By NHI Mgmt Group Editorial Team
Published 2026-05-12
Domain: Best Practices
Source: Keyfactor

TL;DR: Publicly trusted TLS certificate lifetimes are shrinking from 200 days in 2026 to 100 days in 2027 and 47 days in 2029, turning certificate management into continuous operations rather than occasional administration, according to Keyfactor. The real risk is not renewal frequency but the operating model gap between inventory thinking and repeatable lifecycle automation.


At a glance

What this is: Publicly trusted TLS certificates are moving to much shorter lifetimes, and the key finding is that certificate management is becoming a continuous operational discipline rather than a periodic admin task.

Why it matters: IAM, NHI, and infrastructure teams need to treat certificates as governed lifecycle objects because shorter validity windows expose weak ownership, manual renewal, and audit gaps across service identities and platform operations.

By the numbers:

👉 Read Keyfactor's analysis of 100-day TLS certificates and automation timing


Context

Certificate lifecycle management is no longer a back-office admin function. As TLS certificate lifetimes compress, the hard part is not issuing or renewing a single certificate. The hard part is running discovery, ownership, approvals, deployment, exceptions, and auditability on a much shorter cycle.

For infrastructure, platform, and identity teams, this is an NHI governance problem as much as a PKI problem. Certificates are non-human identities in practice, and shorter validity windows expose where inventory, ownership, and renewal workflows are still managed by spreadsheets and human memory.


Key questions

Q: How should teams handle certificate renewals when validity windows shrink to 100 days?

A: Teams should move from ticket-driven renewals to an automated lifecycle process that starts with inventory and ends with verified deployment. The key is not doing renewals faster by hand. It is removing human coordination from the critical path so ownership, approvals, replacement, and audit evidence can repeat reliably as the cadence compresses.

Q: Why do shorter certificate lifetimes create more risk for infrastructure teams?

A: Shorter lifetimes compress the time available to discover assets, confirm ownership, obtain approvals, and deploy replacements. That exposes weak governance, because manual methods can appear adequate at annual cadence but fail when the same process must run quarterly or monthly across many services and environments.

Q: What breaks when certificate management still depends on spreadsheets?

A: Spreadsheets can track data, but they cannot execute the renewal process or enforce accountability. When cadence shrinks, the failure mode is stale ownership, delayed replacement, and missing exception control. The result is operational instability, not just administrative inconvenience.

Q: Who should be accountable for certificate lifecycle governance?

A: Accountability should sit with the service or platform owner, with security and infrastructure teams setting policy and oversight. If responsibility is shared without being named, renewal failures become everyone’s problem and no one’s obligation, which is exactly how short-lifetime certificates create outages and audit gaps.


Technical breakdown

Why shorter certificate lifetimes change the operating cadence

Certificate lifetime reduction does not simply increase renewal frequency. It compresses the entire operating cadence around the certificate, including inventory accuracy, ownership assignment, approval routing, deployment sequencing, and exception handling. Once the cycle moves from near annual to quarterly and then monthly, any manual dependency becomes the bottleneck. The technical issue is not whether a tool can store certificate records. It is whether the organisation can repeatedly execute a lifecycle process across many assets without drift, delay, or hidden exceptions.

Practical implication: treat renewal as a repeatable lifecycle workflow, not a ticket-based admin task.

Why spreadsheets fail when validation windows shrink

A spreadsheet can record certificate data, but it cannot enforce the process that keeps that data current. As validation reuse windows shorten, stale ownership and delayed approvals become operational risks, not just hygiene issues. The process has to include source-of-truth inventory, automated detection of expiring assets, controlled replacement workflows, and auditable exception paths. When that chain depends on individual attention, certificate operations become unstable long before the deadline arrives.

Practical implication: replace manual tracking with an inventory and renewal workflow that can run without heroic intervention.

Certificate lifecycle as shared enterprise architecture

Certificate management spans security, platform engineering, service ownership, deployment control, and audit evidence. That makes it an architecture problem, not a siloed security workflow. When the lifecycle is unmanaged, failures surface as outages, rushed change windows, and unclear accountability. The relevant control question is whether the organisation can prove who owns each certificate, how it is renewed, and how exceptions are governed across teams and environments.

Practical implication: define ownership and governance for certificates the same way you would for other high-risk identity assets.


Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Certificate lifetimes are now forcing NHI-style lifecycle discipline onto PKI. A certificate is not just cryptographic material. It is a non-human identity with an owner, a renewal path, and an operational dependency chain. As lifetimes compress, the governance failure is no longer weak technology alone. It is the absence of repeatable lifecycle control across discovery, ownership, and replacement. Practitioners should treat certificate operations as governed identity infrastructure, not an administrative afterthought.

Manual certificate management is becoming a control failure, not an efficiency issue. Once renewal cycles move to 100 days and below, the old model of spreadsheets, tribal knowledge, and scattered responsibility stops being merely inefficient. It creates avoidable outage risk, audit gaps, and exception debt. The industry is moving from occasional intervention to continuous operation, and programmes that have not built that muscle will experience instability before they experience scale.

The named concept here is certificate cadence compression. That is the point at which shorter validity windows collapse the distance between issuance, validation, deployment, and audit. The practical implication is that organisations can no longer rely on periodic review to keep certificates aligned with reality. They need lifecycle governance that assumes the operating rhythm itself is changing.

Certificate ownership is now an enterprise accountability test. A certificate lifecycle spans platform teams, application owners, and security governance, which means the control gap is often not technical visibility but assignable responsibility. When no one can reliably answer who owns renewal, who approves exceptions, and who validates replacement, the certificate becomes a latent operational risk. Practitioners should read this as a signal that shared ownership models must be explicit, or they will fail under shorter cadences.

From our research:

  • 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to the 2026 Infrastructure Identity Survey.
  • A separate finding from the same survey shows that only 44% of organisations have implemented any policies to manage their AI agents, even though 92% agree governance is critical.
  • For a broader governance lens, NHI Lifecycle Management Guide helps teams translate inventory, ownership, and renewal discipline into operational controls.

What this signals

Certificate cadence compression: shorter validity windows turn certificate renewal into a continuous control problem, not a calendar reminder. For most programmes, the question is no longer whether renewal can be automated. It is whether ownership, exception handling, and audit evidence can survive the move from yearly to near-monthly operational rhythm.

With 69% of organisations now reporting more machine identities than human ones in The Critical Gaps in Machine Identity Management report, certificate governance sits inside a broader identity scaling problem. The practical signal for teams is that lifecycle controls must be designed for volume, not just for compliance reporting.

The next planning cycle should assume that certificate operations and workload identity governance will converge. Teams that already depend on shared infrastructure, service ownership, and audit-ready change control should use this period to align certificate lifecycle processes with NIST Cybersecurity Framework 2.0 functions, especially govern, protect, and recover.


For practitioners

  • Build a complete certificate inventory: create a source of truth that records every publicly trusted certificate, its owner, service, expiry, and renewal dependency. Without that baseline, shorter lifetimes only accelerate uncertainty.
  • Automate renewal workflows end to end: remove manual handoffs from discovery through deployment so renewal can run on a predictable schedule. Include exception handling and audit logging so the process remains defensible under review.
  • Assign named ownership for every certificate: require a clearly accountable owner for each certificate and service, including escalation paths when a renewal fails. Shared infrastructure without named ownership becomes ungovernable at shorter validity windows.
  • Standardise exception handling and reporting: define which certificate exceptions are acceptable, how long they can remain open, and what leadership reporting should show. If exceptions are not controlled, the renewal programme will look healthy until it fails.
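The four practices above, and the chain described earlier under "Why spreadsheets fail when validation windows shrink" (source-of-truth inventory, automated detection of expiring assets, controlled replacement, auditable exceptions), can be reduced to a small review routine that runs on a schedule instead of depending on someone remembering to open a spreadsheet. The following is an added example written for this page; it is not Keyfactor's or NHI Mgmt Group's code. The inventory rows, the service names, the review date and the renewal-trigger rule (start renewal once two thirds of the lifetime has elapsed) are all constructed assumptions, and the 200/100/47-day lifetimes are the figures quoted in the TL;DR.

```python
"""Review a certificate inventory for renewal, ownership and exception findings.

Added example, not Keyfactor's or NHI Mgmt Group's code. The inventory rows,
the renewal-trigger rule and the review date are constructed assumptions.
"""
from __future__ import annotations

import csv
import io
import math
from dataclasses import dataclass
from datetime import date
from typing import Optional


def renewal_lead_days(lifetime_days: int) -> int:
    """Days before expiry at which renewal must start.

    Assumption: start renewal once two thirds of the lifetime has elapsed,
    i.e. with one third left (the default rule of many ACME clients).
    For a 47-day certificate that is 15 days out; for 200 days, 66.
    """
    return max(1, lifetime_days // 3)


def renewals_per_year(lifetime_days: int) -> int:
    """How many renewal cycles a single certificate needs per year."""
    cycle = lifetime_days - renewal_lead_days(lifetime_days)
    return math.ceil(365 / cycle)


# Constructed inventory standing in for the source-of-truth record the text
# calls for (in practice fed by discovery scans and a CMDB, not typed by hand).
# exception_until: date until which an approved exception defers renewal.
INVENTORY_CSV = """\
subject,owner,service,not_before,not_after,exception_until
api.example.test,platform-team,public-api,2026-06-01,2026-12-18,
www.example.test,,marketing-site,2026-06-10,2026-09-18,
legacy.example.test,app-owner-a,legacy-portal,2026-01-01,2026-07-20,2026-06-15
mail.example.test,messaging,smtp-gateway,2026-05-20,2026-07-06,
old.example.test,app-owner-b,reporting,2026-03-01,2026-06-20,
decom.example.test,app-owner-c,batch-ui,2026-05-01,2026-07-10,2026-07-15
"""


@dataclass
class CertRecord:
    subject: str
    owner: str
    service: str
    not_before: date
    not_after: date
    exception_until: Optional[date]

    @property
    def lifetime_days(self) -> int:
        return (self.not_after - self.not_before).days


def parse_inventory(text: str) -> list[CertRecord]:
    """Load inventory rows into typed records (dates as ISO strings)."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        exc = row["exception_until"].strip()
        records.append(CertRecord(
            subject=row["subject"],
            owner=row["owner"].strip(),
            service=row["service"],
            not_before=date.fromisoformat(row["not_before"]),
            not_after=date.fromisoformat(row["not_after"]),
            exception_until=date.fromisoformat(exc) if exc else None,
        ))
    return records


def classify(rec: CertRecord, today: date) -> list[str]:
    """Findings for one record; ["OK"] when nothing needs attention."""
    findings: list[str] = []
    if not rec.owner:
        findings.append("NO_OWNER")          # responsibility is not assignable
    days_left = (rec.not_after - today).days
    exc_open = rec.exception_until is not None and rec.exception_until >= today
    exc_lapsed = rec.exception_until is not None and rec.exception_until < today
    if days_left < 0:
        findings.append("EXPIRED")           # outage, or one about to happen
    elif days_left <= renewal_lead_days(rec.lifetime_days):
        # Inside the renewal window: renew now, unless an approved exception
        # is still open, in which case the deferral itself is the record.
        findings.append("EXCEPTION_OPEN" if exc_open else "RENEW_NOW")
    if exc_lapsed:
        findings.append("EXCEPTION_LAPSED")  # exception outlived its approval
    return findings or ["OK"]


def review_inventory(csv_text: str, today_iso: str) -> dict[str, list[str]]:
    """Map each subject to its findings as of the given review date."""
    today = date.fromisoformat(today_iso)
    return {r.subject: classify(r, today) for r in parse_inventory(csv_text)}


if __name__ == "__main__":
    for lifetime in (200, 100, 47):
        print(f"{lifetime}-day certs: renew {renewal_lead_days(lifetime)} days "
              f"before expiry, about {renewals_per_year(lifetime)} cycles/year")
    for subject, findings in review_inventory(INVENTORY_CSV, "2026-06-30").items():
        print(f"{subject:22} {', '.join(findings)}")
```

Run as a scheduled job, the review produces one finding list per certificate that can be routed to the named owner and exported as audit evidence; the lifetime-to-cycles figures at the top (3, 6 and 12 cycles a year for 200-, 100- and 47-day certificates under the assumed trigger rule) are the cadence compression the text describes, expressed as a count of process executions rather than a calendar reminder.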

Key takeaways

  • Shorter TLS certificate lifetimes turn certificate management into a continuous identity operations problem, not a periodic admin task.
  • The evidence points to a scaling trap: manual tracking, weak ownership, and slow approvals become unstable as renewal cadence compresses.
  • Teams that want to avoid outages and audit gaps need automated lifecycle workflows, explicit ownership, and governed exceptions before the 100-day threshold arrives.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                        | Control / Reference | Relevance
OWASP Non-Human Identity Top 10  | NHI-03              | Shorter certificate lifetimes expose rotation and lifecycle control gaps.
NIST CSF 2.0                     | PR.AC-1             | Ownership and access governance depend on clear identity control assignment.
NIST Zero Trust (SP 800-207)     |                     | Frequent validation and continuous verification align with shorter certificate cadences.

Automate certificate renewal and replacement before validity windows compress further.


Key terms

  • Certificate Cadence Compression: The reduction of time between certificate issuance, validation, renewal, and replacement. In practice, it shrinks the window in which teams can rely on manual coordination. The result is a lifecycle problem that exposes ownership, auditability, and operational resilience gaps.
  • Certificate Lifecycle Management: The governed process for discovering, assigning, renewing, replacing, and retiring certificates. It is more than renewal tracking because it requires accountability, exception handling, and evidence. When lifetimes shorten, lifecycle management becomes a continuous operational control.
  • Validation Reuse Window: The period during which previously validated domain or IP data can be reused for certificate issuance. A shorter reuse window forces fresher verification and reduces tolerance for stale records. That change tightens the coupling between trust decisions and operational accuracy.
  • Operating Cadence: The repeatable rhythm at which an organisation performs a control or workflow. For certificates, cadence determines whether renewals are routine or disruptive. If the cadence is too slow for the lifetime, the process becomes fragile even when the technology itself is sound.

Deepen your knowledge

Certificate lifecycle governance is a core topic in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building lifecycle controls for certificates and other non-human identities, it is worth exploring.

This post draws on content published by Keyfactor: 100-Day Certs Are Next: Why Your Q2 Automation Investment Pays Off in 2027. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-12.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org