PKI-as-a-Service: Why Managed PKI Matters as Certificate Lifetimes Shrink to 47 Days

Public TLS certificates are about to renew far more often than most Public Key Infrastructure (PKI) teams have ever planned for. The CA/Browser Forum’s Ballot SC-081v3, approved in April 2025, cuts the maximum validity of publicly trusted TLS certificates in stages: from 398 days down to 200 days effective March 2026, then to 100 days in March 2027, and finally to 47 days by March 2029. That is roughly an eightfold increase in how often a certificate needs to be reissued compared to today.

This change fundamentally changes how PKI needs to operate. When certificates lasted a year or more, many organizations relied on annual renewals, manual tracking, and the occasional spreadsheet review. It was not ideal, but it usually got the job done. With certificates lasting only 47 days, that approach no longer works. The chances of missing a renewal and causing an outage become much higher. That is why PKI-as-a-Service matters. It is not just a cloud-hosted service. It is an operating model designed to keep up with frequent certificate renewals.

What Shrinking Certificate Lifetimes Actually Demand

A 47-day validity period does not just mean “renew more often.” It changes the entire operational profile of a PKI program in a few specific ways.

First, automation stops being optional. A process that depended on a person remembering to act, even a well-run one, cannot keep pace with renewals happening roughly eight times more frequently than today. Issuance, renewal, and revocation all need to happen through automated workflows triggered by policy and expiry, not by someone checking a calendar.

Second, visibility has to be continuous rather than periodic. If you do not have an accurate, current inventory of every certificate in your environment, the systems that depend on it, and when each one expires, a 47-day cycle will surface that gap as an outage rather than as a finding in next quarter’s audit.

Third, the enrollment protocols a PKI environment supports start to matter more directly. Manual certificate signing requests do not scale to this frequency. Standardized, automatable protocols, the kind that integrate cleanly with existing infrastructure and certificate management tooling, become the baseline requirement rather than a nice-to-have.

None of this is a reason to panic. It is a reason to treat PKI operations as infrastructure that needs to run continuously and automatically, which is exactly the gap PKI-as-a-Service is built to close.
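As an added example (not code from the article or from Encryption Consulting), a small Python inventory check that applies the staged SC-081 limits described above to a constructed certificate list: it derives each certificate's allowed lifetime from its issuance date, flags lifetimes a compliant public CA would not issue, and tells an automated renewal loop which certificates to act on today. The March 15 effective day, the two-thirds renewal point and the inventory rows are assumptions made for the example.

```python
from datetime import date, timedelta
# SC-081 maximum validity (days) by issuance date, as the article gives it: 200 from
# March 2026, 100 from March 2027, 47 from March 2029. The 15th is an assumed day.
SC081_PHASES = [(date(2029, 3, 15), 47), (date(2027, 3, 15), 100),
                (date(2026, 3, 15), 200)]
CURRENT_MAX_DAYS = 398  # limit in force before the first step

def max_validity_days(issued_on: date) -> int:
    """Maximum allowed validity for a certificate issued on the given date."""
    for phase_start, limit in SC081_PHASES:
        if issued_on >= phase_start:
            return limit
    return CURRENT_MAX_DAYS

def assess(name: str, not_before: str, not_after: str, today: str,
           renew_fraction: float = 2 / 3) -> dict:
    """Classify one inventory row (ISO dates) for an automated renewal loop."""
    nb, na, now = (date.fromisoformat(d) for d in (not_before, not_after, today))
    lifetime = (na - nb).days
    allowed = max_validity_days(nb)
    # Renew once two thirds of the lifetime has elapsed (a common ACME client
    # default) so a failed attempt still leaves time to retry before expiry.
    renew_after = nb + timedelta(days=int(lifetime * renew_fraction))
    if lifetime > allowed:
        status = "over-policy"  # a compliant public CA would not issue this
    elif now >= na:
        status = "expired"      # the outage the article warns about
    elif now >= renew_after:
        status = "renew-now"
    else:
        status = "ok"
    return {"name": name, "lifetime_days": lifetime, "allowed_days": allowed,
            "renew_after": renew_after.isoformat(), "status": status}

# Constructed inventory rows (name, notBefore, notAfter); not real certificates.
INVENTORY = [
    ("www.example.com", "2029-04-01", "2029-05-18"),     # 47-day cert, past 2/3
    ("mail.example.com", "2029-04-20", "2029-06-06"),    # 47-day cert, still fresh
    ("api.example.com", "2029-04-01", "2029-07-10"),     # 100 days: over policy
    ("legacy.example.com", "2026-02-01", "2027-03-06"),  # 398-day cert, lapsed
]

def scan(inventory, today: str) -> list:
    """Run the check over every row; 'renew-now' rows go to the enrollment job."""
    return [assess(n, nb, na, today) for n, nb, na in inventory]

if __name__ == "__main__":
    for row in scan(INVENTORY, "2029-05-05"):
        print(row["name"], row["status"], "renew after", row["renew_after"])
```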

What a Fully Managed PKIaaS Actually Provides

Encryption Consulting’s PKIaaS is built around the idea that an organization should not have to choose between owning its PKI and avoiding the operational burden of running one. Our service is designed to remove operational complexity while keeping certificate issuance tied to verified identity and strong key protection throughout.

Identity-Bound Issuance

Every certificate should be issued only after the identity of the requesting user, device, or workload has been verified. Automating this identity validation ensures that certificates are consistently issued according to organizational security policies, even when certificates need to be renewed much more frequently.

Strong Protection for CA Keys

The security of a PKI ultimately depends on protecting the certificate authority’s private keys. Enterprise PKIaaS platforms typically secure these keys using hardware security modules (HSMs), enforce multi-factor authentication for privileged operations, and implement strict access controls to reduce the risk of compromise.

Automated Certificate Lifecycle Management

One of the biggest advantages of PKIaaS is automation. Certificate issuance, renewal, revocation, and replacement can all be handled automatically, reducing manual effort and minimizing the risk of expired certificates causing outages. As certificate validity periods become shorter, automation shifts from being a convenience to becoming a necessity.

Support for Post-Quantum Cryptography

Modern PKIaaS platforms increasingly support both traditional and post-quantum cryptographic algorithms, along with hybrid deployments during the migration period. This allows organizations to gradually introduce quantum-resistant certificates as standards evolve, rather than undertaking large-scale migrations later.

Dedicated, Single-Tenant Infrastructure

Enterprise deployments often require dedicated infrastructure with built-in redundancy, monitoring, backup, and disaster recovery capabilities. High availability becomes even more important as certificate renewal events occur more frequently throughout the year.

24/7 Monitoring and Continuous Compliance

Most managed PKI services include continuous monitoring, regular maintenance, software updates, and support for common compliance frameworks. By handling operational tasks such as certificate authority maintenance, patching, and health monitoring, organizations can reduce administrative burden while maintaining a secure and reliable PKI environment.

Use Cases Where This Matters Most

The benefits of a managed PKI become most apparent in environments where certificates are issued, renewed, and managed at scale. As certificate lifetimes shrink, these use cases become even more dependent on automation.

Endpoint Authentication

PKIaaS issues high-assurance certificates to Intune-managed devices and applications, with automated revocation and policy management, real-time synchronization, and hybrid certificate support, providing endpoint authentication across UEM and MDM platforms.

Automated Enrollment

Large environments often need to provision certificates for thousands of users, devices, and workloads. Automated enrollment through protocols and integrations such as ACME, SCEP, and enterprise identity platforms eliminates manual provisioning while ensuring certificates are issued consistently according to organizational policies.

Managed CA Operations

Running a certificate authority involves much more than issuing certificates. It includes protecting CA keys, maintaining certificate revocation services, monitoring infrastructure, performing backups, applying security updates, and ensuring high availability. A managed PKI service handles these operational responsibilities while allowing organizations to maintain governance over their PKI.

Each of these is a place where manual, infrequent certificate handling was already a stretch before certificate lifetimes started shrinking. They are exactly the workloads where a managed, automated approach earns its place.

How PKIaaS Connects Into the Rest of Your Environment

A managed PKI only helps if it actually integrates with how certificates get requested and consumed across your environment. Encryption Consulting’s PKIaaS supports a broad set of enrollment paths and integrations: CA gateways, REST API access, ACME, agent-based and orchestration-driven enrollment, SCEP, Active Directory integration, and Microsoft Intune for managed devices. On the hardware security module side, the service integrates with Thales and Entrust HSMs. For secure email, it supports S/MIME across Gmail and Outlook.

That breadth matters specifically because of the lifecycle shrinkage driving this entire conversation. SCEP (defined in RFC 8894) and ACME (RFC 8555) exist precisely to make automated, machine-driven enrollment possible without a human submitting a request manually each time, which is the only realistic way to operate at a 47-day cadence across a large certificate estate.

How Encryption Consulting Can Help

Getting ready for a 47-day certificate renewal cycle is not just about certificates. It is an operational challenge, and Encryption Consulting’s PKIaaS is designed to handle much of that complexity for your team.

This starts with the foundation: a fully managed, scalable, and highly available PKI service that removes the operational complexity of running CA infrastructure in-house, including built-in expertise for hybrid certificate management and PQC readiness. Self-service capabilities combined with automated issuance, renewal, and revocation mean certificates do not depend on someone remembering to act, which is the single biggest requirement a shrinking renewal cycle creates. Every request stays tied to a verified, authenticated identity, so increasing the frequency of issuance does not mean loosening the controls around it.

On the infrastructure side, critical CA keys are protected with FIPS 140-3 Level 3 certified Cloud HSMs, with multi-factor authentication enforced for Root CA access, and the issuing CA environment runs on a dedicated, single-tenant architecture with real-time CRL infrastructure, monitoring, and backup and recovery built in, so availability keeps pace as renewal volume goes up. Continuous compliance is maintained through 24/7 monitoring, alongside expert-led operations covering CA and CRL renewals, patch management, and incident response.

On the integration side, the service connects into the protocols and platforms that make frequent, automated renewal actually achievable: CA gateways, REST API access, ACME, SCEP, Active Directory, and Microsoft Intune, along with HSM integration through Thales and Entrust. And because the platform supports native PQC capabilities to issue ML-DSA certificates alongside hybrid certificate management, each of the far more frequent renewal cycles a 47-day world creates becomes an opportunity to move toward post-quantum readiness rather than just maintaining the status quo.

Whether your organization needs a fully hosted PKIaaS, an on-premises managed deployment, or a SaaS-based approach to establishing digital identities, Encryption Consulting’s PKIaaS is designed to scale with the pace certificate lifecycles are now moving at, without requiring you to grow your internal PKI team to keep up.

Conclusion

Certificate lifetimes are getting shorter because the industry decided that long-lived certificates carry too much risk for too long, and that decision is now locked into a published timeline that every organization issuing publicly trusted TLS certificates will have to meet. By 2029, certificates that once lasted over a year will need to be reissued roughly every six weeks. Manual, periodic PKI management was never a great fit for security-critical infrastructure, and it stops being viable at all once renewal happens at that frequency.

PKI-as-a-Service exists to meet that shift directly: identity-bound, automated issuance, FIPS 140-3 Level 3 protected keys with enforced access controls, native support for post-quantum algorithms like ML-DSA, and integration with the enrollment protocols and platforms that make frequent, automated renewal actually workable. If your organization is still managing certificates on an annual cycle, the runway to adapt before 47-day certificates arrive is shorter than it looks.

If you are evaluating how your current PKI setup would hold up under that shift, that is exactly the question a PKI health assessment is built to answer.