SSL/TLS certificate lifespans are getting shorter. After years of Google advocating for shorter lifespans such as 90 days, and Apple setting a 398-day limit in Safari, the industry believed things had settled. Then Google suggested 90-day certificates through their “Moving Forward Together” program. In October 2024, Apple surprised everyone with a GitHub ballot proposing 45-day certificates. The responses were mixed, but the final 47-day certificate ballot passed the CA/B Forum in April 2025 and became official on May 11. By 2029, TLS certificates will last only 47 days, down from over a year today.
How it affects the industry
The change to 47-day certificate lifespans brings major operational challenges that will change how organizations handle their digital infrastructure. Manual processes that used to work well with yearly renewals could now lead to widespread outages. IT teams struggle to keep up with certificates expiring every six to seven weeks. The complexity of integration grows when organizations need to coordinate certificate renewals across many systems and services in such short timeframes. Legacy systems that weren’t built for regular certificate updates cannot keep up with this new reality.
For organizations, automation is now essential because manual certificate management is not only inefficient but also risky. Hence, companies need to invest significantly in automated certificate lifecycle management tools and improve their monitoring infrastructure to ensure that no certificates go unnoticed. The financial impact is significant. Organizations need to quickly invest in new certificate management systems. Certificate authorities must also expand their infrastructure to manage nearly eight times the current issuance volume. Organizations with strong automation practices will gain important advantages. Meanwhile, those that are slow to change may lose customers because of reliability problems.
The Key Solution: Automation
As certificate lifespans shrink to 47 days or even less, managing them manually becomes impractical and risky. Automation is now critical for maintaining security, uptime, and scalability in modern digital infrastructure. Here is how automation will play a significant role in adapting to the change:
Automated systems remove the main risk by renewing certificates well before they expire. This prevents unexpected outages from missed deadlines that could cripple business operations. This proactive method eliminates human error and ensures continuous service availability.
Continuous monitoring capabilities provide real-time tracking of certificate status and health across the entire infrastructure. Teams receive instant alerts when issues arise instead of finding problems after they happen. This enables a quick response to possible security threats.
The benefits of deployment are just as strong. Automation allows for the immediate rollout of new certificates to all relevant endpoints. This removes the manual errors found in traditional certificate management and reduces downtime during certificate updates.
Policy enforcement becomes smooth with automated systems that consistently apply organizational standards and regulatory requirements. This removes the inconsistencies from manual processes and ensures compliance for all certificate deployments.
Automating your PKI infrastructure
End-to-end automation of your PKI infrastructure needs careful thought and planning to achieve smooth implementation without hurting security or operations. Although the transition involves many complex factors, there are key steps that offer a simple base for any organization wanting to update their certificate lifecycle management. These basic steps can be modified and further extended to meet your specific infrastructure needs and security requirements; by taking a structured approach, organizations can set up reliable automated processes that manage the upcoming 47-day certificate challenge while building a strong foundation for future PKI needs.
- Use certificate discovery tools to fetch all certificates existing in the infrastructure.
Deploy discovery tools that can scan your entire network infrastructure, including web servers, load balancers, APIs, and databases, to find all existing certificates. These tools should produce detailed inventory reports that show certificate locations, expiration dates, and issuing authorities. They should also identify any shadow IT certificates that may have been deployed without proper oversight. -
Use Certificate Lifecycle Management solutions to centralize issuance, renewal and revocation.
Implement a centralized CLM platform that acts as the single source of truth for all certificate operations in your organization. This solution should connect with multiple Certificate Authorities, support different certificate types, and offer role-based access controls. It should also keep detailed audit trails for compliance needs. - Set up renewal agents to handle CSR generation, submission to CAs, and automatic renewal for the required endpoints.
Configure intelligent renewal agents that can automatically create Certificate Signing Requests with the right key strengths. They should submit these requests to the correct Certificate Authorities and manage the entire renewal process without human help. -
Use deployment automation tools or renewal agents to push renewed certificates to endpoints and reload dependent services automatically.
Establish automated deployment pipelines that can securely distribute renewed certificates to all relevant endpoints, including web servers, load balancers, and container platforms. The system should automatically handle service restarts and implement rollback options in case of deployment failures to ensure continuous service availability. -
Implement monitoring systems to track certificate health, issue timely alerts for expiring or misconfigured certificates, and maintain audit logs for compliance.
Deploy monitoring solutions that continuously check certificate chain integrity, verify revocation status, and monitor SSL/TLS configuration health at all endpoints. The system should offer customizable alerting thresholds for different certificate types and keep detailed logs for regulatory compliance and security review. -
Use policy enforcement to ensure certificates meet cryptographic standards and apply access controls.
Establish automated policy enforcement to check all certificates against your security standards. This includes minimum key lengths, approved Certificate Authorities, and necessary cryptographic algorithms. The system should automatically reject certificates that do not meet these standards and offer role-based access controls to manage certificate operations.
How can Encryption Consulting help?
CertSecure Manager by Encryption Consulting provides automated certificate renewal for multiple endpoints, including IIS web servers, Apache web servers, F5 load balancers, and many more. CertSecure Manager’s renewal agents fully automate certificate renewal, revocation, and deployment for all of your SSL/TLS endpoints. This automation reduces manual work, prevents configuration errors, and ensures secure certificate deployment across your infrastructure, helping you stay compliant and avoid downtime caused by expired certificates during short renewal cycles.
Beyond certificate lifecycle automation, Encryption Consulting also provides PKI-as-a-Service (PKIaaS) and expert PKI consulting to build, manage, and optimize secure, scalable PKI environments tailored to your needs: on-prem, hybrid, or cloud.
Conclusion
The move to 47-day SSL/TLS certificate lifespans by 2029 represents a key change in managing digital infrastructure. Organizations can no longer rely on manual processes; automation is now vital for survival in this new environment. Although the operational and financial challenges are considerable, early adopters of complete PKI automation will achieve significant competitive advantages.
The message is clear: change now or face widespread outages and security risks. Companies that use automation today will create stronger, more secure systems. Those that wait will have reliability problems and will lose customer trust. The 47-day certificate era is not just a compliance issue; it’s a chance to modernize and prepare your digital operations for the future.
