Skip to main content
Question

SSL Certificate Validity Changes (2026–2029) – How Will Docebo Handle This?

  • March 10, 2026
  • 2 replies
  • 127 views
M

The CA/Browser Forum has approved a phased reduction in SSL/TLS certificate validity periods:

• Mar 2026 – 200 days
• Mar 2027 – 100 days
• Mar 2029 – 47 days

For customers using custom domains on Docebo, SSL certificates currently need to be uploaded and managed manually (certificate, private key, intermediate chain).

Many enterprise clients are using OV certificates from providers such as DigiCert, Sectigo and GlobalSign. With these upcoming changes, certificates eventually need to be replaced every 47 days by 2029.

This raises a concern for many admins managing multiple LMS platforms:

Manual certificate rotation at that frequency will become operationally challenging and may introduce risk of service disruption if certificates expire.

A few questions for the Docebo team and community:

• Is Docebo planning to introduce automated SSL lifecycle management?
• Will there be support for automated certificate provisioning (e.g. ACME)?
• Is platform-managed SSL for custom domains on the roadmap?

It would be helpful to understand how Docebo plans to support customers as the industry moves toward much shorter certificate lifetimes.

Would also be interested to hear how other Docebo admins are planning to handle this change.

__

Zairil

    2 replies

    M
    Helper III
    Forum|alt.badge.img+4
    • mzirnhelt
    • Helper III
    • March 10, 2026

    I know that Docebo says that their managed SSL certificates are supposed to be an interim solution, but I’ve had IT-challenged companies use them them for long periods of time.  I don’t think it would probably take much to update it in a way that it’s “officially” a long-term option.

    guido.pili
    Docebian
    • guido.pili
    • Docebian
    • April 2, 2026

    Thanks for raising this – the upcoming CA Forum changes are definitely important to plan for.


    From a Docebo platform perspective, nothing changes for the standard *.docebosaas.com domains. Those TLS certificates are fully managed by Docebo and will continue to be rotated automatically in line with the new maximum validity periods, so there’s no additional action required on your side for those domains.


    For custom domains, there are two main scenarios:

    1. Platform-managed certificates (Domain Validated): The platform already supports managed TLS certificates for custom domains using Let’s Encrypt. In this model, certificate issuance and renewal (including handling of shorter validity windows) are fully automated by the platform.
    2. Customer-managed OV/EV certificates: Today, if you require OV/EV certificates from providers such as DigiCert, Sectigo or GlobalSign, those still need to be uploaded and renewed manually in Docebo. Introducing fully automated lifecycle management for OV/EV is significantly more complex because these certificate issuance and organizational validation are controlled by the customer and their Certificate Authority of choice. While deployment and expiry monitoring can be automated, renewal requires external actions that are outside the platform’s control.

    In practice, if your policies allow DV, moving to the platform-managed TLS option is the best way to insulate yourself from the operational impact of these upcoming validity changes. If you must stay on OV/EV, we’d recommend planning for more frequent rotations on your side; we’re aware of the burden this creates and are actively discussing how we can better support that use case going forward.

    Terms & ConditionsCookie settingsAccessibility statement