Public Sector TLS Trends, Week of 2026-05-17
Bill Church
May 18, 2026
Three civilian agency sites that had been carrying long-validity grandfathered leaves rotated this week to fresh DigiCert leaves at 198-day validity. They are the first wave of federal civilian sites in the dataset to step off the pre-SC-081v3 long-validity cohort and land cleanly under the 200-day cap. The validity-over-200-days bucket moved by 3, the largest single-week drop since Issue 0.
Headline numbers
| Metric | Prior week | This week | Delta |
|---|---|---|---|
| Reachable hosts | 104 | 104 | +0 |
| OCSP URL present | 65 | 66 | +1 |
| CRL URL present | 101 | 101 | +0 |
| Let's Encrypt leaves | 35 | 34 | -1 |
| Validity > 200 days | 42 | 39 | -3 |
| Validity <= 100 days | 50 | 50 | +0 |
The validity-window shift is the load-bearing change this week. Three legacy 364- and 378-day DigiCert leaves were replaced with 198-day DigiCert leaves from the same issuer family; no rotation moved in the other direction. OCSP URL coverage ticked up by 1 as a civilian legislative site migrated off Let's Encrypt and onto Google Trust Services, picking up an AIA OCSP URL with the new issuer. The Let's Encrypt share shrank by 1 for the same reason. Comparison window: 2026-05-11 to 2026-05-17. The Issue 0 trendline of OCSP attrition still holds across the four-week window, but this is the first weekly capture in which OCSP coverage did not move down.
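The headline buckets above are derived from per-leaf fields (validity window, AIA OCSP URL, CRL distribution point, issuer organization). The following Go program is an added illustration of how such a capture is reduced to those buckets; it is not the newsletter's own tooling (the methodology lives in Issue 0). It assumes the table's "OCSP URL present" and "CRL URL present" columns mean a non-empty AIA OCSP entry and a non-empty CRL distribution point respectively, and that "validity" is NotAfter minus NotBefore in days. Instead of live captures it builds four self-signed leaves with constructed issuer names and placeholder URLs, using only the standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math"
	"math/big"
	"time"
)

// validityCapDays is the 200-day cap the headline table measures against.
const validityCapDays = 200

// Posture is the per-leaf record the headline table is built from.
type Posture struct {
	IssuerOrg    string
	ValidityDays int
	HasOCSPURL   bool // AIA OCSP URL present on the leaf
	HasCRLURL    bool // CRL distribution point present on the leaf
}

// Summary holds the bucket counts reported in the headline table.
type Summary struct {
	Hosts, OCSPURLPresent, CRLURLPresent, Over200, AtMost100 int
	ByIssuer                                                 map[string]int
}

// ExtractPosture reads the table fields off a parsed leaf.
func ExtractPosture(cert *x509.Certificate) Posture {
	org := ""
	if len(cert.Issuer.Organization) > 0 {
		org = cert.Issuer.Organization[0]
	}
	return Posture{
		IssuerOrg:    org,
		ValidityDays: int(math.Round(cert.NotAfter.Sub(cert.NotBefore).Hours() / 24)),
		HasOCSPURL:   len(cert.OCSPServer) > 0,
		HasCRLURL:    len(cert.CRLDistributionPoints) > 0,
	}
}

// ExceedsCap reports whether a leaf's validity window is longer than the cap.
func ExceedsCap(p Posture) bool { return p.ValidityDays > validityCapDays }

func btoi(b bool) int {
	if b {
		return 1
	}
	return 0
}

// Summarize folds one weekly capture of leaves into the headline buckets.
func Summarize(certs []*x509.Certificate) Summary {
	s := Summary{ByIssuer: map[string]int{}}
	for _, c := range certs {
		p := ExtractPosture(c)
		s.Hosts++
		s.ByIssuer[p.IssuerOrg]++
		s.OCSPURLPresent += btoi(p.HasOCSPURL)
		s.CRLURLPresent += btoi(p.HasCRLURL)
		s.Over200 += btoi(ExceedsCap(p))
		s.AtMost100 += btoi(p.ValidityDays <= 100)
	}
	return s
}

// makeLeaf builds a self-signed leaf with the requested validity window and
// revocation pointers (constructed test data). The issuer organization goes in
// the subject because a self-signed cert copies its subject into its issuer.
func makeLeaf(issuerOrg string, days int, ocsp, crl []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	notBefore := time.Date(2026, 5, 17, 0, 0, 0, 0, time.UTC)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{issuerOrg}},
		NotBefore:             notBefore,
		NotAfter:              notBefore.AddDate(0, 0, days),
		OCSPServer:            ocsp,
		CRLDistributionPoints: crl,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// SampleDataset is a constructed four-leaf capture: a legacy 364-day leaf, a
// 198-day renewal, a CRL-only 90-day leaf, and a 90-day leaf with both pointers.
func SampleDataset() ([]*x509.Certificate, error) {
	ocsp := []string{"http://ocsp.example"} // placeholder URL
	crl := []string{"http://crl.example/leaf.crl"}
	specs := []struct {
		org  string
		days int
		ocsp []string
	}{
		{"DigiCert Inc", 364, ocsp},
		{"DigiCert Inc", 198, ocsp},
		{"Let's Encrypt", 90, nil},
		{"Google Trust Services", 90, ocsp},
	}
	var certs []*x509.Certificate
	for _, sp := range specs {
		c, err := makeLeaf(sp.org, sp.days, sp.ocsp, crl)
		if err != nil {
			return nil, err
		}
		certs = append(certs, c)
	}
	return certs, nil
}

func main() {
	certs, err := SampleDataset()
	if err != nil {
		panic(err)
	}
	s := Summarize(certs)
	fmt.Printf("hosts=%d ocsp=%d crl=%d >200d=%d <=100d=%d issuers=%v\n",
		s.Hosts, s.OCSPURLPresent, s.CRLURLPresent, s.Over200, s.AtMost100, s.ByIssuer)
}
```

On a real capture, replace `SampleDataset` with the parsed leaf from each host's TLS handshake; the bucket logic is the same, and diffing two weekly `Summary` values gives the delta column directly.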
What rotated this week
Seven leaves rotated in the seven days between captures.
- Three civilian agency sites rotated from 364-day or 378-day DigiCert leaves to 198-day DigiCert leaves. Same issuer family, identical OCSP and CRL posture across the rotation, validity window cut to roughly half. Each was within four weeks of natural expiry, so the rotation was forced; the choice operators made was to renew at the SC-081v3-compliant 198 days rather than at the legacy 364-day default.
- One civilian legislative site migrated from Let's Encrypt onto Google Trust Services. Validity moved from 89 days to 90 days, key and chain length were unchanged, and an AIA OCSP URL appeared on the new leaf. This rotation alone is what nudged the OCSP URL counter slightly positive rather than flat-to-negative this week.
- One .mil site rotated within the Let's Encrypt issuer family. No posture change. Expiry shifted out by about ten weeks.
- One DIB prime rotated within the GlobalSign DV issuer family at 89 days. OCSP and CRL posture unchanged across the rotation.
- Fastly rotated its corporate leaf within the 29-day Certainly profile, consistent with prior weeks. Fastly remains the only host in the dataset rotating at that cadence.
The remaining 103 hosts held their existing certs.
Tailwind Assessment: Three civilian renewals landing cleanly at 198 days is the first weekly capture showing the SC-081v3 calendar producing visible operator-side behavior change rather than only CA-side policy. Operators with renewals due before the end of June should plan for the 198-day target now; the compliant issuance profile is already available from every major CA in the dataset, and the cost of holding to 364-day defaults grows every month.
Expirations and renewals
Two leaves in the dataset expire inside the next 14 days. One is a DIB prime corporate site on a 364-day DigiCert leaf expiring 2026-05-19. It is one of the longest-running grandfathered leaves still in the dataset, and its renewal will be one of the cleanest signals of whether the SC-081v3 cap is propagating into the DIB cohort the way it visibly has into the civilian cohort this week. The second is a Fastly-fronted DIB site on a 30-day Certainly leaf; that one will refresh routinely.
The cluster of 11 .mil hosts sharing a 2026-06-03 expiration is now 17 days out, just past the two-week horizon. None have rotated. A synchronous rotation in the next refresh window strengthens the single-CDN-tenant batch-issuance framing from the OCSP deep-dive. A staggered rotation softens it.
A small number of long-validity Entrust leaves at civilian cabinet-tier sites remain unrotated since before March 15, 2026. They are the longest-duration grandfathered certs left in the dataset. Their next renewal is the bellwether for whether the Entrust root-program situation pushes those operators off Entrust before natural expiry, or whether they renew in place and ride the cert until the new validity window forces another decision.
What to watch next week
- The DIB prime corporate leaf expiring 2026-05-19. A 198-day renewal extends this week's civilian pattern into the DIB cohort. A 364-day renewal would say the DIB still sees the legacy default as acceptable.
- The 11 .mil hosts sharing the 2026-06-03 expiration. A batch rotation strengthens the OCSP deep-dive framing; a staggered one softens it.
- Any second public CA in the dataset following Let's Encrypt and dropping OCSP URLs from its default issuance profile. None has yet.
Methodology in Issue 0.