IT Brief New Zealand - Technology news for CIOs & IT decision-makers
Andre cyberark

Automation vital as TLS certificate lifespans shrink

Wed, 14th Jan 2026

Imagine this. You've just landed overseas for your summer holiday. You're standing at the baggage carousel when everything suddenly stops. Flight information screens freeze. Check-in desks go dark. Staff scramble, but no one can explain what's happened.

It's not a power failure. It's not a cyberattack.

A digital certificate has expired and the systems that rely on it can no longer communicate.

This kind of outage is already a familiar nightmare for IT teams. What's about to change is how often it happens. As TLS certificate lifespans shrink, failures like this won't be rare incidents - they'll become routine.

The global push to shorten TLS certificate lifespans is accelerating, yet most organisations are dangerously underprepared. Without change, security teams will face an unrelenting cycle of renewals and machine identity-related outages.

From 15 March 2026, the maximum validity period for publicly trusted TLS certificates – including WebPKI and browser-trusted certificates - will fall from 398 days to 200 days, before dropping again to 100 days in 2027 and just 47 days by 2029. At the same time, the domain control validation (DCV) reuse window will also shrink – down to just 10 days by 2029 – significantly reducing the operational leeway organisations rely on today and reinforcing why manual processes simply won't scale. While the intent of this industry-wide shift is to reduce security risk, it introduces a far more immediate operational challenge: a dramatic surge in certificate renewals that most teams are not equipped to handle.

TLS certificates are not simply technical controls – they are machine identities. When a certificate expires, systems can no longer authenticate or communicate, breaking trust at a foundational level. Forgotten or unmanaged certificates will inevitably lapse, causing trust between connected machines to break down and taking critical systems offline - from airport baggage handling and payment terminals to industrial control systems.

The impact is rarely isolated. Certificate failures cascade across interconnected services, triggering outages that affect everything from customer-facing platforms to core operational environments.

What makes this transition uniquely disruptive is scale. A move to 47-day lifespans means organisations will need to renew certificates eight to nine times more frequently than they do today. For teams still relying on manual processes, that translates directly into ballooning workloads, rising operational risk and a sharp increase in human error – with a potential cost of at least USD$2.88 million based on current renewal models. Certificate-related outages are already common – increasing renewal frequency will only amplify both their likelihood and their financial impact.

This is no longer just a security issue - it's a business resilience problem. As certificate lifespans shrink, the labour required to track, renew and deploy them increases exponentially. Organisations that attempt to absorb this through manual effort will face unsustainable staffing demands, while still remaining exposed to outages, compliance failures and service disruption. 

Compounding the challenge is timing. The lead time for action - the window between a policy being announced and its enforcement - is narrowing rapidly. That leaves organisations with less time to redesign processes, implement automation and test new workflows before shorter lifespans become mandatory across the internet.

Three actions organisations should take now

To navigate this shift, TLS certificates must be treated as part of a broader machine identity strategy - not a standalone PKI task. Based on what security leaders are encountering today, organisations should prioritise three actions ahead of the first deadlines.

1. Establish continuous visibility into certificates and their context

Static inventories quickly become obsolete. Organisations need automated discovery across on-premises, cloud and containerised environments to maintain a real-time view of where certificates live, what they secure, who owns them and when they expire. Without this visibility, blind spots are inevitable.

2. Replace manual renewals with end-to-end automation and continuous monitoring

Manual certificate renewal will not scale in a 47-day world. Automation is essential to ensure certificates are issued, renewed and deployed well ahead of expiry - without relying on human intervention that introduces delay and error.

The same applies to oversight. When certificates rotate every few weeks, point-in-time audits are no longer sufficient. Continuous monitoring and alerting provide early warning of misconfigurations, unauthorised usage or impending expirations before they escalate into outages.

3. Centralise policy enforcement and integrate certificate management into DevOps pipelines

Shorter lifespans leave little room for inconsistency. Centralised, policy-driven workflows help ensure renewal timing, approval processes and compliance requirements are applied uniformly across teams and environments. 

At the same time, certificates are deeply embedded in CI/CD pipelines, microservices and Kubernetes platforms. Integrating certificate provisioning and renewal directly into DevOps workflows prevents insecure workarounds while maintaining development velocity.
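As an added example (not code from the article or from CyberArk), the Python script below applies the three actions to a small certificate inventory: it reads records in the layout Python's ssl getpeercert() returns, flags certificates that have lapsed or entered their renewal window, and checks each certificate's validity period against the shrinking caps described above. The sample certificates, the "current" date, the one-third renewal window and the exact 2027 and 2029 cut-over dates are constructed assumptions.

```python
"""Certificate inventory check over getpeercert()-shaped records; all sample data is constructed."""
import ssl
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
# Maximum validity for publicly trusted TLS certificates, per the article's schedule.
# Only 15 March 2026 is given exactly; the 2027 and 2029 month/day below are assumed.
VALIDITY_SCHEDULE = [(datetime(2026, 3, 15, tzinfo=UTC), 200),
                     (datetime(2027, 3, 15, tzinfo=UTC), 100),
                     (datetime(2029, 3, 15, tzinfo=UTC), 47)]

def max_validity_days(issued_at):
    """Cap in effect when a certificate was issued (398 days before the first cut-over)."""
    cap = 398
    for effective, days in VALIDITY_SCHEDULE:
        if issued_at >= effective:
            cap = days
    return cap

def common_name(cert):
    # Pull the CN out of the nested subject tuple that getpeercert() returns.
    return next((v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"), "<unknown>")

def assess(cert, now, renew_fraction=1 / 3):
    """Classify a cert as EXPIRED, RENEW or OK; the one-third renewal window is an assumption."""
    not_before = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), UTC)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), UTC)
    lifetime, days_left = (not_after - not_before).days, (not_after - now).days
    if days_left < 0:
        status = "EXPIRED"
    elif days_left < lifetime * renew_fraction:
        status = "RENEW"
    else:
        status = "OK"
    return {"cn": common_name(cert), "lifetime_days": lifetime, "days_left": days_left,
            "status": status, "over_cap": lifetime > max_validity_days(not_before)}

def make_cert(cn, not_before, lifetime_days):
    """Build a constructed record in the layout ssl.SSLSocket.getpeercert() returns."""
    fmt = "%b %d %H:%M:%S %Y GMT"
    return {"subject": ((("commonName", cn),),), "notBefore": not_before.strftime(fmt),
            "notAfter": (not_before + timedelta(days=lifetime_days)).strftime(fmt)}

NOW = datetime(2026, 9, 20, tzinfo=UTC)  # constructed "current" time for the sample run
SAMPLE_CERTS = [make_cert("api.example.com", datetime(2026, 4, 1, tzinfo=UTC), 200),       # compliant, due for renewal
                make_cert("legacy.example.com", datetime(2026, 5, 1, tzinfo=UTC), 398),    # exceeds the 200-day cap
                make_cert("forgotten.example.com", datetime(2026, 6, 1, tzinfo=UTC), 92),  # already lapsed
                make_cert("www.example.com", datetime(2026, 8, 1, tzinfo=UTC), 200)]       # compliant, nothing to do

def report(now=NOW, certs=SAMPLE_CERTS):
    # Inventory rows that need action: anything not OK, or issued with validity above the cap.
    return [r for r in (assess(c, now) for c in certs) if r["status"] != "OK" or r["over_cap"]]
```

Pointing assess() at the dictionary returned by a real TLS socket's getpeercert() turns the same logic into a live monitoring check.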

Automation is now a prerequisite for resilience

The shift to 47-day TLS certificates is not a future problem - it is an operational reality already taking shape. Organisations that delay action will find themselves trapped in a cycle of renewal pressure, rising costs and recurring outages. This digital game of whack-a-mole will expose the operational fragility of organisations that have not automated certificate management.

Those that invest early in automated discovery, renewal and monitoring will be far better positioned to absorb the change - not just avoiding disruption, but strengthening trust across their digital environments.

The question is no longer whether certificate-related incidents will increase, but how prepared organisations will be when they do.