We include risks in Hexiosec ASM, which help you identify certificates with a validity period longer than the current recommendation.

As of 15th March 2026, the industry standard for web browsers is to enforce a validity period of 200 days for TLS certificates. If certificates fail the validity period check, it means that someone browsing to a web site using this certificate would be presented with a security warning.

The CA/Browser forum have agreed a plan to reduce the maximum lifespan of certificates in steps. The aim of this is to improve online security by encouraging more frequent certificate renewals:

From 15 March 2027, the maximum is 100 days.

From 15 March 2029, the maximum is 47 days.

To help you prepare, Hexiosec ASM raises a medium severity risk if a certificate is identified with a validity period of over 200 days. New risks will be added over time as the maximum lifetime is reduced.

This makes it is easy to identify these certificates and take action to reduce their validity period. The best approach for this is to use an automated certificate lifecycle management tool, which automatically creates and deploys new certificates on a regular basis.

EPSS Scoring of Risks

TLS Certificate Risks

EPSS

Backport Resolvable Risks

Hexiosec ASM

Hexiosec ASM (Public)

Organisation and Group Roles

Using Groups

MFA and session expiry

Password Policy

Changing email address

Changing ownership

User and Group Management

Scan Types

Scan Allowances

Seeds and IPs

Scan Limiting

Deleting Scans

Scan Notifications

Managing Scans

Report Terminology

Scan Reports

Health Scores

Managing Actions

Risk Severity Ratings

SPF Hard Fail risks

Managing Risks

Managing Domains and IPs

Graph view

Managing CDNs and Shared IPs

Cloud Asset Discovery

Exporting Scan Results from the ASM API

Link Changes Endpoint

Creating a scan using the API

Paginating the API Requests

Managing API Keys

Using the Public API

Hexiosec ASM mobile

Upgrade Recommendations

Contacting Support

Hexiosec ASM User Guides

What is the 'Update pending' notification?

I've accepted an invite, why can't I see anything?

What version is Hexiosec ASM?

Which SSO protocols does ASM support?

Which domains need security.txt files?

Why is my IP's geographic location not showing, or incorrect?

What are primary and secondary assets?

What is a Stale domain?

Does ASM validate the DKIM public key?

Why do I have a risk against client-side React?

I don't think this vulnerability applies to me?

I've fixed a risk, why has it not been resolved?

Will Hexiosec ASM find Malware?

Will the latest CVE be found?

Can I run scans without permission?

Why are secondary assets included in my IP/domain count?

Frequently Asked Questions

MSP Specific Guidance