Forum Discussion

Zohaib_Yousuf's avatar
Jul 07, 2026

Impact of Reduced DigiCert SSL Certificate Validity on Exchange Hybrid Environment

DigiCert is reducing certificate validity periods because of new industry requirements approved by the CA/Browser Forum. This is not a DigiCert-only decision all public Certificate Authorities must follow these limits.

DigiCert is making this change to align with the CA/Browser Forum’s Ballot SC081v3: Introduce Schedule of Reducing Validity and Data Reuse Periods. This ballot sets a timeline for all Certificate Authorities (CAs) to reduce TLS certificate validity from 398 days to 200 days in 2026, 100 days in 2027, and 47 days in 2029.

Impact on Microsoft Exchange Hybrid

 

For environments like Hybrid (Exchange Server SE Hybrid with Edge servers):

  • You'll need to renew your public SSL certificate more frequently.
  • Manual renewal processes will become increasingly difficult.
  • Consider implementing certificate lifecycle automation where supported.
  • Existing certificates remain valid until they expire; the new limits apply to newly issued or renewed certificates.

 

In Hybrid environment (Exchange Server SE, Exchange Hybrid, multiple Mailbox servers, Edge servers, and DigiCert public SSL certificates):

 

  • No need to rerun the Hybrid Configuration Wizard (HCW) solely because you renewed the SSL certificate, provided the renewed certificate uses the same subject name/SANs and is assigned to the required Exchange services.
  • The primary impact is operational: you'll need a robust and preferably automated certificate renewal and deployment process across your Mailbox servers, Edge servers, and any load balancers to keep pace with the shorter certificate validity periods.

1 Reply

  • Hi, good question. For Exchange hybrid, the shorter public certificate lifetime mostly changes your renewal planning, not the basic hybrid design.

     

    The main things I would watch are:

     

    1. The certificate bound to IIS on the Exchange hybrid server.

    2. The certificate used by the Hybrid Configuration Wizard / send and receive connectors.

    3. Any reverse proxy, load balancer, or application gateway certificate in front of Exchange.

    4. Any monitoring that still assumes a one-year renewal cycle.

     

    I would make renewal automation and alerting the priority here. If the certificate is replaced cleanly and the same names are covered, hybrid mail flow should not care that the public cert lifetime is shorter.