Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

47-day TLS certificates: are your renewal controls ready yet?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: CA/B Forum policy will shorten public TLS certificate lifetimes from 398 days to 200 days in 2026, 100 days in 2027, and 47 days by 2029, compressing renewal windows and exposing manual lifecycle weaknesses, according to CyberArk. The real issue is not certificate duration itself, but whether identity governance can sustain continuous renewal, inventory, and ownership at machine scale.

NHIMG editorial — based on content published by CyberArk: TLS certificate lifetimes are shortening, and automation is the only scalable response

By the numbers:

Questions worth separating out

Q: How should security teams prepare for shorter TLS certificate lifetimes?

A: Security teams should inventory all public certificates, assign clear ownership, and automate discovery and renewal before the next validity reduction arrives.

Q: When does manual certificate renewal become a security risk?

A: Manual renewal becomes a security risk once the renewal cadence is too tight for spreadsheets, tickets, and ad hoc approvals to keep pace.

Q: What breaks when public TLS certificates are managed without automation?

A: What breaks first is consistency, then availability.

Practitioner guidance

What's in the full article

CyberArk's full research covers the operational detail this post intentionally leaves for the source:

  • A renewal impact calculator that estimates the extra workload created by 47-day certificate lifecycles.
  • A certificate automation readiness checklist for teams assessing current maturity and gaps.
  • A white paper on certificate lifecycle change, CA distrust events, and cryptographic agility planning.
  • A practical framework for scaling certificate governance across hybrid and multi-cloud environments.

👉 Read CyberArk's analysis of the 47-day TLS certificate lifecycle shift →

47-day TLS certificates: are your renewal controls ready yet?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

47-day TLS is a certificate lifecycle shock, not a simple policy update. The shorter validity window forces identity teams to abandon any model built around periodic manual renewal. That model was designed for a slower operational cycle, and it fails when certificates must be renewed continuously across distributed environments. The implication is that certificate governance now belongs in the same operational conversation as NHI inventory, ownership, and lifecycle enforcement.

A few things that frame the scale:

  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to the Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which shows how often identity programmes still lack a reliable machine inventory.

A question worth separating out:

Q: Who is accountable when a certificate expires and causes downtime?

A: Accountability should sit with the team that owns the certificate lifecycle, not just the infrastructure that hosts it. If ownership is unclear, the incident exposes a wider governance problem in identity and access management because no one is responsible for renewal, exception handling, or escalation. That ambiguity is what makes certificate outages repeat.

👉 Read our full editorial: 47-day TLS certificate lifecycles will expose manual renewal gaps



   
ReplyQuote
Share: