Certificate management is the practice of discovering, issuing, renewing, monitoring, and revoking the digital certificates that secure an organization’s systems and communications. Strong certificate management rests on three capabilities: continuous discovery for visibility, governance for control, and automation for scale. With publicly trusted TLS certificate lifetimes now capped at 200 days in 2026 and heading toward 47 days by 2029, these capabilities have moved from good practice to operational necessity.
Certificate management has moved from a routine administrative task to a core cybersecurity function. As organizations expand cloud footprints, adopt DevOps practices, and connect more services, the number of digital certificates deployed across the enterprise continues to grow apace. At the same time, shrinking certificate validity periods are forcing organizations to rethink how digital trust is managed and maintained.
One of the most significant changes in recent years is the CA/Browser Forum‘s decision to reduce the maximum validity period for publicly trusted TLS certificates. Since March 15, 2026, publicly trusted TLS certificates have been issued for a maximum of 200 days, down from 398 days. The ceiling drops again to 100 days on March 15, 2027, and to just 47 days on March 15, 2029. These changes reduce exposure to compromised keys and outdated cryptography, but they also increase operational frequency and complexity.
Organizations that still rely on spreadsheets, manual renewal reminders, and fragmented inventories will struggle to keep pace. Maintaining security, compliance, and operational resilience now requires a certificate management strategy built on three foundational pillars: discovery, governance, and automation.
This article walks through seven certificate management best practices that can help organizations adapt to shorter certificate lifetimes while improving visibility, compliance, and security. It also explains what the new CA/Browser Forum requirements do and do not apply to, helping teams plan proactively rather than responding to certificate-related disruptions after they occur.
How Short will TLS Certificates Get, and When
The schedule was set by Ballot SC-081v3, which the CA/Browser Forum approved on April 11, 2025. It defines a phased reduction in both the maximum validity of publicly trusted TLS certificates and the period for which domain control validation (DCV) data can be reused. The first phase is already in effect: since March 15, 2026, no publicly trusted certificate authority issues a TLS certificate valid for more than 200 days. Certificates issued before that date under the 398-day maximum remain valid for their original term; the 200-day ceiling applies only to certificates issued on or after 15 March 2026.
| Effective date | Maximum TLS certificate validity | Maximum DCV reuse period |
|---|---|---|
| Until March 14, 2026 | 398 days | 398 days |
| From March 15, 2026 | 200 days | 200 days |
| From March 15, 2027 | 100 days | 100 days |
| From March 15, 2029 | 47 days | 10 days |
Two details are particularly important for planning. First, certificate validity and DCV reuse are separate timelines. By 2029, a certificate will need to be replaced approximately every 47 days, while domain ownership must be revalidated roughly every ten days. Automating certificate renewal alone is therefore insufficient if domain validation still depends on manual processes. Second, some certificate authorities issue slightly below each ceiling to avoid edge cases at the second boundary, so renewal cadences should carry a comfortable buffer rather than sit at the limit.
One point is frequently misread. The schedule applies only to certificates intended to authenticate servers reachable on the public internet. Certificates issued from an organization’s own private PKI, used for internal services, device authentication, VPN, and similar cases, are not governed by these CA/Browser Forum rules. Internal certificates can still carry longer lifetimes where appropriate, although shorter private lifetimes remain a sound security practice. Understanding this boundary helps teams scope the work correctly and avoid either over-engineering or overlooking parts of the estate.
Seven Certificate Management Best Practices
1. Establish Continuous Certificate Discovery Across All Environments
The foundation of effective certificate management is visibility. An organization cannot secure or renew certificates it does not know exist. Inventories are often incomplete because modern infrastructure is dynamic, with certificates created, deployed, replaced, and retired across cloud platforms, containers, APIs, development environments, and third-party services.
Many teams still depend on periodic audits or manually maintained spreadsheets. These methods were still considered adequate when certificate estates were small and changed slowly. In cloud-native environments, where resources are provisioned automatically and short-lived workloads can exist for minutes, a spreadsheet is out of date the moment it is saved.
Continuous discovery gives an organization a live inventory of every certificate across its environment. Beyond locating certificates, discovery should capture expiration dates, issuing authorities, deployment locations, certificate types, ownership, and cryptographic details such as key size and signature algorithm. This metadata is what lets security teams identify risk, assign accountability, and prepare renewals well ahead of expiry.
As validity periods shrink, an accurate and continuously updated inventory becomes the difference between planned renewals and unplanned outages.
2. Implement Unified Governance Across the Certificate Lifecycle
Visibility alone does not guarantee control. Organizations also need governance policies that define how certificates are requested, approved, issued, renewed, and revoked.
Without centralized governance, certificate sprawl is almost inevitable. Different teams acquire and manage certificates independently, processes drift apart, and shadow PKI certificates emerge outside the view of security. Over time, ownership becomes unclear and policy enforcement fragments.
A mature governance framework sets consistent standards across every certificate operation. It defines who can request certificates, which approval workflows apply, how requests are validated, and which cryptographic requirements must be met before deployment. Governance should also incorporate role-based access controls tied to enterprise identity systems, so only authorized personnel can perform certificate-related actions.
A comprehensive audit trail is equally important. Every issuance, renewal, modification, and revocation should be logged automatically to support compliance and security investigations. Centralized governance reduces operational risk and keeps certificate practices aligned with security policy and regulatory obligations.
Encryption Consulting’s CertSecure Manager is built around the same three pillars this article describes. It performs network, cloud, and endpoint discovery to maintain a live inventory, enforces request and approval policy with role-based access and audit logging, and automates issuance, renewal, and provisioning across multiple certificate authorities using protocols such as ACME.
3. Automate Certificate Renewal and Lifecycle Operations
Shorter validity periods have changed the economics of certificate management. A task that was once annual will soon recur several times a year for every certificate.
For organizations managing hundreds or thousands of certificates, manual renewal does not scale. Even capable teams struggle to track expirations, coordinate renewals, obtain approvals, and deploy updated certificates on time. Consider a single web certificate that an administrator renews by hand: at an annual cadence it is a minor task, but at a six-week cadence it becomes a recurring source of error across the whole estate.
Automation is now a requirement rather than a convenience. Certificate lifecycle management platforms integrate directly with certificate authorities and support protocols such as ACME, allowing certificates to be requested, renewed, deployed, and rotated without manual intervention. Policy-driven workflows replace reminder emails and manual tickets.
The benefits extend beyond efficiency. Automation ensures certificates are replaced consistently and on schedule, reduces the chance of outages, and allows certificate operations to scale without proportional growth in headcount. As lifetimes fall toward 47 days, automation becomes the defining characteristic of a workable program, since manual renewal every few weeks is not sustainable at enterprise scale.
4. Solve the Domain Revalidation Problem, Not Just Renewal
Renewal automation addresses only half of the new reality. The shrinking DCV reuse period means domain ownership has to be proven far more often, reaching roughly every ten days by 2029.
This is where wildcard and multi-domain certificates create friction. Automated issuance with ACME validates control per domain, and wildcard certificates generally require DNS-based validation with programmatic access to the DNS provider. A multi-domain certificate also concentrates risk, since a single validation or revocation event can affect every name on the certificate. Teams that rely heavily on wildcard certificates to reduce certificate counts may find that choice works against automation as validation frequency rises.
The practical fix is to ensure domain validation is itself automated, typically through DNS integration or an ACME workflow that revalidates without human steps. Reserve wildcards for cases where they genuinely help, such as edge proxies, and prefer dedicated certificates where per-domain automation is cleaner.
Preparing these workflows now, while the cadence is still 200 days, avoids a scramble when the window narrows further.
5. Strengthen Monitoring and Risk-Based Prioritization
Strong discovery and automation still require continuous monitoring. Teams need real-time visibility into certificate health and risk exposure to catch problems before they reach production.
Monitoring should surface expiration status, deployment health, cryptographic strength, validation status, and ownership. Together these signals allow issues to be addressed before they affect critical services.
As estates grow, many organizations adopt a risk-based approach rather than treating every certificate equally. Remediation is prioritized by business impact, internet exposure, application criticality, and compliance relevance. A certificate protecting a customer-facing payment service warrants closer attention than an internal development certificate.
Monitoring strategy should also reflect shorter lifetimes. Thresholds calibrated for annual renewals will not provide enough response time when certificates expire every few months, so alerting needs to trigger earlier and route to clearly accountable owners.
6. Begin Preparing for Post-Quantum Cryptography
Alongside shorter lifetimes, organizations must prepare for a transformation that will reshape PKI: the move to post-quantum cryptography.
Advances in quantum computing threaten the public-key algorithms that underpin today’s PKI and digital certificates, including RSA and ECC. Large-scale quantum attacks are not yet practical, but the planning horizon is already taking shape. NIST’s draft transition roadmap, NIST IR 8547, which remains an Initial Public Draft following its November 2024 release, proposes that quantum-vulnerable algorithms such as RSA and ECDSA be deprecated after 2030 and disallowed after 2035.
These dates bind the federal systems within IR 8547’s scope, but the report has become the primary reference point industry uses to plan its own PQC migration. As defined in NIST SP 800-131A, deprecated means the algorithm may still be used, but its use carries some security risk that the data owner must assess and accept, while disallowed means it may no longer be used for the stated purpose.
Harvest-now-decrypt-later collection, where encrypted data is captured today for decryption once quantum hardware matures, makes the timeline relevant for long-lived data now rather than later.
Preparation starts with understanding cryptographic dependencies. Organizations should inventory the algorithms in use, identify business-critical systems that rely on them, and assess whether their certificate authorities, applications, and tools are ready to support the quantum-resistant standards NIST finalized on August 13, 2024:
- ML-KEM for key encapsulation, standardized from the CRYSTALS-Kyber submission (FIPS 203).
- ML-DSA for digital signatures, standardized from the CRYSTALS-Dilithium submission (FIPS 204).
- SLH-DSA, a stateless hash-based signature option standardized from the SPHINCS+ submission (FIPS 205).
These are final standards, unlike the IR 8547 transition timeline, which is still in draft. A cryptographic inventory is a prerequisite, since an algorithm that is not visible cannot be migrated.
The transition is expected to occur gradually through hybrid deployments that combine classical and quantum-resistant algorithms, which makes algorithm agility and large-scale testing essential. Organizations in regulated or national security contexts should also track NSA’s CNSA 2.0 guidance, which sets earlier adoption expectations for national security systems than the civilian IR 8547 timeline and specifies parameter sets such as ML-KEM-1024 and ML-DSA-87.
Under CNSA 2.0, new national security systems must support quantum-resistant algorithms from January 2027, with category-specific exclusive-use deadlines spanning 2030 to 2033 and full migration expected by 2035. The same disciplines that make short-lived certificates manageable, a complete inventory, automated deployment, and policy enforcement, are precisely the disciplines a PQC migration requires.
7. Integrate Certificate Management with Cloud and DevOps Ecosystems
Modern infrastructure is built for speed. Applications ship through CI/CD pipelines, containers are created and destroyed dynamically, and cloud resources scale on demand. Certificate management must operate inside these workflows rather than beside them as a separate process.
Integration with cloud and DevOps platforms lets certificates become part of automated provisioning. Whether resources are deployed through Kubernetes, Terraform, cloud-native services, or other infrastructure-as-code frameworks, certificate issuance and renewal should occur automatically as services come online. Native integration with cloud key stores and tools such as cert-manager keeps this consistent across environments.
Without integration, blind spots form where certificates exist outside centralized management. These unmanaged certificates create security risk, complicate compliance, and raise the likelihood of unexpected outages.
Embedding certificate management into cloud and DevOps workflows improves visibility, increases operational efficiency, and keeps certificates aligned with infrastructure that changes constantly.
Common Mistakes That Lead to Certificate Outages
Despite greater awareness, outages caused by expired or mismanaged certificates remain common across industries. Many organizations still rely on manual renewals, incomplete inventories, and unclear ownership.
Other recurring mistakes include failing to plan for shorter validity periods, overlooking certificates in cloud environments, using self-signed certificates in production, and delaying renewals until certificates are close to expiry. These issues often appear minor until they cause service disruption, customer-facing outages, or compliance failures.
The consequences are well documented. In July 2024, the Bank of England reported a 91-minute disruption to CHAPS settlement caused by an expired certificate within its infrastructure, affecting a system that settles high-value sterling payments. The risk is not limited to availability.
