TL;DR: Certificate lifetimes are being shortened to 47 days from 2029, and Cybertrust Japan shows how ACME-based automation can reduce renewal overhead while exposing dependencies on platform integration, scheduling, and certificate lifecycle operations. The governance shift is bigger than renewal tooling: identity and trust teams now need continuous certificate management, not periodic maintenance.
NHIMG editorial — based on content published by Cybertrust Japan: SureHandsOn ACME and BIG-IP KOJOT-ACME for automated server certificate renewal
By the numbers:
- 2026年 3月 15日以降、現在の 398日から段階的に短縮されることが決定し、最短 47 日になる可能性があります。
- 100 枚あったとすると、従来は「1年間に 100枚証明書を更新する」のみであったところが、有効期間が 100日となると「100日に 100枚」、つまり実質的に「1年間に 400枚証明書を更新する」ということになります。, とになります。
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
Questions worth separating out
Q: How should teams prepare for shorter certificate lifetimes in production?
A: Teams should start with inventory, automation, and rollback readiness.
Q: Why do shorter certificate lifetimes create more operational risk?
A: Shorter lifetimes compress the time teams have to discover, approve, renew, and validate trust without interruption.
Q: What breaks when certificate lifecycle management is still manual?
A: Manual certificate management breaks at the point where expiry, ownership, and renewal do not line up.
Practitioner guidance
- Map all certificate lifecycle paths Document where certificates are issued, renewed, deployed, and revoked, including BIG-IP, FortiGate, and any external ACME clients or scripts.
- Test renewal failure modes under production conditions Simulate CA unavailability, scheduling failure, invalid profile settings, and profile assignment errors to see whether services continue or fail closed.
- Separate policy design from platform execution Define certificate policy centrally, then verify how each appliance or workload actually enforces it.
What's in the full article
Cybertrust Japan's full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step BIG-IP and KOJOT-ACME setup details for environments that need implementation guidance.
- Exact configuration flow for issuing, renewing, and applying certificates through the ACME client.
- Hands-on notes on schedule handling, renewal execution, and the certificate replacement sequence.
- Examples of how the approach is being explored across other appliance platforms such as FortiGate and A10 Thunder.
👉 Read Cybertrust Japan's article on automating SSL/TLS certificate renewal with ACME →
Certificate automation and 47-day lifetimes: what teams need now?
Explore further
Certificate automation is becoming machine identity governance, not just SSL maintenance. As certificate lifetimes fall, the operational question shifts from how to renew certificates to how to govern the full lifecycle of credentials that authenticate services. That is squarely an identity control problem, even when the certificate sits on a network appliance rather than a user account. Practitioners should treat renewal automation as part of machine identity governance.
A question worth separating out:
Q: How do teams know whether certificate automation is actually working?
A: Look for fewer human-mediated renewals, cleaner ownership records, lower expiry-driven outage rates, and reliable reporting across hybrid systems. If certificate work still depends on spreadsheets, ad hoc tickets, or last-minute interventions, the automation layer has not replaced the underlying operational risk.
👉 Read our full editorial: ACME-based certificate automation and shrinking TLS lifetimes