TL;DR: SSL/TLS certificate validity is moving from 398 days to 47 days by 2029, while many organisations still rely on manual certificate management that cannot keep pace with rotation, inventory, and renewal pressure, according to GlobalSign. The operational shift makes certificate lifecycle governance a workload identity problem as much as a PKI problem.
NHIMG editorial — based on content published by GlobalSign: the changing economics of SSL/TLS certificate management as validity periods shorten
By the numbers:
- SSL/TLS certificates will pass from 398 days to 47 days by 2029.
Questions worth separating out
Q: What breaks when public TLS certificates are managed without automation?
A: What breaks first is consistency, then availability.
Q: Why do shorter certificate lifetimes create more operational risk?
A: Shorter lifetimes compress the time teams have to discover, approve, renew, and validate trust without interruption.
Q: How do security teams know if certificate lifecycle management is working?
A: Certificate lifecycle management is working when every certificate has a clear owner, renewal is automated or tightly managed, and expiry cannot occur without escalation.
Practitioner guidance
- Build a live certificate inventory Map every active SSL/TLS certificate to a service owner, deployment location, expiry date, and dependency chain.
- Automate renewal and revocation together Do not automate issuance alone.
- Set risk thresholds by certificate class Differentiate public-facing, internal, and machine-to-machine certificates in policy.
What's in the full article
GlobalSign's full blog post covers the operational detail this post intentionally leaves for the source:
- How GlobalSign expects certificate lifetimes to change across the 2029 transition window.
- Practical context on why manual certificate management struggles as renewal cycles shorten.
- The article's framing of what certificate automation needs to replace in day-to-day operations.
👉 Read GlobalSign's analysis of shrinking SSL/TLS certificate lifetimes and lifecycle pressure →
SSL/TLS certificate lifecycles are tightening and manual controls are cracking?
Explore further
Certificate lifecycle drift is a non-human identity governance problem, not just a PKI problem. Certificates are credentials that authenticate services, workloads, and automated exchanges. When their lifecycle is managed manually, ownership becomes unclear and expiry becomes a business risk rather than a technical event. Practitioners should treat certificate governance as part of NHI control, not a separate infrastructure task.
A question worth separating out:
Q: How should organisations govern certificates alongside NHI controls?
A: They should treat certificates as part of the wider non-human identity estate and govern them with the same discipline used for service accounts and API credentials. That means assigning ownership, limiting scope, tracking lifecycle events, and proving revocation. Certificate governance should sit inside identity operations, not beside it.
👉 Read our full editorial: Certificate lifecycles are tightening as manual management breaks down