TL;DR: SSL/TLS certificate validity is moving from 398 days to 47 days by 2029, while many organisations still rely on manual certificate management that cannot keep pace with rotation, inventory, and renewal pressure, according to GlobalSign. The operational shift makes certificate lifecycle governance a workload identity problem as much as a PKI problem.
At a glance
What this is: GlobalSign’s post argues that shrinking SSL/TLS certificate lifetimes will expose the limits of manual certificate lifecycle management.
Why it matters: For IAM and NHI practitioners, shorter certificate validity increases the urgency of inventory, rotation, and ownership controls across workload identities and service trust paths.
By the numbers:
- SSL/TLS certificates will pass from 398 days to 47 days by 2029.
👉 Read GlobalSign's analysis of shrinking SSL/TLS certificate lifetimes and lifecycle pressure
Context
SSL/TLS certificate management is moving from a periodic housekeeping task to a continuous governance problem. As validity periods shrink, the main issue is no longer whether an organisation can issue certificates, but whether it can discover them, assign ownership, and renew them before trust breaks.
This matters to identity teams because certificates are a form of non-human identity in practice: they authenticate workloads, services, and automated connections. When manual processes lag behind certificate churn, the failure mode is not just operational disruption, but unmanaged machine trust that sits outside IAM and PAM oversight.
Key questions
Q: What breaks when public TLS certificates are managed without automation?
A: What breaks first is consistency, then availability. Without automation, teams miss renewals, lose visibility into certificate ownership, and struggle to keep pace with shortening validity periods. In practice, that means outages become more likely, exception handling becomes routine, and the certificate lifecycle stops being a controlled process.
Q: Why do shorter certificate lifetimes create more operational risk?
A: Shorter lifetimes compress the time teams have to discover, approve, renew, and validate trust without interruption. If those steps are manual or fragmented, more frequent renewals increase the chance of missed deadlines and failed services. The risk is not the shorter lifetime itself. The risk is weak lifecycle discipline at higher tempo.
Q: How do security teams know if certificate lifecycle management is working?
A: Certificate lifecycle management is working when every certificate has a clear owner, renewal is automated or tightly managed, and expiry cannot occur without escalation. Teams should also verify that dependent controls keep operating during renewal events. If certificates still depend on ad hoc admin tracking, the process is not mature enough.
Q: How should organisations govern certificates alongside NHI controls?
A: They should treat certificates as part of the wider non-human identity estate and govern them with the same discipline used for service accounts and API credentials. That means assigning ownership, limiting scope, tracking lifecycle events, and proving revocation. Certificate governance should sit inside identity operations, not beside it.
Technical breakdown
Why shorter certificate lifetimes change the operating model
Certificate validity windows compress the time available to detect, renew, and validate trust. In older models, long-lived certificates tolerated manual queues and spreadsheet-driven ownership. As lifetimes shorten, that tolerance disappears, and certificate management becomes a continuous control loop across issuance, deployment, monitoring, and revocation. The technical issue is not only expiry dates. It is the dependency chain behind each certificate, including the services that use it, the automation that deploys it, and the inventory that knows it exists.
Practical implication: treat certificate renewal as an always-on workflow, not a calendar reminder.
Certificate inventory is now the control plane
A certificate can only be governed if the organisation can see where it is installed, who owns it, and which systems depend on it. Certificate sprawl creates hidden trust paths across web services, APIs, internal applications, and device fleets. In identity terms, that is a non-human identity visibility problem: unmanaged certificates behave like silent credentials with no reliable lifecycle owner. Without a current inventory, teams cannot enforce rotation policy, assess blast radius, or prove revocation coverage after compromise.
Practical implication: build a live certificate inventory tied to service owners and renewal thresholds.
Automation is required to close renewal and revocation gaps
Automation matters because the failure window around certificates is often created by human delay, not cryptographic weakness. ACME-style issuance can reduce friction, but automation only helps if renewal, deployment, validation, and revocation are integrated end to end. Where those steps are fragmented, expired certificates, duplicate issuance, and stale trust anchors become predictable. The governance lesson is that certificate lifecycle management has to behave like a managed identity process, with policy, owner accountability, and telemetry.
Practical implication: automate renewal and revocation together, not renewal in isolation.
NHI Mgmt Group analysis
Certificate lifecycle drift is a non-human identity governance problem, not just a PKI problem. Certificates are credentials that authenticate services, workloads, and automated exchanges. When their lifecycle is managed manually, ownership becomes unclear and expiry becomes a business risk rather than a technical event. Practitioners should treat certificate governance as part of NHI control, not a separate infrastructure task.
Shorter certificate validity exposes standing trust assumptions that many programmes still rely on. Long-lived certificates encourage complacency in renewal, inventory, and revocation processes. As validity periods compress, organisations that cannot automate ownership and rotation will accumulate hidden exposure across service-to-service trust paths. The practical conclusion is that lifetime reduction forces governance maturity, not just operational speed.
Certificate sprawl creates a visibility gap that maps directly to unmanaged machine credentials. The more certificates that exist across cloud, application, and device environments, the harder it becomes to prove which ones are active, needed, or expired. That makes certificate inventory a control requirement for identity security teams working across workload identity and service authentication. Practitioners should fold certificate discovery into broader NHI visibility and access governance.
Certificate rotation without policy is automation without control. Automated issuance can reduce effort, but it does not solve accountability, approval, or scope design by itself. If renewal logic is not tied to asset ownership and revocation workflows, teams simply move the failure faster. Practitioners should align certificate automation with lifecycle policy and evidence collection, not treat it as a standalone fix.
What this signals
Certificate governance is converging with NHI operations. As certificate lifetimes shrink, teams that still separate PKI from identity operations will struggle to maintain inventory, ownership, and revocation discipline. The practical shift is toward a single lifecycle view of machine credentials, supported by NHI Lifecycle Management Guide and policy controls aligned to NIST SP 800-53 Rev 5 Security and Privacy Controls.
Secrets and certificates now fail for the same governance reasons. Both break down when central management is weak and ownership is fragmented. In our research, 54% of organisations report dissatisfaction with current secrets management because not all secrets are secured, and that pattern will repeat in certificate programmes unless discovery and accountability are explicit.
Teams should expect certificate renewal to become a standing operational metric, not an occasional compliance check. That means measuring ownership coverage, expiry exposure, and revocation assurance together, then folding those results into broader identity risk reporting.
For practitioners
- Build a live certificate inventory Map every active SSL/TLS certificate to a service owner, deployment location, expiry date, and dependency chain. Include internal services, APIs, and device certificates so unmanaged machine trust does not sit outside governance.
- Automate renewal and revocation together Do not automate issuance alone. Connect renewal triggers to deployment validation and revocation workflows so expired or compromised certificates are removed from use before trust failures spread.
- Set risk thresholds by certificate class Differentiate public-facing, internal, and machine-to-machine certificates in policy. Apply tighter renewal thresholds where service disruption or unmanaged trust would create the highest operational impact.
- Tie certificate ownership to change control Require an accountable team or system owner for each certificate lifecycle event. Renewal, replacement, and revocation should be tracked in the same change process used for other identity-critical credentials.
Key takeaways
- Shrinking certificate lifetimes turn certificate management into a continuous identity governance problem, not a periodic PKI task.
- The main risk is not cryptography failure but visibility failure, because unmanaged certificates behave like hidden machine credentials.
- Automated renewal only helps when inventory, ownership, and revocation are governed as one lifecycle.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Certificate lifecycle drift overlaps with non-human identity credential governance. |
| NIST CSF 2.0 | PR.AC-1 | Identity and credential management applies to service certificates and workload trust. |
| NIST SP 800-53 Rev 5 | IA-5 | Authenticator management covers certificate issuance, renewal, and revocation workflows. |
| CIS Controls v8 | CIS-5 , Account Management | Certificate ownership and lifecycle control depend on account and asset management discipline. |
Treat certificates as managed NHI credentials and enforce ownership, rotation, and revocation policy.
Key terms
- Certificate Lifecycle Management: The process of tracking, issuing, renewing, replacing, and revoking digital certificates across their full useful life. In security programmes, it becomes a governance function because expired or orphaned certificates can interrupt services or leave trust paths active longer than intended.
- Machine Identity: A digital identity used by services, workloads, or devices to authenticate to other systems. Certificates, tokens, and keys often underpin it, which means machine identity governance depends on ownership, rotation, and revocation controls rather than human sign-in workflows.
- Certificate Sprawl: The uncontrolled growth of certificates across applications, environments, and teams. Sprawl reduces visibility, weakens ownership, and makes it harder to prove which certificates are active, needed, or safely retired, especially when lifetimes shorten and automation is incomplete.
What's in the full article
GlobalSign's full blog post covers the operational detail this post intentionally leaves for the source:
- How GlobalSign expects certificate lifetimes to change across the 2029 transition window.
- Practical context on why manual certificate management struggles as renewal cycles shorten.
- The article's framing of what certificate automation needs to replace in day-to-day operations.
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management. It helps practitioners connect certificate lifecycle control to the wider identity programme.
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org