TL;DR: Certificate lifetimes are being shortened to 47 days from 2029, and Cybertrust Japan shows how ACME-based automation can reduce renewal overhead while exposing dependencies on platform integration, scheduling, and certificate lifecycle operations. The governance shift is bigger than renewal tooling: identity and trust teams now need continuous certificate management, not periodic maintenance.
At a glance
What this is: Cybertrust Japan describes automating server certificate renewal with ACME support on BIG-IP, set against the industry move toward much shorter TLS certificate lifetimes.
Why it matters: This matters because certificate renewal is becoming a higher-frequency identity governance problem, affecting workload authentication, operational continuity, and the controls used to manage secrets and machine trust.
By the numbers:
- 2026年 3月 15日以降、現在の 398日から段階的に短縮されることが決定し、最短 47 日になる可能性があります。
- 100 枚あったとすると、従来は「1年間に 100枚証明書を更新する」のみであったところが、有効期間が 100日となると「100日に 100枚」、つまり実質的に「1年間に 400枚証明書を更新する」ということになります。, とになります。
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
👉 Read Cybertrust Japan's article on automating SSL/TLS certificate renewal with ACME
Context
TLS certificate renewal is no longer a slow operational chore. As certificate validity periods shrink, the work shifts toward automated issuance, renewal, and deployment, which turns certificate management into a governance and lifecycle problem rather than a calendar reminder.
That shift matters for identity programmes because certificates are credentials. When renewal depends on ACME workflows, platform integration, and scheduling, the organisation is really managing machine identity lifecycle, secret handling, and service availability at the same time. This is a common operating pattern, not an edge case.
Key questions
Q: How should teams prepare for shorter certificate lifetimes in production?
A: Teams should start with inventory, automation, and rollback readiness. Shorter lifetimes only work if every certificate can be found, reissued, deployed, and verified without manual dependency hunts. The practical goal is to make renewal routine enough that emergency replacement becomes a tested operational capability rather than a fire drill.
Q: Why do shorter certificate lifetimes create more operational risk?
A: Shorter lifetimes compress the time teams have to discover, approve, renew, and validate trust without interruption. If those steps are manual or fragmented, more frequent renewals increase the chance of missed deadlines and failed services. The risk is not the shorter lifetime itself. The risk is weak lifecycle discipline at higher tempo.
Q: What breaks when certificate lifecycle management is still manual?
A: Manual certificate management breaks at the point where expiry, ownership, and renewal do not line up. Services fail when a certificate expires, teams lose visibility when ownership is fragmented, and outage response becomes reactive instead of governed. The result is avoidable downtime, repeated exceptions, and an estate that grows faster than the people managing it.
Q: How do teams know whether certificate automation is actually working?
A: Look for fewer human-mediated renewals, cleaner ownership records, lower expiry-driven outage rates, and reliable reporting across hybrid systems. If certificate work still depends on spreadsheets, ad hoc tickets, or last-minute interventions, the automation layer has not replaced the underlying operational risk.
Technical breakdown
How ACME automates certificate issuance and renewal
ACME, the Automatic Certificate Management Environment, is a protocol that lets a client request, renew, and install certificates without manual ticket-driven steps. The client proves control of a domain, receives issuance data from a CA, and can then repeat the process on a schedule. In the article’s example, BIG-IP acts as the ACME client, so certificate lifecycle events become machine-executed rather than operator-executed. That reduces manual work, but it also means the renewal path must be dependable, observable, and authorized end to end.
Practical implication: treat ACME enrolment, renewal, and failure handling as a controlled identity workflow, not just a convenience feature.
Why shorter certificate lifetimes change the operating model
Shorter lifetimes compress the time between issuance and replacement, which increases the number of operational events per certificate. A 398-day certificate can be handled in a lighter-touch model, but a 47-day certificate pushes teams toward recurring automation, monitoring, and exception handling. The technical issue is not only scale. It is the trust dependency on the renewal pipeline itself, because any break in scheduling, connectivity, or policy enforcement can interrupt service authentication at the wrong moment.
Practical implication: validate renewal reliability under failure conditions before shortening lifetimes across production services.
Platform-specific ACME clients and integration constraints
The article shows that ACME support in a load balancer or security appliance is not always uniform across platforms. Some environments can use built-in integration, while others depend on vendor-specific tooling or external clients such as KOJOT-ACME. That creates architectural fragmentation: the certificate authority policy may be standard, but the deployment path, configuration files, profile assignment, and renewal scheduling vary by platform. The result is a mixed operational model that can hide differences in control maturity across environments.
Practical implication: inventory which platforms have native ACME support and which rely on external clients or scripts.
NHI Mgmt Group analysis
Certificate automation is becoming machine identity governance, not just SSL maintenance. As certificate lifetimes fall, the operational question shifts from how to renew certificates to how to govern the full lifecycle of credentials that authenticate services. That is squarely an identity control problem, even when the certificate sits on a network appliance rather than a user account. Practitioners should treat renewal automation as part of machine identity governance.
Shorter lifetimes expose renewal fragility that manual processes used to hide. A renewal path that works when certificates last many months may fail when the cadence accelerates to weeks. The real control gap is not the certificate itself, but the organisation’s ability to prove that issuance, renewal, deployment, and rollback all work consistently under time pressure. Teams should measure renewal resilience, not just renewal success.
Platform integration will become the differentiator between policy and practice. ACME is standardised, but implementation is not. When certificates are managed through load balancers, security appliances, or external scripts, the organisation inherits differences in logging, authorization, and failure handling. That creates a named concept we can call certificate lifecycle fragmentation: the same policy exists everywhere, but the execution path varies enough to weaken governance. Practitioners should map that fragmentation before shortening lifetimes further.
Identity teams should read certificate shortening as an early warning for broader secret rotation pressure. Certificate renewal is often the first credential lifecycle to be automated at scale, but the same operating logic will apply to API keys, tokens, and workload credentials. Organisations that build disciplined certificate automation now will be better positioned to handle the broader NHI population later. The next governance step is to align machine credential lifecycle with the rest of identity operations.
What this signals
Certificate lifecycle fragmentation will become a practical risk term for identity and platform teams as certificate lifetimes compress. The more varied the deployment path across appliances, scripts, and external clients, the more likely policy drift and renewal failure become. Teams should inventory those paths now and align them with the controls in NIST SP 800-53 Rev 5 Security and Privacy Controls.
For identity programmes, the deeper signal is that machine credentials are being managed under tighter operational clocks than most human identity processes. That creates a natural convergence with NHI governance, where ownership, rotation cadence, and offboarding are already core concerns. The governance lesson is simple: if you cannot describe the lifecycle, you do not yet control the credential.
As more services depend on automated issuance, the programme question changes from whether certificates are encrypted to whether they are governable at scale. That is where lifecycle visibility, exception management, and renewal observability start to matter more than the transport protocol itself. Teams that can trace each credential from creation to retirement will be better positioned to absorb the next shortening cycle.
For practitioners
- Map all certificate lifecycle paths Document where certificates are issued, renewed, deployed, and revoked, including BIG-IP, FortiGate, and any external ACME clients or scripts. Flag every manual handoff and every platform-specific exception before lifetime reductions take effect.
- Test renewal failure modes under production conditions Simulate CA unavailability, scheduling failure, invalid profile settings, and profile assignment errors to see whether services continue or fail closed. The goal is to confirm that renewal automation remains reliable when the control plane is stressed.
- Separate policy design from platform execution Define certificate policy centrally, then verify how each appliance or workload actually enforces it. Where native support is missing, require documented external client ownership, script review, and rollback procedures.
- Align certificate renewal with identity governance Treat certificates as machine credentials in the same governance inventory as API keys, tokens, and service accounts. Link ownership, renewal cadence, and offboarding responsibilities so certificate state is visible in identity operations.
Key takeaways
- Shorter certificate lifetimes turn TLS management into a continuous credential lifecycle problem, not a periodic maintenance task.
- Automation reduces renewal effort, but it also exposes hidden dependencies in scheduling, platform integration, and rollback readiness.
- Identity and security teams should govern certificates as machine credentials, with ownership, observability, and exception handling built in.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5, NIST Zero Trust (SP 800-207) and CIS Controls v8 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Certificate renewal and lifecycle control are core NHI governance concerns. |
| NIST CSF 2.0 | PR.AC-1 | Certificate automation changes access and identity assurance for services. |
| NIST SP 800-53 Rev 5 | IA-5 | Authenticator management covers certificate lifecycle and renewal discipline. |
| NIST Zero Trust (SP 800-207) | Automated certificate trust supports continuous verification in zero trust architectures. | |
| CIS Controls v8 | CIS-5 , Account Management | Credential lifecycle governance maps to account and credential management practices. |
Treat certificates as managed machine credentials and enforce explicit ownership, renewal, and revocation processes.
Key terms
- ACME: ACME is a protocol used to automate certificate issuance and renewal between a client and a certificate authority. For practitioners, it reduces manual renewal work, but it also introduces a dependency on correct client configuration, credential handling, and monitoring of the automation path.
- Certificate Lifecycle Management: The governance of digital certificates from issuance through renewal and revocation, ensuring certificates are valid, monitored, and rotated before expiry. Expired certificates are a leading cause of outages and unplanned security gaps.
- Machine Identity: Machine identity is the credential set a service uses to authenticate to other systems, such as certificates, tokens, or API keys. In practice, it is a governance object with ownership, rotation, and offboarding requirements, not just a technical asset embedded in infrastructure.
What's in the full article
Cybertrust Japan's full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step BIG-IP and KOJOT-ACME setup details for environments that need implementation guidance.
- Exact configuration flow for issuing, renewing, and applying certificates through the ACME client.
- Hands-on notes on schedule handling, renewal execution, and the certificate replacement sequence.
- Examples of how the approach is being explored across other appliance platforms such as FortiGate and A10 Thunder.
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, workload identity, and secrets management for practitioners who need to connect credential lifecycle to operational control. It helps identity and security teams build the governance habits that certificate automation now requires.
Published by the NHIMG editorial team on July 12, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org