Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

47-day certificate lifecycles: what PKI teams need to change


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: As public TLS certificates move toward 47-day lifecycles by 2029, renewal volume can rise almost eightfold for large environments, exposing manual PKI processes that cannot keep pace, according to DigiCert. Certificate governance is shifting from periodic maintenance to alliance-driven automation, where reliability depends on coordinated lifecycle control across platforms, operators, and integrators.

NHIMG editorial — based on content published by DigiCert: Why strategic alliances are now a must-have for PKI

By the numbers:

Questions worth separating out

Q: How should security teams manage certificate lifecycles as public TLS terms shorten?

A: Security teams should treat certificate renewal as a continuous lifecycle process rather than a periodic maintenance task.

Q: Why do shorter certificate lifecycles create operational risk for PKI teams?

A: Shorter lifecycles compress the time available for renewal and installation, which magnifies every coordination failure.

Q: What do organisations get wrong about automation in PKI governance?

A: Many teams automate certificate issuance but leave installation, validation, and monitoring partially manual.

Practitioner guidance

  • Inventory every certificate dependency across the estate Map where certificates are issued, installed, validated, and monitored across load balancers, application delivery controllers, firewalls, cloud platforms, and legacy systems.
  • Remove human touchpoints from renewal and installation paths Automate issuance, renewal, deployment, binding, and validation through native APIs and workflow orchestration.
  • Assign explicit ownership for exception handling Separate the roles of policy owner, operator, and integrator so failures do not bounce between teams.

What's in the full article

DigiCert's full blog covers the operational detail this post intentionally leaves for the source:

  • Certified integration patterns for certificate deployment across load balancers and application delivery controllers.
  • The operating split between CA, CLM platform, MSSP, and GSI roles in a 47-day certificate ecosystem.
  • How certificate event telemetry should flow into SIEM and observability workflows for exception-based response.
  • The post's discussion of post-quantum migration planning and hybrid cryptographic transition scenarios.

👉 Read DigiCert's analysis of strategic alliances for 47-day PKI lifecycle management →

47-day certificate lifecycles: what PKI teams need to change?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

47-day certificate governance is an identity lifecycle problem, not just a PKI problem. The operational challenge is not the certificate itself but the governance model around issuance, rotation, validation, and ownership. When lifecycles shrink from a year to weeks, certificate handling starts to resemble machine identity lifecycle management, where policy, automation, and accountability must align continuously. Practitioner conclusion: PKI programmes now need to be run like identity programmes, not like annual renewals.

A few things that frame the scale:

A question worth separating out:

Q: Who is accountable when certificate automation fails during renewal or migration?

A: Accountability should be split across the policy owner, the operator, and the integration owner, with clear escalation paths for failed renewals and validation errors. In a short-lifecycle environment, unclear ownership is itself a control failure because no team can safely assume another will catch the exception in time.

👉 Read our full editorial: 47-day PKI certificate lifecycles demand alliance-driven governance



   
ReplyQuote
Share: