Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

47-day TLS certificates: what it means for IAM and machine identity


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10745
Topic starter  

TL;DR: The CA/Browser Forum has approved a phased reduction in public TLS certificate lifetimes from 398 days to 47 days by 2029, with interim cuts beginning in 2026, turning renewal cadence into a recurring operational burden rather than an annual task, according to eMudhra. Manual certificate operations will not scale; automation becomes the difference between routine control and outage-prone sprawl.

NHIMG editorial — based on content published by eMudhra: the phased reduction of public TLS certificate lifetimes to 47 days by 2029

By the numbers:

  • The reduction is phased to give enterprises time to adapt, starting with a drop from 398 days to 200 days in March 2026 and ending at 47 days in March 2029.
  • Run the math: renewing 1,000 certificates once a year is a different operation from renewing the same 1,000 certificates eight times a year.
  • 72% of identity professionals find machine identities more challenging to manage than human identities, citing poor internal processes and insufficient tooling.

Questions worth separating out

Q: How should teams handle certificate lifetimes that keep getting shorter?

A: Teams should treat shorter TLS lifetimes as a lifecycle automation problem, not a renewal reminder problem.

Q: Why do shorter certificate lifetimes increase operational risk?

A: Shorter lifetimes compress the time available to validate, issue, deploy, and verify certificates.

Q: What do security teams get wrong about certificate renewal automation?

A: They often assume automation only matters at the issuance step.

Practitioner guidance

  • Inventory every public TLS certificate continuously Establish automated discovery across cloud, on-premise, and DevOps estates so expired or shadow certificates do not hide until renewal week.
  • Automate issuance, validation, and deployment as one pipeline Use ACME, SCEP, or EST where possible, and remove manual DNS edits and ticket-based handoffs from the renewal path.
  • Set expiry monitoring to fire well before failure Monitor renewal status, certificate age, and validation freshness so alerts arrive with enough runway to remediate before services break.

What's in the full article

eMudhra's full article covers the operational detail this post intentionally leaves for the source:

  • A phased timeline showing how the 398-day limit drops to 200 days, then 100 days, then 47 days.
  • Operational implications for certificate discovery, ACME issuance, domain validation, deployment, and renewal at scale.
  • The article's view on how automation pressure will change renewal workflows and certificate handling across environments.
  • The post's link to post-quantum certificate migration and why automation becomes the enabling layer.

👉 Read eMudhra's analysis of the 47-day TLS certificate lifetime change →

47-day TLS certificates: what it means for IAM and machine identity?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 10300
 

47-day TLS creates a certificate lifecycle governance gap, not just a renewal problem. When validity periods shrink this far, the old assumption that renewal is a periodic admin task stops holding. Certificate management becomes a continuous identity process that must be measured, monitored, and automated across every environment where public trust depends on it. The implication is that governance now has to follow the lifecycle, not the calendar.

A few things that frame the scale:

A question worth separating out:

Q: Who should be accountable for public certificate governance?

A: Accountability should sit across PKI, infrastructure, and IAM teams, because public certificates are non-human identities embedded in service trust. If ownership is split without clear lifecycle control, renewal failures become everyone’s problem and nobody’s responsibility. Governance needs a named owner for each certificate and each renewal path.

👉 Read our full editorial: 47-day TLS certificates will force certificate lifecycle automation



   
ReplyQuote
Share: