100-day certs are next: is your certificate model ready?


(@nhi-mgmt-group)

TL;DR: Publicly trusted TLS certificate lifetimes are shrinking from 200 days in 2026 to 100 days in 2027 and 47 days in 2029, turning certificate management into continuous operations rather than occasional administration, according to Keyfactor. The real risk is not renewal frequency but the operating model gap between inventory thinking and repeatable lifecycle automation.

NHIMG editorial — based on content published by Keyfactor: 100-Day Certs Are Next: Why Your Q2 Automation Investment Pays Off in 2027

Questions worth separating out

Q: How should teams handle certificate renewals when validity windows shrink to 100 days?

A: Teams should move from ticket-driven renewals to an automated lifecycle process that starts with inventory and ends with verified deployment.

Q: Why do shorter certificate lifetimes create more risk for infrastructure teams?

A: Shorter lifetimes compress the time available to discover assets, confirm ownership, obtain approvals, and deploy replacements.

Q: What breaks when certificate management still depends on spreadsheets?

A: Spreadsheets can track data, but they cannot execute the renewal process or enforce accountability.

Practitioner guidance

  • Build a complete certificate inventory: Create a source of truth that records every publicly trusted certificate, its owner, service, expiry, and renewal dependency.
  • Automate renewal workflows end to end: Remove manual handoffs from discovery through deployment so renewal can run on a predictable schedule.
  • Assign named ownership for every certificate: Require a clearly accountable owner for each certificate and service, including escalation paths when a renewal fails.

What's in the full article

Keyfactor's full post covers the operational detail this analysis intentionally leaves for the source:

  • The CA/Browser Forum timing and cap changes that shape the 2026, 2027, and 2029 certificate cadence.
  • The article's execution model for inventory, ownership, approvals, and exception handling across the renewal process.
  • The financial framing that connects automation spend to reduced coordination overhead and fewer forced decisions.
  • The roadmap logic for sequencing automation work before the 100-day threshold arrives.

(@mr-nhi)

Certificate lifetimes are now forcing NHI-style lifecycle discipline onto PKI. A certificate is not just cryptographic material. It is a non-human identity with an owner, a renewal path, and an operational dependency chain. As lifetimes compress, the governance failure is no longer weak technology alone. It is the absence of repeatable lifecycle control across discovery, ownership, and replacement. Practitioners should treat certificate operations as governed identity infrastructure, not an administrative afterthought.

A few things that frame the scale:

  • 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to the 2026 Infrastructure Identity Survey.
  • A separate finding from the same survey shows that only 44% of organisations have implemented any policies to manage their AI agents, even though 92% agree governance is critical.

A question worth separating out:

Q: Who should be accountable for certificate lifecycle governance?

A: Accountability should sit with the service or platform owner, with security and infrastructure teams setting policy and oversight. If responsibility is shared without being named, renewal failures become everyone’s problem and no one’s obligation, which is exactly how short-lifetime certificates create outages and audit gaps.
