By NHI Mgmt Group Editorial TeamPublished 2026-05-20Domain: Cyber SecuritySource: GlobalSign

TL;DR: Certificate lifetimes will shrink from 200 days in 2026 to 47 days in 2029, turning manual renewal, revocation, and inventory management into a near-continuous operational burden, according to GlobalSign. The real issue is not the date itself, but the fact that certificate governance now depends on automation, ownership, and auditability rather than periodic maintenance.


At a glance

What this is: This is an analysis of the move toward much shorter SSL/TLS certificate lifetimes and the operational pressure it puts on manual certificate management.

Why it matters: It matters to IAM, PAM, and security teams because certificate lifecycle control is part of identity governance for workloads, services, and applications, and stale certificates create both outage and exposure risk.

By the numbers:

👉 Read GlobalSign's analysis of the 47-day certificate lifecycle transition


Context

Shorter certificate lifetimes are not just a PKI housekeeping issue. They are a governance problem because the operational margin for error disappears as renewal windows compress and revocation becomes more frequent. For identity teams, that means certificates behave less like static infrastructure artefacts and more like managed credentials with an active lifecycle.

The identity angle is real because certificates authenticate workloads, services, and internal systems as non-human identities. When certificate handling remains manual, the same problems seen in NHI governance appear again: poor inventory, slow revocation, missed expiry, and unclear ownership across platforms and environments.


Key questions

Q: What breaks when certificate lifetimes become too short for manual renewal?

A: Manual renewal breaks first, followed by ownership visibility and revocation timing. As lifetimes shrink, human workflows cannot reliably track every certificate across cloud, endpoint, and internal systems. The result is expired credentials, failed authentication, and lingering trust in certificates that should already have been rotated or removed.

Q: Why do short-lived certificates matter to non-human identity governance?

A: Certificates are a form of non-human identity because they authenticate services, workloads, and systems. When lifetimes shorten, they require the same governance disciplines as other NHIs: discovery, ownership, rotation, revocation, and auditability. The shorter the lifetime, the less viable manual control becomes.

Q: How do security teams know if certificate automation is actually working?

A: Look for fewer missed expiries, shorter revocation delays, complete certificate inventory coverage, and fewer emergency renewals. A working programme produces reliable evidence of who owns each certificate, when it will renew, and whether replacement has happened before service disruption or trust exposure.

Q: Who is accountable when expired certificates cause outages or exposure?

A: Accountability should sit with the system owner, the platform owner, and the security function that governs machine identity policy. If certificate expiry can take down services or extend trust beyond its intended window, it is a lifecycle governance failure, not just a technical mistake.


Technical breakdown

Why shorter certificate lifetimes change PKI operating models

A certificate lifetime reduction changes the economics of PKI. When certificates last years, organisations can tolerate manual renewal queues, ad hoc ownership, and spreadsheet-based tracking. When lifetimes fall to weeks, the failure mode shifts from occasional lapse to continuous process strain. Certificate lifecycle management has to cover discovery, issuance, renewal, validation, and revocation as an integrated system rather than as separate tasks handled by different teams. That is why the article's central point is really about operational control, not just cryptographic hygiene.

Practical implication: identify every certificate-dependent service and assign lifecycle ownership before renewal windows shrink further.

How certificate automation reduces identity and outage risk

Automated certificate lifecycle management reduces the gap between certificate expiry, revocation, and replacement. In practice, it uses API-driven workflows, policy-based renewal, and centralized visibility to remove the dependency on human memory. That matters because expired certificates can cause service failures, while delayed revocation leaves compromised credentials active longer than intended. For identity programmes, this is structurally similar to reducing standing privilege: the goal is not only efficiency, but shorter exposure windows and tighter control over machine authentication.

Practical implication: move renewal and revocation into policy-driven workflows tied to inventory, ownership, and exception handling.

What short-lived certificates mean for workload identity and secret governance

Short-lived certificates sit alongside other machine identity controls such as API keys, service accounts, and workload identities. The common governance problem is the same: organisations often know a certificate exists, but not where it is used, who owns it, or whether it is still valid in every downstream system. That creates an identity blind spot that also affects audit, compliance, and incident response. In mixed cloud estates, certificate automation should be treated as part of broader workload identity governance rather than as a standalone PKI project.

Practical implication: fold certificate discovery into broader NHI inventory and access governance, not a separate PKI-only workstream.


Threat narrative

Attacker objective: The objective is to exploit stale or unmanaged certificate lifecycles to preserve access, impersonate services, or trigger service disruption.

  1. Entry occurs when expired or near-expiry certificates are missed in manual inventory and renewal queues, causing services to fail or remain vulnerable with stale credentials.
  2. Escalation happens when delayed revocation leaves certificates active after they should have been removed, extending the exposure window for misuse or impersonation.
  3. Impact is operational outage, failed authentication, audit friction, and a larger attack surface for machine identity abuse.

NHI Mgmt Group analysis

Short-lived certificates are becoming machine identity governance, not just PKI maintenance. As certificate validity shrinks, the control problem moves from periodic renewal to continuous lifecycle assurance. That is the same pattern identity teams already know from non-human identity governance: ownership, inventory, rotation, and revocation all matter at machine scale. The practical conclusion is clear. Certificate programmes must be run as identity programmes, not as ticket queues.