In the 2017 Equifax breach, a network monitoring device had been inactive for around 19 months because of an expired certificate, which allowed intruders to operate undetected for 76 days and exfiltrate data on roughly 147 million people, an incident that later led to a settlement of up to 700 million dollars. Preventing these outcomes requires the same foundation of visibility, governance, and automation described throughout this article.
Security Best Practices for Long-Term Success
Strong certificate management extends beyond renewal. Organizations should protect private keys using Hardware Security Modules, enforce least-privilege access controls, conduct regular audits, and continuously scan for unmanaged certificates across the environment. For high-assurance use cases, look for HSMs validated to FIPS 140-3, with the validation level chosen to match the sensitivity of the keys being protected.
Clear policies for development and testing environments help prevent production key reuse and remove unnecessary risk. Where public certificates have been used for internal authentication, replacing them with certificates from a managed private PKI is usually the better long-term choice.
These practices reduce the likelihood of certificate compromise while supporting compliance and operational resilience.
How Encryption Consulting Can Help
The seven practices in this article map to a single operating model built on discovery, governance, and automation. Encryption Consulting delivers that model through a combination of platform capability and advisory expertise, so organizations can move from fragmented, manual processes to a managed program before shorter validity periods take full effect.
CertSecure Manager is the certificate lifecycle management platform that performs continuous discovery across network endpoints, cloud platforms, and local certificate stores to maintain a live inventory, capturing expiration dates, issuing authorities, key sizes, and signature algorithms for every certificate it finds. This addresses the visibility gap that makes both renewal automation and post-quantum planning impossible without it.
On the governance side, CertSecure Manager enforces policy at the point of request. It defines which authorities and certificate profiles are permitted for each use case, applies role-based access controls tied to enterprise identity, routes requests through approval workflows, and records every issuance, renewal, and revocation in a tamper-evident audit trail. Non-compliant requests are blocked rather than corrected after the fact, which keeps shadow PKI from forming.
For automation, the platform integrates directly with multiple certificate authorities and supports protocols such as ACME, so issuance, renewal, provisioning, and revocation can run without manual steps. It connects to cloud key stores and DevOps tooling, which allows certificates to be deployed as part of normal provisioning rather than as a separate task. Lightweight agents extend the same automation to legacy systems that do not speak modern protocols, which is what makes a 47-day renewal cadence operationally realistic.
Private PKI is governed by your own rules rather than the CA/Browser Forum schedule, but it still needs structure. EC’s PKI-as-a-Service provides a managed private trust hierarchy for internal services, device and user authentication, and workload identity. At the same time, HSM-as-a-Service protects the underlying private keys in dedicated hardware. Together, they give internal certificates the same discipline applied to public ones.
For the longer transition ahead, CBOM Secure builds a cryptographic bill of materials that records which algorithms are in use across the estate, the algorithm-level visibility that any post-quantum migration depends on. EC’s PQC Advisory Services then translate that inventory into a phased migration plan, including where hybrid classical and quantum-resistant deployments make sense during the transition.
For organizations that are uncertain about their current readiness, EC’s Encryption Advisory Services can assess the certificate estate, quantify the operational impact of shorter lifetimes, and define a roadmap toward discovery, governance, and automation. The objective is to build a sustainable certificate management program that scales efficiently as renewal cycles accelerate, rather than reacting to each new deadline under pressure.
Conclusion
The certificate management landscape is changing quickly. With publicly trusted TLS validity already capped at 200 days and continuing to fall toward 47 days by 2029, manual processes and fragmented visibility no longer keep an organization safe.
Success now depends on a strategy focusing on continuous discovery, strong governance, and comprehensive automation, with domain validation automated alongside renewal. Organizations that establish these foundations will be ready for more frequent renewals, will prevent costly outages, and will be positioned for the longer transition to post-quantum cryptography.
The shift to short-lived certificates is already underway. A practical first step is to build a complete, continuously updated inventory of every certificate you hold, then use that visibility to prioritize automation where renewal frequency and business impact are highest. To assess where your certificate program stands today and what shorter lifetimes will require, reach out to the team at Encryption Consulting.
