Understanding the Certificate Lifespan Policies

The CA/BF has implemented a phased approach to shortening the maximum allowed certificate lifespan, which will affect how often certificates need to be rotated. The new policies are as follows: the maximum lifespan is 398 days until March 15, 2026, then 200 days as of March 15, 2026, 100 days as of March 15, 2027, and finally 47 days as of March 15, 2029.

For more information on the security keys policy and rotation, refer to the Salesforce help article.

Challenges with Custom Email Link Certificates

Teams running Email Studio may find it odd that clients have to manage their own certificate for custom email links, especially since similar functionality in MCE or send domains do not require this. Additionally, the frequent rotation of certificates will pose a challenge for many businesses.

The root cause of the issue is the new certificate lifespan policies, which require more frequent rotation of certificates, making it challenging for businesses to manage their custom email links.

Some businesses may also be advised against using the default cdn domain, as it may not be the same as the root domain of the destination URL, which can lead to link clickthrough issues when connected to a network.

Managing Custom Email Link Certificates

To manage custom email link certificates effectively, it is essential to understand the new certificate lifespan policies and plan accordingly. This may involve rotating certificates more frequently and ensuring that the correct certificates are used for custom email links.

certificate_rotation.js

// Sample code for rotating certificates// This is a basic example and may need to be modified to fit your specific use case

Heads up: Make sure to test your custom email links after rotating certificates to ensure they are working correctly.

Best Practices for Custom Email Link Certificates

Checklist for Managing Custom Email Link Certificates

• Understand the new certificate lifespan policies and plan accordingly
• Rotate certificates frequently to avoid expiration
• Use the correct certificates for custom email links
• Test custom email links after rotating certificates
• Consider using a certificate management tool to simplify the process
• Ensure that the default cdn domain is not used, as it may cause link clickthrough issues

What is the maximum lifespan of a certificate as of March 15, 2026?

The maximum lifespan of a certificate as of March 15, 2026, is 200 days.

Why do clients need to manage their own certificate for custom email links?

The reason for this requirement is due to the security policies in place for custom email links, which require a unique certificate for each client.

Can I use the default cdn domain for custom email links?

It is not recommended to use the default cdn domain, as it may cause link clickthrough issues when connected to a network.

How often should I rotate my certificates?

The frequency of certificate rotation depends on the certificate lifespan policies in place, but it is recommended to rotate certificates frequently to avoid expiration.