TL;DR: Certificate lifespans are shrinking from annual renewals to 200 days now and 47 days next, forcing approval cycles, ownership models, and deployment workflows to operate eight times as often, according to Keyfactor. The operational issue is not policy itself but the assumption that certificate lifecycle management can still be handled on a calendar cadence.
At a glance
What this is: This is an independent analysis of shorter certificate lifespans and the finding that policy now moves faster than many PKI operating models can absorb.
Why it matters: It matters because certificate governance now touches NHI, workload identity, and broader infrastructure ownership, so IAM teams need lifecycle controls that can keep pace with enforcement speed.
By the numbers:
- As of March 15, 2026, maximum TLS certificate lifespans dropped to 200 days.
👉 Read Keyfactor's analysis of 47-day certificate lifespans and PKI operations
Context
Certificate lifespan policy is compressing from yearly renewal cycles into a much tighter operating window. That changes PKI from a periodic maintenance task into a continuous governance problem, because ownership, approval, and deployment processes have to keep up with enforcement speed.
For identity teams, the issue is not whether shorter lifetimes reduce exposure. The real question is whether current certificate management models, especially those still tied to tickets, spreadsheets, and manual sign-off, can sustain the new cadence without creating outages or control drift.
Key questions
Q: How should security teams prepare for shorter certificate lifespans?
A: Teams should inventory every certificate, assign clear ownership, and automate renewal and deployment before renewal cadence tightens further. The main risk is not the new policy itself but the gap between enforcement speed and human process speed. If renewals still depend on tickets or spreadsheets, expiry becomes an operational failure mode.
Q: Why do shorter certificate lifespans create operational risk?
A: Shorter lifespans compress the time available for approval, issuance, deployment, and validation. That increases the chance of overlap, missed renewals, and expiry-related outages when workflows are manual or fragmented. The risk rises because the process must now perform reliably at machine cadence, not calendar cadence.
Q: What breaks when certificate renewals are still managed manually?
A: Manual renewal models break when the certificate interval becomes shorter than the organisation’s approval and tracking cycle. Ticket queues, spreadsheet inventory, and fragmented ownership cannot absorb repeated renewals without delay. The result is a control gap that shows up first as missed expiry and later as service interruption.
Q: Who is accountable when a certificate expires and services go down?
A: Accountability should rest with the service owner, the platform team managing deployment, and the security function governing lifecycle policy. Shorter lifespans make shared ownership unavoidable, because certificate expiry now affects availability as well as security. Frameworks such as the NIST Cybersecurity Framework 2.0 help define that responsibility boundary.
Technical breakdown
Why shorter certificate lifespans change PKI operating models
Certificate lifespan policy defines how long a TLS certificate remains valid before renewal is required. When validity windows shrink, the underlying cryptographic model does not change, but the operational burden does. Renewal frequency increases, ownership becomes harder to track, and every manual dependency becomes a failure point. This is why shorter lifetimes are not just a security setting. They are a governance constraint that forces organisations to treat certificate management as continuous lifecycle work rather than occasional administration.
Practical implication: map every certificate class to an owner, a renewal path, and an automated deployment process before the shorter lifespan milestones arrive.
How policy speed exposes approval and tracking bottlenecks
The main technical friction is not key generation or certificate issuance. It is the handoff between policy enforcement and internal process. If renewal depends on ticket queues, manual approvals, or spreadsheet-based tracking, then the organisation inherits delay at every cycle. As the renewal interval compresses, those delays overlap and compound. The result is not only higher workload but also greater chance of expiry-related outages, because the process is now slower than the certificate’s life span.
Practical implication: remove manual renewal steps from the critical path and measure mean time to renew, not just certificate counts.
Lifecycle agility for certificates and workload identity
Lifecycle agility means aligning certificate inventory, renewal automation, and deployment orchestration with policy cadence. It also means treating certificates as shared identity infrastructure for applications, workloads, APIs, and devices rather than isolated PKI artefacts. In practice, the same controls that help with NHI hygiene matter here: visibility, rotation discipline, and clear ownership. The difference is that certificate expiry creates a hard stop, so missed governance becomes an operational outage rather than a slow-control failure.
Practical implication: build renewal automation and inventory visibility into the same operating model so expiry is a managed event, not a surprise.
Breaches seen in the wild
- Sisense breach — unauthorized GitLab access led to exfiltration of access tokens, API keys and certificates.
- ASP.NET machine keys RCE attack — 3,000+ exposed ASP.NET machine keys enabled remote code execution.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Shorter certificate lifespans expose lifecycle debt, not just PKI complexity. When renewals shift from annual to near-continuous, organisations discover whether ownership, visibility, and deployment are real or merely assumed. The policy change is forcing a re-evaluation of operational maturity across certificate estates, especially where manual tracking still dominates. Practitioners should treat this as a lifecycle governance test, not a tooling upgrade prompt.
Standing administrative assumptions fail when certificate policy becomes machine-paced. The assumption that a certificate can be renewed through occasional human coordination was designed for long-lived validity windows. That assumption fails when enforcement compresses renewal into a recurring operational event that outpaces ticketing and spreadsheet workflows. The implication is that governance models built around calendar reminders no longer describe the actual risk boundary.
Certificate expiry is becoming an availability problem with identity roots. A missed renewal no longer represents a narrow hygiene issue when certificates underpin applications, workloads, APIs, and devices. Outages now reveal that identity lifecycle and service continuity are coupled. That means certificate governance belongs in the same operational conversation as access continuity, because expiry failure can interrupt service before any security alert fires.
Lifecycle agility: the practical discipline of matching certificate ownership, automation, and renewal orchestration to policy cadence. The term matters because shorter lifespans turn process speed into a control requirement. If teams cannot prove that their lifecycle process moves at the same pace as enforcement, then the certificate estate is already operating on borrowed time.
For IAM leaders, the broader lesson is that identity governance must be measured by renewal success, not policy intent. A policy that reduces exposure on paper can still raise operational risk if the renewal model cannot execute reliably. The next governance question is not whether short-lived certificates are justified, but whether the organisation can sustain them without creating repeatable outage conditions.
From our research:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- Short-lived certificate policy will only reduce risk if governance can match enforcement speed, which is why the NHI Lifecycle Management Guide is a useful next step for lifecycle design.
What this signals
Lifecycle agility is the concept teams should take from the 47-day trajectory. Policy is no longer the slow layer that operations can catch up to later. If certificate management still depends on human-paced approvals, the organisation is already carrying hidden expiry debt across applications, workloads, and APIs.
For readers building broader identity programmes, shorter certificate lifespans should trigger a review of whether lifecycle ownership is defined as a security task or an infrastructure control. The difference matters because expiration failures become service failures, and service failures are often the first signal that governance is lagging behind policy.
With 91.6% of secrets still valid five days after notification, per the Ultimate Guide to NHIs, the industry pattern is clear: remediation speed is the real control. The same lesson applies to certificates as lifespans shrink and renewal windows narrow.
For practitioners
- Inventory certificate ownership end to end Map every certificate to a named business owner, technical owner, and renewal path so no asset depends on tribal knowledge or a single admin queue.
- Automate renewal and deployment workflows Remove ticket-based approval from the renewal critical path wherever policy and risk allow, then validate that issuance, install, and restart steps run without manual intervention.
- Measure expiry risk as an operational metric Track mean time to renew, percentage of certificates inside the renewal window, and failed deployment rates so teams can see whether cadence is keeping up.
- Adopt lifecycle controls for shared identity infrastructure Treat certificates supporting applications, workloads, APIs, and devices as a governed lifecycle population, using the NHI Lifecycle Management Guide and the OWASP Non-Human Identity Top 10 as reference points.
- Plan for the 47-day enforcement horizon now Build a transition plan that tests renewal automation at the shortest expected lifespan, then stress-test ownership handoffs before policy cadence tightens further.
Key takeaways
- Shorter certificate lifespans turn PKI from a periodic task into a continuous governance discipline.
- The operational risk is not policy change itself, but the manual processes that cannot keep pace with it.
- Teams that automate ownership, renewal, and deployment will be far better positioned for the 47-day horizon.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Short-lived certificates still fail when rotation and renewal are not automated. |
| NIST CSF 2.0 | PR.AC-1 | Certificate ownership and lifecycle control map to access governance and accountability. |
| NIST Zero Trust (SP 800-207) | PR.AC | Short-lived credentials support zero trust only when identity lifecycle is tightly controlled. |
Align certificate lifecycle automation with zero trust principles to reduce standing exposure.
Key terms
- Certificate Lifespan: The period during which a digital certificate remains valid before it must be renewed or replaced. In identity operations, shorter lifespans reduce exposure but also compress the time available for ownership, approval, deployment, and validation, making lifecycle management a continuous control rather than a periodic task.
- Lifecycle Agility: The ability to manage identity artefacts through renewal, rotation, and offboarding at the pace required by policy. For certificates, lifecycle agility means the organisation can keep renewal, deployment, and verification aligned with enforcement cadence instead of depending on manual coordination.
- Certificate Ownership: The assignment of responsibility for maintaining, renewing, and retiring certificates across technical and business teams. Good ownership means there is a known person or team accountable for each certificate path, which is essential when renewal windows shrink and failures can become outages.
- Operational Cadence: The tempo at which an organisation executes identity-related work such as renewal, approval, and deployment. When policy cadence is faster than operational cadence, control gaps appear, because even secure settings can fail if the organisation cannot perform the required actions in time.
Deepen your knowledge
Certificate lifecycle governance is a core topic in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your team is preparing for shorter certificate lifespans, it is a practical place to start.
This post draws on content published by Keyfactor: When Policy Moves Faster Than People: Surviving the Shift to 47-Day Certificate Lifespans. Read the original.
Published by the NHIMG editorial team on 2026-03-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
