TL;DR: Machines now outnumber people by more than 80 to 1, and phased browser rules will drive TLS certificate lifetimes down to 47 days by 2029, according to CyberArk and Gartner. Manual certificate management will not scale; automation becomes the control that keeps machine identities online and auditable.
At a glance
What this is: This is an analysis of how shrinking TLS certificate lifetimes turn PKI and certificate lifecycle management into a machine identity governance problem.
Why it matters: IAM and NHI teams need to treat certificates as identities because renewal speed, ownership, and automation will determine availability and auditability.
By the numbers:
- Machines now outnumber people by more than 80 to 1, and those workloads and devices all depend on digital certificates to prove who they are.
- Starting in March 2026, Microsoft, Apple, and Google will enforce phased rules that require TLS certificate lifetimes be cut to 47 days by 2029.
- A team managing 1,000 certificates manually would spend 4,000 hours a year under 398-day lifespans, rising to 48,000 hours with 47-day lifespans.
Read CyberArk's analysis of the 47-day TLS certificate era
Context
TLS certificates are not just configuration artifacts. In practice, they are machine identities that let workloads, APIs, containers, and services prove who they are to other systems. When certificate management stays manual, identity governance breaks down in the same way it does when human credentials are unmanaged: ownership is unclear, renewals are missed, and outages become a security and availability problem at once.
The article frames the coming 47-day certificate era as a scale problem for PKI and certificate lifecycle management, not simply a procurement issue. For IAM and NHI practitioners, the key shift is that certificate lifecycles now need the same governance patterns used for service accounts, secrets, and other non-human identities: visibility, policy, accountability, and automated renewal. That starting position is increasingly atypical, and it is not sustainable.
Key questions
Q: How should security teams prepare for shorter TLS certificate lifetimes?
A: Security teams should start by inventorying every certificate, identifying owners, and automating renewal for all high-risk and high-volume systems. The goal is to remove manual dependency before the shortened validity model increases renewal frequency. If a certificate can expire without a reliable automated path, it is already a governance problem.
Q: What is the difference between certificate management and certificate lifecycle management?
A: Certificate management is often treated as tracking issuance and expiry, while certificate lifecycle management includes ownership, policy, renewal, revocation, and offboarding. That broader lifecycle view is the only one that scales when certificates behave like machine identities. Practitioners should govern the full lifecycle, not just the expiry date.
Q: When does manual certificate handling become too risky?
A: Manual handling becomes too risky when the environment contains many distributed certificates, short renewal windows, or systems that must stay continuously available. At that point, the operational burden itself becomes a source of outages and audit failures. Organisations should automate before exceptions become the default operating model.
Q: Why do TLS certificates belong in NHI governance?
A: TLS certificates are machine identities because they prove identity for workloads, services, and devices just as credentials do for people. They need inventory, ownership, renewal, and revocation controls, which are core NHI governance functions. Separating certificates from the NHI programme leaves a major identity class outside oversight.
Technical breakdown
Why shorter TLS lifetimes change machine identity governance
TLS certificates function as cryptographic proof of identity for machines, so reducing certificate lifetime compresses the window in which a credential can stay valid. That improves exposure control in theory, but it also raises operational pressure because renewal, issuance, validation, and rollback must happen faster and more consistently. In a modern environment, certificates are distributed across clouds, clusters, applications, and edge systems, which makes manual tracking fragile. PKI and certificate lifecycle management therefore become identity systems, not just crypto plumbing. The core failure mode is not weak encryption, but stale, unmanaged, or expired identities creating outages or forcing unsafe exceptions.
Practical implication: Practitioners should model certificate lifetimes as an identity lifecycle constraint and remove any manual renewal path that cannot scale with shorter validity windows.
What automation changes in certificate lifecycle management
Automation in certificate lifecycle management covers discovery, ownership assignment, policy enforcement, renewal, and revocation. Agentless discovery finds certificates that teams do not already know about. ACME and API-driven workflows let systems renew certificates without human intervention, while centralized policy keeps issuance aligned to approval and trust rules. The important point is that automation is not only about speed. It reduces drift between what the identity policy says and what the infrastructure actually runs. Without that control plane, organizations end up with spreadsheets, ad hoc scripts, and inconsistent exceptions that are impossible to govern at scale.
Practical implication: Security teams should design certificate automation around discovery plus policy enforcement, not around renewal scripts alone.
How PKI and CLM fit into broader NHI controls
PKI and certificate lifecycle management sit in the same governance family as service account control, secret rotation, and workload identity. The common issue is standing trust that persists longer than intended. In an NHI programme, certificates should be inventory-backed, owned, rotated, and offboarded like any other machine credential. That means integrating certificate data into identity governance workflows, not leaving it in an operations silo. The governance question is whether the organisation can prove who owns each identity, where it is used, and how quickly it can be revoked or renewed when trust changes.
Practical implication: Teams should fold certificate inventory into NHI governance reviews and treat certificate ownership as an auditable control, not an operational detail.
Breaches seen in the wild
- MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.
- iOS app secrets leakage report — iOS apps leaking hardcoded secrets and credentials endangering user privacy.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
47-day certificates turn machine identity sprawl into an availability risk. The central issue is not whether TLS certificates exist, but whether organisations can renew them at the pace the new validity model demands. When machine identities outnumber people by orders of magnitude, renewal failures become outage events, and outage events become security events. Practitioners should treat certificate automation as resilience work, not just compliance work.
PKI and CLM now belong in the NHI control stack. Certificates are identity credentials, and their lifecycle has the same governance requirements as service accounts and tokens. That means inventory, ownership, policy enforcement, and revocation must be managed as part of one programme. Practitioners should stop separating certificate operations from identity governance.
Manual certificate handling creates trust debt. Every spreadsheet, exception, and untracked renewal pushes the environment further from policy and further from recoverability. Shorter validity periods do not create the weakness; they expose it faster. Practitioners should use the deadline to eliminate hidden certificate dependencies before they become operational failures.
Crypto-agility is becoming a governance requirement, not an upgrade path. The move toward shorter lifetimes also forces teams to think about algorithm change, hybrid cryptography, and future rotation demands. Organisations that can automate issuance and renewal are better positioned to absorb those changes without disruption. Practitioners should align certificate governance with long-term crypto-change readiness.
Centralized governance with decentralized execution is the right pattern. Machine identities are distributed, but policy cannot be. The practical model is a central control framework with local automation at the workload and application layer. Practitioners should enforce one policy model while allowing execution to happen where certificates are actually consumed.
From our research:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
- Only 20% of organisations have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Lifecycle Processes for Managing NHIs.
- For a broader inventory and governance baseline, review the Top 10 NHI Issues and compare certificate renewal controls against your current NHI lifecycle programme.
What this signals
Certificate governance is now an NHI problem, not a niche PKI problem. As machine identities multiply, the organisations that treat certificates as discrete assets rather than governed identities will accumulate hidden exposure. The practical response is to connect certificate inventory, ownership, and renewal policy to the same control plane used for broader non-human identity management, including guidance in the Ultimate Guide to NHIs.
With 90% of IT leaders saying properly managing NHIs is essential for a successful zero-trust implementation, the certificate deadline becomes a zero-trust stress test rather than a calendar event. Teams should align renewal automation with NIST Cybersecurity Framework 2.0 and verify that identity proofs can be rotated without human intervention.
Identity blast radius: Short certificate lifetimes reduce the period of trust, but only if renewal and revocation are actually enforceable in production. When a certificate expires unexpectedly, the blast radius is usually operational first and security second. Practitioners should use this shift to find every place where certificate handling still depends on spreadsheets, ticket queues, or tribal knowledge.
For practitioners
- Inventory every certificate and owner Build a current inventory of public TLS certificates, internal certificates, and any certificate used by workloads, APIs, or containers. Assign a business owner and an operational owner to each entry, then flag unknown or orphaned certificates for immediate remediation.
- Automate renewal before lifetimes shrink Replace spreadsheet-driven renewals with discovery, policy, and automated issuance workflows that can handle much shorter validity periods. Prioritise certificates that already sit in customer-facing systems, CI/CD pipelines, and hybrid environments.
- Map certificate governance to NHI lifecycle controls Treat certificate issuance, renewal, rotation, and revocation as part of the same lifecycle model you use for other non-human identities. Make lifecycle evidence available for audit, and include expiry risk in access and resilience reviews.
- Test failure handling for expired or missing certificates Run tabletop exercises and recovery drills for certificate expiry, failed renewal, and CA outage scenarios. Validate how quickly teams can detect the issue, rotate to a backup trust path, and restore service without manual shortcuts.
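As an added example covering the inventory and automation steps above (not CyberArk's or NHIMG's code), the Python below triages a constructed certificate inventory: it flags orphaned entries, certificates already inside their renewal window, and manual renewal paths on certificates at or below the 47-day lifetime, and estimates how many renewal events per year still depend on a person. The renew-when-one-third-remains threshold and the sample records are assumptions.

```python
# Added example, not CyberArk's or NHIMG's code; the inventory below is constructed sample data.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

@dataclass
class CertRecord:
    subject: str
    owner: Optional[str]  # business/operational owner; None means orphaned
    not_before: date
    not_after: date
    automated: bool       # True if renewed via ACME/API, False if a human does it

def lifetime_days(c: CertRecord) -> int:
    return (c.not_after - c.not_before).days

def renewal_deadline(c: CertRecord, renew_fraction: float = 1 / 3) -> date:
    """Date by which renewal must have started: when renew_fraction of the lifetime remains (assumed policy)."""
    return c.not_after - timedelta(days=int(lifetime_days(c) * renew_fraction))

def manual_renewals_per_year(inventory: List[CertRecord]) -> float:
    """Renewal events per year that still need a human, derived from each cert's lifetime."""
    return sum(365 / lifetime_days(c) for c in inventory if not c.automated)

def triage(inventory: List[CertRecord], today: date,
           max_manual_lifetime: int = 47) -> List[Tuple[str, str]]:
    """Return (subject, issue) findings: orphaned, expired, due for renewal, manual short-lived."""
    findings = []
    for c in inventory:
        if c.owner is None:
            findings.append((c.subject, "orphaned: no owner assigned"))
        if c.not_after < today:
            findings.append((c.subject, "expired"))
        elif today >= renewal_deadline(c):
            findings.append((c.subject, "inside renewal window, not yet renewed"))
        if not c.automated and lifetime_days(c) <= max_manual_lifetime:
            findings.append((c.subject, "manual renewal path on a short-lived certificate"))
    return findings

# Constructed sample: a 47-day automated cert, a 398-day orphan, an expired 47-day manual cert.
SAMPLE_INVENTORY = [
    CertRecord("api.example.test", "platform", date(2026, 3, 1), date(2026, 4, 17), True),
    CertRecord("legacy.example.test", None, date(2025, 2, 10), date(2026, 3, 15), False),
    CertRecord("edge.example.test", "edge-ops", date(2026, 1, 20), date(2026, 3, 8), False),
]

def run_sample(today: date = date(2026, 3, 15)) -> List[Tuple[str, str]]:
    return triage(SAMPLE_INVENTORY, today)
```

Running `run_sample()` on the constructed data yields four findings, all on the two manually handled certificates; the automated 47-day certificate passes.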
Key takeaways
- Shorter TLS certificate lifetimes make machine identity governance a reliability issue as much as a security issue.
- Manual renewal models will not scale as certificate validity shrinks, so automation becomes the control that prevents outages and policy drift.
- Certificates should be governed as non-human identities with inventory, ownership, renewal, and revocation controls tied to one lifecycle model.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Short-lived certificates require disciplined rotation and revocation. |
| NIST CSF 2.0 | PR.AC-4 | Machine identity access depends on managed credentials and verification. |
| NIST Zero Trust (SP 800-207) | | Continuous verification depends on strong machine identity and credential freshness. |
Treat certificate renewal as a lifecycle control and automate rotation before expiry windows compress further.
Key terms
- Machine Identity: A machine identity is the credentialed identity used by a workload, service, container, or device to authenticate itself. In practice, this can be a certificate, token, API key, or service account. Machine identities need ownership, lifecycle controls, and rotation just like human credentials.
- Certificate Lifecycle Management: Certificate lifecycle management is the process of discovering, issuing, tracking, renewing, revoking, and retiring certificates across an environment. It turns certificates from one-time assets into governed identities, which is necessary when validity periods are short and systems depend on continuous authentication.
- Crypto-Agility: Crypto-agility is the ability to change cryptographic algorithms, trust chains, and certificate handling without breaking production systems. It matters because identity infrastructure must adapt to shorter certificate lifetimes, policy changes, and future algorithm transitions while keeping services available.
- Identity Blast Radius: Identity blast radius is the amount of damage that can occur when an identity is overprivileged, stale, or compromised. In machine identity environments, poor certificate governance expands the blast radius by letting expired or mismanaged credentials disrupt many systems at once.
Deepen your knowledge
Certificate lifecycle automation is a core topic in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building a governance programme around machine identities and short-lived certificates, it is worth exploring.
This post draws on content published by CyberArk: The next identity frontier: Automating PKI and certificate management before the 47-day era arrives. Read the original.
Published by the NHIMG editorial team on 2025-12-18.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org