Certificate lifespans are shrinking and most organizations aren’t ready
The push for shorter TLS certificate lifespans has been building for years. It started with Google’s internal push toward 90-day certificates, which gained traction inside the industry before resistance from enterprise customers slowed things down. Then Apple proposed 47-day certificates, which reignited the debate and ultimately forced the CA/Browser Forum to set a formal schedule.
The timeline that came out of those discussions moves certificate validity from one year down to 200 days, then 100, then 47 over a roughly three-year span. That schedule puts pressure on organizations to overhaul both their purchasing models and their operational processes for managing certificates.
John Murray, Senior Vice President of Sales, Americas at GMO GlobalSign, describes the underlying goal: browsers want organizations to be able to move cryptographic key material quickly, revoke certificates on short notice, and replace them within tight windows. They also want tighter discipline around certificate hierarchies, including moving away from multipurpose root certificates toward single-purpose roots. Most organizations have not built the processes or tooling to do any of that at scale.
Larger enterprises are ahead of the curve, at least marginally. They tend to have dedicated PKI teams and budget for certificate lifecycle management tools. Mid-market and smaller organizations, which make up a significant portion of GlobalSign’s customer base, are the ones likely to be caught off guard when the next deadline hits.
Discovery is step one, not optional
For any organization starting to get serious about certificate management, Murray has a consistent answer to the question of where to begin. “Step one is discovery,” he says. “Having a tool that you can use to discover all your certificates and catalog everything.”
That advice applies equally to the immediate challenge of shorter lifespans and the longer-term work of preparing for post-quantum cryptography. In both cases, organizations need to know what certificates they have, where those certificates live, and what type of platform each one runs on. Without that inventory, automation is difficult to deploy and the scope of any migration project is essentially unknown.
GlobalSign’s Atlas platform includes certificate discovery, as does the company’s LifeCycle X by GMO tool. Discovery data also feeds directly into automation planning, because the platforms and infrastructure types an organization runs on determine which automation approaches are available.
Post-quantum preparation shares the same foundation
Post-quantum cryptography is generating significant attention in the PKI space, and for good reason. The finalization of quantum-resistant algorithms is underway, and organizations will eventually need to migrate their certificate infrastructure to use them. That migration will require updating not just certificate issuance processes, but the entire ecosystem of devices, web servers, load balancers, HSMs, and other infrastructure that certificates touch.
Murray sees a direct line between the work organizations need to do now for shorter validity periods and what they will need later for post-quantum. The automation infrastructure built to handle certificate rotation will also be the delivery mechanism for post-quantum certificates once those are ready to deploy. Organizations that have done the inventory work and built out automated renewal pipelines will be able to push new certificate types to endpoints without starting from scratch.
The organizations that wait will face two challenges at once: adapting to shorter lifespans and migrating to new cryptographic algorithms, neither of which is straightforward without a picture of what is running and where.
The purchasing model has to change too
Shorter certificate lifespans create a problem that extends beyond operations into procurement. The traditional model for buying certificates, purchasing a pack of certificates and renewing them once a year, breaks down quickly when certificates need to be replaced every 47 days.
GlobalSign developed a licensing approach built around subject alternative names (SANs) rather than individual certificate issuances. Under this model, organizations are licensed by the number of unique fully qualified domain names (FQDNs) they need to cover, measured in real time. Renewing or replacing a certificate for a domain already under license does not consume an additional license slot. Organizations can rotate certificates as frequently as their security posture requires without triggering additional costs.
Companies that acquire new domains or expand their infrastructure can add to their license mid-year on a prorated basis. Combined with automation, this approach removes the commercial friction that would otherwise make high-frequency certificate rotation financially unsustainable.
Automation is not going to be optional
Murray is direct about where this is heading: organizations that are still managing certificates through spreadsheets or manual renewal processes will not be able to sustain that as validity periods compress. Small IT teams that treat certificate management as one item on a long list of responsibilities will run into outages. A single expired certificate, while inexpensive on its own, can cause significant operational disruption.
For smaller organizations, the Automated Certificate Management Environment (ACME) protocol offers a low-cost entry point. ACME, an open standard, can automate certificate renewal without requiring a dedicated CLM platform. Agents deployed on servers handle the renewal process automatically, and the protocol includes mechanisms for handling mass revocations. GlobalSign supports ACME across its certificate types, including organizationally validated and domain-validated certificates, and does not charge separately for ACME use.
For more complex environments, organizations may need a comprehensive CLM solution. GlobalSign offers its own tools, including Atlas and LifeCycle X by GMO, and works with third-party CLM providers through open API integrations. Larger companies sometimes build custom integrations with those APIs directly. The right approach depends on the size of the environment, the range of platforms involved, and the internal capacity to maintain the solution.
Murray acknowledges that fear of automation is real, particularly among organizations that have been managing certificates manually for years. Some IT teams worry about agent compatibility, or about environments where no ready-made automation path exists. GlobalSign’s LifeCycle X by GMO includes custom scripting capabilities and configurable templates for non-standard platforms, and the company has built out professional services to help organizations with initial ACME implementations, agent deployment, and platform configuration.
PKI expertise is scarce, and that matters
One factor that often gets overlooked in discussions of certificate management is the knowledge gap. PKI is specialized, and most organizations, particularly in the mid-market, do not have staff with deep expertise in it. Murray notes that even experienced IT professionals who know security well often lack familiarity with the specifics of certificate validation types, compliance requirements, and the technical trade-offs between different approaches.
That gap has been widening recently. The past year has seen significant compliance changes across SSL, code signing, and S/MIME certificates, driven by CA/Browser Forum decisions. Each change requires organizations to understand what is changing, why, and what steps they need to take. Organizations without a trusted advisor in the PKI space are often left trying to piece together requirements from forum discussions and vendor communications.
Murray argues that this is one area where specialization matters. GlobalSign focuses on PKI, which means its sales and solutions engineering teams can work through specific customer environments in depth. For a mid-market organization, engaging with a CA that understands the full range of certificate use cases, from web servers to code signing to device certificates, is a different experience than working with a generalist IT services firm.
The window to prepare is narrowing
The 200-day threshold takes effect on March 15, and the steps after that follow on a fixed schedule. For organizations still managing certificates manually, that schedule leaves limited time to build out the processes, tooling, and internal knowledge needed to keep up.
The path Murray recommends is consistent regardless of organization size: start with discovery to understand what you have, identify which platforms are candidates for automation, apply the 80/20 rule to bring as many certificates under automated management as possible, and address the remaining edge cases over time. For most mid-market organizations, some version of ACME combined with a SAN-based licensing model provides a workable starting point without requiring major upfront investment.
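The discovery step described earlier and the triage order recommended here can be shown concretely. The following is an added example written for this article, not code from GlobalSign, Atlas or LifeCycle X: it dials a list of TLS endpoints, records each leaf certificate's subject, SANs, issued lifespan and days to expiry, flags certificates whose lifespan exceeds the 200-, 100- or 47-day caps from the schedule above, and sorts the inventory soonest-expiring first. Hostnames such as `legacy.example.test` and the self-signed test listener are constructed so the program runs offline; in practice the endpoint list would come from DNS zones, load balancer configs or a network scan. The `ExceedsCap` and `Prioritize` helpers and their names are this example's own, not any vendor's API.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math"
	"math/big"
	"net"
	"sort"
	"time"
)

// CertRecord is one row of the certificate inventory.
type CertRecord struct {
	Endpoint      string
	Subject       string
	SANs          []string
	NotBefore     time.Time
	NotAfter      time.Time
	ValidityDays  int // issued lifespan, compared against the 200/100/47-day caps
	DaysRemaining int // days until expiry at discovery time, rounded up
}

// Discover dials host:port, takes the leaf certificate from the handshake and
// returns an inventory row. Chain verification is deliberately skipped: an
// inventory must record expired, self-signed and misissued certificates too.
func Discover(endpoint string, now time.Time, timeout time.Duration) (CertRecord, error) {
	dialer := &net.Dialer{Timeout: timeout}
	conn, err := tls.DialWithDialer(dialer, "tcp", endpoint, &tls.Config{InsecureSkipVerify: true})
	if err != nil {
		return CertRecord{}, fmt.Errorf("%s: %w", endpoint, err)
	}
	defer conn.Close()
	peer := conn.ConnectionState().PeerCertificates
	if len(peer) == 0 {
		return CertRecord{}, fmt.Errorf("%s: no certificate presented", endpoint)
	}
	return Record(endpoint, peer[0], now), nil
}

// Record converts a parsed certificate into a CertRecord.
func Record(endpoint string, c *x509.Certificate, now time.Time) CertRecord {
	return CertRecord{
		Endpoint:      endpoint,
		Subject:       c.Subject.String(),
		SANs:          c.DNSNames,
		NotBefore:     c.NotBefore,
		NotAfter:      c.NotAfter,
		ValidityDays:  int(c.NotAfter.Sub(c.NotBefore).Hours() / 24),
		DaysRemaining: int(math.Ceil(c.NotAfter.Sub(now).Hours() / 24)),
	}
}

// ExceedsCap reports whether the certificate was issued with a lifespan longer
// than capDays, i.e. its next renewal cannot follow the old yearly rhythm.
func ExceedsCap(r CertRecord, capDays int) bool { return r.ValidityDays > capDays }

// Prioritize orders records soonest-expiring first: the triage order for bringing
// the bulk of the estate under automation before working through edge cases.
func Prioritize(records []CertRecord) []CertRecord {
	out := append([]CertRecord(nil), records...)
	sort.Slice(out, func(i, j int) bool { return out[i].NotAfter.Before(out[j].NotAfter) })
	return out
}

// StartTestServer runs a loopback TLS listener presenting a constructed
// self-signed certificate with the given lifespan, so the example works offline.
func StartTestServer(name string, validity time.Duration) (string, func(), error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, err
	}
	now := time.Now().Truncate(time.Second) // X.509 times carry second precision
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    now,
		NotAfter:     now.Add(validity),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", nil, err
	}
	cfg := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return "", nil, err
	}
	go func() { // complete each handshake, then hang up; discovery needs nothing more
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(c net.Conn) { c.(*tls.Conn).Handshake(); c.Close() }(c)
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }, nil
}

func main() {
	// Constructed sample estate: a legacy one-year certificate and one already on a 47-day cycle.
	var records []CertRecord
	for _, s := range []struct {
		name string
		days int
	}{{"legacy.example.test", 365}, {"acme.example.test", 47}} {
		addr, stop, err := StartTestServer(s.name, time.Duration(s.days)*24*time.Hour)
		if err != nil {
			panic(err)
		}
		r, err := Discover(addr, time.Now(), 2*time.Second)
		stop()
		if err != nil {
			panic(err)
		}
		records = append(records, r)
	}
	for _, r := range Prioritize(records) {
		fmt.Printf("%-22s %-24v validity=%3dd remaining=%3dd over200=%-5v over47=%v\n",
			r.Endpoint, r.SANs, r.ValidityDays, r.DaysRemaining, ExceedsCap(r, 200), ExceedsCap(r, 47))
	}
}
```

Replacing the constructed listeners with a real list of `host:port` pairs turns this into the discovery step proper; the `over200`/`over47` columns then show how much of the estate is still issued on a rhythm that the next deadline will break, and the sort order is the 80/20 worklist.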
The organizations that treat this as a future problem are running out of runway.