47-day certificates: is your PKI still manageable by hand?


(@nhi-mgmt-group)
Topic starter

TL;DR: Manual certificate tracking is breaking down as certificate lifespans shrink, environments sprawl across cloud and DevOps, and outages remain expensive, according to Keyfactor. Spreadsheet-based PKI is no longer a governance model, because visibility, auditability, and renewal speed now determine operational resilience.

NHIMG editorial — based on content published by Keyfactor: Stop Using Spreadsheets for Certificates – Here’s What to Do Instead

By the numbers:

Questions worth separating out

Q: How should security teams manage certificates when renewal windows keep shrinking?

A: Security teams should move from manual renewal to centralized discovery, policy-based automation, and clear ownership for every certificate.

Q: Why do spreadsheets fail as a certificate governance model?

A: Spreadsheets fail because they cannot keep pace with certificate sprawl, short lifetimes, and changing dependencies across cloud and DevOps environments.

Q: What signals show that certificate management is outside control?

A: Warning signs include repeated last-minute renewals, incomplete ownership records, unknown certificates in production, and outages caused by missed expiry dates.

Practitioner guidance

  • Centralize certificate discovery across all environments. Build an inventory that covers on-premise systems, cloud-native workloads, DevOps pipelines, containers, and mobile applications so expiration risk is visible in one place.
  • Automate renewal before expiry windows narrow further. Replace ticket-based renewals and spreadsheet reminders with policy-driven workflows that can renew, deploy, and verify certificates without manual handoffs.
  • Separate issuance authority from operational ownership. Assign clear certificate owners, enforce role-based access for issuance, and require logged approval paths for changes to trust settings or CA usage.

What's in the full article

Keyfactor's full blog covers the operational detail this post intentionally leaves for the source:

  • The article's full examples on why 47-day certificate lifetimes make manual renewal unsustainable at scale.
  • The section on how certificate automation supports centralized monitoring across cloud-native, DevOps, mobile, and on-premise environments.
  • The discussion of how reporting and alerting help teams produce audit evidence for PCI DSS and HIPAA requirements.
  • The operational case for policy-driven workflows, self-service portals, and API integration in PKI management.

👉 Read Keyfactor's analysis of why manual certificate management no longer scales →
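The three signals the post lists (expiring certificates, missing ownership, and unknown certificates in production) can be checked mechanically once you have an inventory keyed by fingerprint. The following Go program is an added illustration, not code from Keyfactor or from NHIMG: it mints a small constructed fleet of self-signed 47-day certificates to stand in for what discovery would find on real endpoints, compares them against an inventory held as a plain map, and applies an assumed renewal policy of "renew once less than one third of the lifetime remains". The host names, team names, the fixed audit date and the one-third threshold are all assumptions chosen for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"sort"
	"time"
)

// Finding is one issue the audit raises for a certificate seen in production.
// Kind is "expired", "expiring", "unowned" (tracked, but no owner recorded) or
// "unknown" (seen in production but absent from the inventory entirely).
type Finding struct {
	Fingerprint string
	CommonName  string
	Kind        string
	DaysLeft    int
}

// Inventory maps a certificate's SHA-256 fingerprint (hex) to the owning team.
// This is the record a spreadsheet would normally hold; here it is a plain map.
type Inventory map[string]string

// Policy says how early to renew: when remaining validity falls below
// RenewFraction of the total lifetime. With 47-day certificates and 1/3
// (an assumed value for this example) that is roughly 15 days before expiry.
type Policy struct {
	RenewFraction float64
}

// Fingerprint returns the hex SHA-256 of the DER encoding, the usual key for
// matching an observed certificate to an inventory record.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// Audit compares certificates observed in production with the inventory and the
// renewal policy, returning findings ordered by urgency (fewest days left first).
func Audit(observed []*x509.Certificate, inv Inventory, p Policy, now time.Time) []Finding {
	var out []Finding
	for _, c := range observed {
		fp := Fingerprint(c)
		cn := c.Subject.CommonName
		lifetime := c.NotAfter.Sub(c.NotBefore)
		remaining := c.NotAfter.Sub(now)
		days := int(remaining.Hours() / 24)
		renewAt := time.Duration(float64(lifetime) * p.RenewFraction)

		// Ownership checks: is it tracked at all, and does someone own it?
		owner, known := inv[fp]
		switch {
		case !known:
			out = append(out, Finding{fp, cn, "unknown", days})
		case owner == "":
			out = append(out, Finding{fp, cn, "unowned", days})
		}
		// Lifetime checks: already expired, or inside the renewal window?
		switch {
		case remaining <= 0:
			out = append(out, Finding{fp, cn, "expired", days})
		case remaining < renewAt:
			out = append(out, Finding{fp, cn, "expiring", days})
		}
	}
	sort.SliceStable(out, func(i, j int) bool {
		if out[i].DaysLeft != out[j].DaysLeft {
			return out[i].DaysLeft < out[j].DaysLeft
		}
		return out[i].Kind < out[j].Kind
	})
	return out
}

var serial int64

// mintCert issues a self-signed certificate with the given validity. It stands in
// for certificates discovered on real endpoints (constructed test data, not real PKI).
func mintCert(cn string, notBefore time.Time, lifetime time.Duration) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// RunSample builds a constructed fleet of 47-day certificates and audits it at a
// fixed "now" so the result is reproducible.
func RunSample() []Finding {
	const day = 24 * time.Hour
	const lifetime = 47 * day
	now := time.Date(2025, 6, 1, 12, 0, 0, 0, time.UTC)

	api := mintCert("api.example.internal", now.Add(-40*day), lifetime)        // 7 days left
	runner := mintCert("ci-runner.example.internal", now.Add(-5*day), lifetime) // 42 days left
	legacy := mintCert("legacy.example.internal", now.Add(-10*day), lifetime)   // 37 days left
	batch := mintCert("batch.example.internal", now.Add(-50*day), lifetime)     // expired 3 days ago

	inv := Inventory{
		Fingerprint(api):    "platform-team",
		Fingerprint(runner): "", // tracked, but nobody recorded an owner
		Fingerprint(batch):  "data-team",
		// legacy.example.internal was never recorded at all
	}
	observed := []*x509.Certificate{api, runner, legacy, batch}
	return Audit(observed, inv, Policy{RenewFraction: 1.0 / 3}, now)
}

func main() {
	for _, f := range RunSample() {
		fmt.Printf("%-9s %-28s days_left=%4d fp=%s\n", f.Kind, f.CommonName, f.DaysLeft, f.Fingerprint[:16])
	}
}
```

Keying on the SHA-256 fingerprint rather than the subject name is deliberate: a renewed certificate has a new fingerprint, so a stale inventory row shows up as "unknown" instead of silently matching the old entry. In a real deployment the observed list would come from TLS scans, container registries and CI secrets stores, and the inventory from a database rather than a map, but the audit logic is the same.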

(@mr-nhi)

Manual certificate tracking is now a control failure, not an administrative shortcut. Spreadsheets work only when certificate populations are stable, ownership is obvious, and renewal cycles are forgiving. None of those conditions hold in modern infrastructure, where certificates span cloud, containers, mobile services, and CI pipelines. The implication is that certificate governance has crossed from clerical risk into identity control failure.

A few things that frame the scale:

  • 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, with 38% reporting no or low visibility and a further 47% only partial visibility.

A question worth separating out:

Q: Who should own certificate lifecycle accountability?

A: Ownership should sit with the team responsible for the service using the certificate, while security or platform teams enforce policy and logging. This prevents orphaned certificates, unclear approvals, and hidden trust changes that can survive long after the original requester has moved on.

👉 Read our full editorial: Certificate automation is becoming mandatory as lifespans shrink
