TL;DR: Certificate lifetimes are shortening from 398 days today to 200 days in March 2026, 100 days in March 2027, and 47 days in March 2029, according to GlobalSign. Manual renewal processes cannot keep pace, so certificate governance is shifting from periodic administration to continuous automation and crypto-agility.
NHIMG editorial — based on content published by GlobalSign: the changing lifecycle of SSL/TLS certificates and the move toward automation
By the numbers:
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases.
Questions worth separating out
Q: How should security teams respond to shorter certificate lifespans?
A: They should treat shorter lifespans as an automation mandate, not as a reason to add more manual review.
Q: Why do short-lived certificates matter for machine identity governance?
A: Short-lived certificates matter because they are time-bound non-human credentials that define how systems prove identity to each other.
Q: What do teams get wrong about certificate automation?
A: They often treat it as a convenience upgrade instead of a resilience control.
Practitioner guidance
- Inventory every certificate and dependency chain Build a live register of certificates, expiry dates, issuing CAs, and the services that depend on each certificate.
- Automate renewal and reissue workflows Use ACME or equivalent automation to remove spreadsheet-driven renewal tasks from operational paths.
- Assign named ownership for certificate lifecycle control Make one team accountable for issuance, renewal, validation, and revocation oversight across the estate.
What's in the full article
GlobalSign's full article covers the operational detail this post intentionally leaves for the source:
- A practical explanation of why 47-day certificate lifetimes change renewal operations and staffing assumptions.
- Discussion of the ACME protocol in the context of enterprise certificate automation and lifecycle management.
- Examples of certificate failures that caused outages in major services and public sector portals.
- The article's view of how post-quantum cryptography and TLS 1.3 shape future trust planning.
👉 Read GlobalSign's analysis of shrinking certificate lifetimes and PKI automation →
Certificate lifetimes are shrinking fast. Are your controls ready?
Explore further
Shorter certificate lifetimes create a machine identity governance problem, not just a renewal problem. The article is right to frame expiry as a trust issue, because every certificate is a machine identity with an owner, dependency chain, and failure mode. Once validity drops to weeks, the control gap is no longer technical awareness but lifecycle governance. Practitioners should treat certificates as governed identities with inventory, ownership, and validation requirements.
A question worth separating out:
Q: Who is accountable when an expired certificate causes a service outage?
A: Accountability sits with the team that owns certificate lifecycle governance, not only with infrastructure operations. The failure usually reflects missing ownership, weak inventory, and lack of automated renewal controls, which makes the issue a programme problem as much as a technical one.
👉 Read our full editorial: Shorter certificate lifetimes are forcing PKI automation now