Manual certificate management now creates a standing exposure window. The article correctly identifies that renewal intervals are collapsing faster than human workflows can adapt. When a certificate is missed, the issue is not only expiry. It is the persistence of an authentication artefact that should already have been replaced or revoked. This is the same failure mode seen in poorly governed service accounts and API keys. Practitioners should treat delayed renewal as a lifecycle control failure, not an admin inconvenience.

Certificate automation is becoming a prerequisite for audit-ready identity control. Frequent renewal means teams need reliable evidence of discovery, ownership, renewal timing, and revocation status across cloud and on-prem environments. That maps naturally to NIST CSF, NIST SP 800-53, and the identity lifecycle controls in OWASP-NHI thinking. The organisations that can prove control will be the ones that stay operational when validity windows keep shrinking.

Post-quantum readiness and certificate agility are now linked to identity governance maturity. The article is right to connect shorter certificate lifetimes with a broader cryptographic agility agenda. But the deeper lesson is organisational: if a team cannot manage present-day certificate churn, it will struggle with future cryptographic transitions as well. Practitioners should use certificate modernization as a test of governance maturity, not just tooling maturity.

What this signals

Certificate lifecycle control is now part of NHI programme maturity. Teams that still separate PKI from identity governance will struggle as renewal intervals collapse. The practical shift is to treat certificate ownership, revocation, and audit evidence as one operational control plane rather than as isolated admin tasks. That aligns naturally with the broader machine identity problem space described in the Ultimate Guide to NHIs , What are Non-Human Identities.

Credential sprawl will become visible faster than many programmes can absorb. Shorter certificate lifetimes surface the same weakness that drives NHI risk elsewhere: organisations cannot govern what they cannot inventory. When certificate telemetry is weak, expiry events become a symptom of broader identity blind spots, not a one-off failure. Teams should expect pressure to link PKI reporting with workload identity and secrets governance.

Automation maturity will become a procurement and architecture question, not a scripting question. As validity windows shrink, the difference between resilient and fragile programmes will be whether renewal, validation, and revocation are embedded into operating workflows. NIST SP 800-53 Rev 5 Security and Privacy Controls provides a useful reference point for access and system integrity controls, but the practical challenge is proving those controls work at machine speed.


For practitioners

  • Map every certificate to an owner and service Build a live inventory that links each certificate to its system, business owner, renewal date, and dependency chain. Without that mapping, automation will still leave hidden failure points in AWS, Azure, Intune, and internal services.
  • Automate renewal and revocation workflows Move high-volume certificates into policy-driven workflows so renewal, validation, and revocation happen through API-based processes instead of tickets and reminders. This reduces human error and shortens the exposure window for stale credentials.
  • Prioritise high-risk certificate estates first Start with externally exposed services, VPNs, and internal applications whose failure would interrupt business operations. Pair that prioritisation with the identity inventory guidance in the Ultimate Guide to NHIs , What are Non-Human Identities so certificate governance sits inside the broader NHI programme.
  • Tie certificate telemetry to audit evidence Use real-time reporting to show renewal status, expiry risk, and revocation completion across environments. That evidence helps compliance teams and makes certificate governance measurable instead of anecdotal.

Key takeaways

  • Shorter certificate lifetimes turn certificate management into a continuous identity governance problem, not a periodic PKI task.
  • Manual renewal and revocation processes are the weakest link as validity windows contract from months to weeks.
  • Automation, ownership mapping, and audit evidence are the controls that will decide whether certificate modernization reduces risk or just increases churn.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5, CIS Controls v8 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-03Certificate renewal and revocation gaps mirror NHI lifecycle control failures.
NIST CSF 2.0PR.AC-1Certificates are authentication artefacts that must be governed through access control.
NIST SP 800-53 Rev 5IA-5IA-5 covers authenticator management, including certificate-related lifecycle handling.
CIS Controls v8CIS-5 , Account ManagementCertificate ownership and revocation are part of managing non-human account-like credentials.
NIST Zero Trust (SP 800-207)Short-lived certificates support zero trust by reducing standing trust windows.

Treat certificate expiry, rotation, and revocation as lifecycle controls with explicit ownership and automation.


Key terms

  • Certificate Lifecycle Management: The process of discovering, issuing, renewing, revoking, and replacing certificates across an environment. It becomes a governance discipline when certificate volume and expiry frequency exceed what manual administration can safely handle.
  • Cryptographic Agility: The ability to change cryptographic mechanisms, key lengths, and trust models without major operational disruption. It depends on automation, clear ownership, and the ability to rotate and replace certificates quickly when standards or risks change.
  • Machine Identity: A digital identity used by services, workloads, systems, or devices rather than a person. Certificates, tokens, and keys are common machine identity mechanisms, and they must be governed across their full lifecycle to avoid outage and exposure.
  • Revocation Latency: The time between deciding that a credential or certificate should no longer be trusted and that state being enforced everywhere it matters. Long revocation latency creates unnecessary exposure and is a common sign of weak lifecycle control.

What's in the full article

GlobalSign's full article covers the operational detail this post intentionally leaves for the source:

  • A staged timeline for the move from 200-day to 100-day and 47-day certificate lifetimes.
  • Practical implementation examples for certificate lifecycle management across AWS, Azure, and endpoint environments.
  • Operational arguments for why manual certificate administration breaks at scale and where automation changes the model.
  • A future-facing discussion of cryptographic agility and post-quantum preparation in certificate programmes.

👉 GlobalSign's full eBook covers the operational roadmap for automation, auditability, and certificate agility.

Deepen your knowledge

NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management. It gives security and identity practitioners a common operating model for lifecycle control across humans, workloads, and services.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-20.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org