
47-day certificate lifecycles: what PKI teams need to change


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 7843
Topic starter  

TL;DR: As public TLS certificates move toward 47-day lifecycles by 2029, renewal volume can rise almost eightfold for large environments, exposing manual PKI processes that cannot keep pace, according to DigiCert. Certificate governance is shifting from periodic maintenance to alliance-driven automation, where reliability depends on coordinated lifecycle control across platforms, operators, and integrators.

NHIMG editorial — based on content published by DigiCert: Why strategic alliances are now a must-have for PKI

By the numbers:

Questions worth separating out

Q: How should security teams manage certificate lifecycles as public TLS terms shorten?

A: Security teams should treat certificate renewal as a continuous lifecycle process rather than a periodic maintenance task.

Q: Why do shorter certificate lifecycles create operational risk for PKI teams?

A: Shorter lifecycles compress the time available for renewal and installation, which magnifies every coordination failure.

Q: What do organisations get wrong about automation in PKI governance?

A: Many teams automate certificate issuance but leave installation, validation, and monitoring partially manual.

Practitioner guidance

  • Inventory every certificate dependency across the estate: map where certificates are issued, installed, validated, and monitored across load balancers, application delivery controllers, firewalls, cloud platforms, and legacy systems.
  • Remove human touchpoints from renewal and installation paths: automate issuance, renewal, deployment, binding, and validation through native APIs and workflow orchestration.
  • Assign explicit ownership for exception handling: separate the roles of policy owner, operator, and integrator so failures do not bounce between teams.
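The three guidance points above (inventory with endpoint and owner, automated renewal decisions, and sizing the renewal load at a 47-day lifetime) as an added worked example; this is not code from the NHIMG post or from DigiCert. It assumes an ACME-style rule of renewing once a third or less of the lifetime remains, and the inventory records, hostnames and dates are constructed.

```python
"""Added example: triage a certificate inventory for renewal under short
lifetimes and estimate the yearly renewal volume. Not from the original post."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class CertRecord:
    name: str         # subject / primary SAN
    endpoint: str     # where the cert is bound (LB, ADC, firewall, cloud, legacy)
    not_before: date
    not_after: date
    owner: str        # explicit exception owner for this binding


def lifetime_days(rec: CertRecord) -> int:
    return (rec.not_after - rec.not_before).days


def renewal_threshold_days(lifetime: int) -> int:
    # Assumed rule: renew once a third or less of the lifetime remains,
    # so a 47-day certificate is renewed with 15 days or fewer left.
    return lifetime // 3


def triage(inventory, today: date) -> dict:
    """Bucket the inventory by name into expired / renew_now / ok."""
    result = {"expired": [], "renew_now": [], "ok": []}
    for rec in inventory:
        remaining = (rec.not_after - today).days
        if remaining <= 0:
            result["expired"].append(rec.name)
        elif remaining <= renewal_threshold_days(lifetime_days(rec)):
            result["renew_now"].append(rec.name)
        else:
            result["ok"].append(rec.name)
    return result


def annual_renewals(cert_count: int, lifetime: int) -> int:
    """Renewals per year if every cert is renewed exactly at the threshold."""
    interval = lifetime - renewal_threshold_days(lifetime)
    return -(-cert_count * 365 // interval)   # ceiling division


# Constructed sample inventory: 47-day certs plus one legacy 398-day cert.
SAMPLE_TODAY = date(2029, 6, 1)
SAMPLE = [
    CertRecord("api.example.test", "lb-1", date(2029, 4, 20), date(2029, 6, 6), "net-ops"),
    CertRecord("www.example.test", "adc-2", date(2029, 5, 20), date(2029, 7, 6), "web-ops"),
    CertRecord("vpn.example.test", "fw-1", date(2029, 3, 1), date(2029, 4, 17), "sec-ops"),
    CertRecord("legacy.example.test", "hw-lb", date(2028, 5, 1), date(2029, 6, 3), "legacy"),
]

if __name__ == "__main__":
    print(triage(SAMPLE, SAMPLE_TODAY))
    print(annual_renewals(1000, 398), "->", annual_renewals(1000, 47))
```

Feeding the `renew_now` bucket into an orchestration job, and the `expired` bucket into an exception queue keyed by `owner`, is the hand-off the guidance describes.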

What's in the full article

DigiCert's full blog covers the operational detail this post intentionally leaves for the source:

  • Certified integration patterns for certificate deployment across load balancers and application delivery controllers.
  • The operating split between CA, CLM platform, MSSP, and GSI roles in a 47-day certificate ecosystem.
  • How certificate event telemetry should flow into SIEM and observability workflows for exception-based response.
  • The post's discussion of post-quantum migration planning and hybrid cryptographic transition scenarios.

👉 Read DigiCert's analysis of strategic alliances for 47-day PKI lifecycle management →
