TL;DR: Certificate lifespans are shrinking from 398 days to 47 days by 2029, while a 2023 Starlink outage shows how expired certificates can still trigger major operational failures, according to Infisical’s analysis. Manual certificate management is no longer scalable because machine identity governance now has to absorb faster renewal cycles, broader discovery, and tighter automation.
NHIMG editorial — based on content published by Infisical: Best Certificate Management Tools in 2026
By the numbers:
- A report by the CNCF indicates that 98% of organizations surveyed have now adopted cloud native technologies.
Questions worth separating out
Q: How should security teams manage certificate renewal as lifespans keep shrinking?
A: Security teams should move certificate renewal into an automated lifecycle process that includes discovery, policy enforcement, and revocation, not just issuance.
Q: Why do expired certificates create both reliability and security risk?
A: Expired certificates do more than interrupt service.
Q: What do security teams get wrong about certificate management tools?
A: Teams often focus on renewal features and ignore discovery, protocol support, and deployment fit.
Practitioner guidance
- Inventory every certificate before shortening lifespans do it for you Build a complete certificate inventory across cloud, on-prem, Kubernetes, and device estates, then classify each certificate by owner, expiry, issuing authority, and renewal path.
- Replace manual renewal workflows with protocol-based automation Use ACME, SCEP, or EST where they fit your environment, and eliminate spreadsheet or ticket-based renewal tracking for operational certificates.
- Treat CA flexibility as a control requirement Evaluate whether your certificate platform can support both public and private authorities without re-architecting the renewal process.
What's in the full article
Infisical's full blog post covers the operational detail this post intentionally leaves for the source:
- Side-by-side tool-by-tool breakdown of pricing models, deployment constraints, and licensing trade-offs
- Specific protocol and integration support across ACME, SCEP, EST, Kubernetes, Terraform, and GitOps
- Per-vendor feature limits, including audit retention, support scope, and self-hosted deployment caveats
- Buying guidance for teams choosing between open source, sales-gated, and hybrid certificate management options
👉 Read Infisical’s analysis of the best certificate management tools in 2026 →
47-day certificates and machine identity: are your controls ready?
Explore further
Manual certificate management has become a machine identity governance debt. The article’s core point is that expiry-driven control breaks down when renewal volume rises faster than human process can absorb. That is not just an operational inconvenience, it is a governance debt built into how many organisations still manage workload trust. The implication is that certificate programmes should be judged by their automation depth, not by whether they can eventually renew a cert.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
A question worth separating out:
Q: Who is accountable when certificate expiry causes an outage?
A: Accountability sits with the team responsible for machine identity governance, not just operations or infrastructure alone. If certificate renewal depends on manual follow-up, the control is not mature enough for short-lived certificates. Frameworks like NIST Cybersecurity Framework 2.0 and OWASP Non-Human Identity Top 10 both point toward explicit ownership, lifecycle control, and continuous verification.
👉 Read our full editorial: Certificate management tools are shifting toward automated machine identity