month maximum.
That might sound like plenty of time, but for many development teams, the impact is immediate and significant. What was once a multi-year “set it and forget it” workflow is now an annual obligation that must be deliberately managed.
The challenges compound quickly: developers often store signing keys in insecure locations — on workstations, build servers, or hardware tokens that can be lost. Approval workflows are inconsistent. Visibility into which certificates exist across an organization, when they expire, and who owns them is frequently nonexistent. And, as renewal cycles shorten, these gaps become increasingly dangerous.
There’s also a build pipeline concern. A signing certificate expiring mid-release cycle isn’t just an inconvenience — it can halt software delivery entirely, delay patches, and erode trust with end users whose operating systems flag unsigned or improperly signed software.
And this is just the first reduction. If TLS lifetimes are any indication, code signing certificates will face further restrictions in the years to come.
What Organizations Should Do Now
The shortening of the validity period creates a perfect sense of urgency for organizations to sure up their code signing processes. Even if you’ve already renewed your certificates, here are some practical steps to further increase your security and efficiency.
Take inventory first. You can’t manage what you can’t see. Audit every code signing certificate across all products, pipelines, and environments. You need to know who issued it, when it expires, and where the private key lives. This baseline visibility is the foundation of security for every certificate in your organization.
Move keys to hardware. Private signing keys should never reside on file systems or developer workstations. Storing them in a hardware security module (HSM), whether on-premises or cloud-based, is both a security best practice and, increasingly, a compliance requirement.
Automate your signing workflows. Manual certificate renewal is error-prone, inefficient, and doesn’t scale. By automating certificate renewal, you can not only eliminate the risk of a missed renewal halting a release but also save your most precious resources: time and money.
Plan for future reductions. SSL/TLS certificate lifetimes have fallen from five years to one year to 200 days, with more reductions scheduled. Code signing certificates are now on the same path.
Now is the time to implement new, more resilient processes.
Securing Code Signing at Scale
This change is exactly the kind of challenge Keyfactor is built to solve.
Keyfactor Signum centralizes management of code signing certificates, policies, and permissions in a single dashboard, and simplifies audits with a complete event log of usage and access to code signing private keys. Private keys are generated and stored in a FIPS 140-2 certified HSM, so they never leave the secure enclave. Simultaneously, developers retain the ability to sign code from wherever they work, using native tools they already know.
Granular access controls govern who can sign, which devices and tools are authorized, and during what time windows. This makes it straightforward to enforce security policies without creating bottlenecks in the development process, all with a full audit trail.
When the CA/B Forum shortens lifetimes again (and it will), organizations running on Keyfactor won’t be scrambling to adapt.
