TL;DR: Security teams are moving from one- and two-year certificate lifecycles toward 90-day or 30-day validity as browser limits, federal guidance, and crypto-agility pressures reshape PKI, according to eMudhra. Long-lived certificates no longer fit modern machine identity operations, where expiry, automation, and rollback discipline determine whether PKI reduces risk or creates outages.
NHIMG editorial — based on content published by eMudhra: shorter certificate lifecycles and the operational case for agile PKI
By the numbers:
- 91% of former employee tokens remain active after offboarding, leaving organisations vulnerable to potential security breaches.
Questions worth separating out
Q: How should security teams respond to shorter certificate lifespans?
A: They should treat shorter lifespans as an automation mandate, not as a reason to add more manual review.
Q: Why do short-lived certificates matter for machine identity governance?
A: Short-lived certificates matter because they are time-bound non-human credentials that define how systems prove identity to each other.
Q: What do teams get wrong about 90-day certificate policies?
A: They often treat the new validity period as the control, when the real control is the renewal process behind it.
Practitioner guidance
- Inventory every certificate as a governed identity object Classify certificates by application owner, expiry date, criticality, and renewal mechanism so manual exceptions do not remain invisible.
- Automate renewal before shortening validity Use ACME or API-based renewal for non-critical services first, then prove renewal success, rollback behaviour, and monitoring coverage before enforcing 90-day lifecycles.
- Set policy exceptions with explicit expiry controls Allow longer validity only for embedded or legacy systems with documented constraints, and require compensating monitoring plus a retirement date.
What's in the full article
eMudhra's full article covers the operational detail this post intentionally leaves for the source:
- ACME-based automation patterns for issuing, renewing, and revoking certificates across multiple environments
- Phased migration guidance for moving from two-year certificates to 90-day or 30-day lifecycles
- Centralised certificate visibility practices for on-prem, cloud, and IoT estates
- Post-quantum rollout considerations for hybrid certificate transitions
👉 Read eMudhra's analysis of shorter certificate lifecycles and PKI agility →
Certificate lifecycles and PKI agility: are your controls ready?
Explore further
Short certificate lifecycles expose a machine identity governance problem, not just a PKI tuning problem. The article shows that trust windows are being compressed because the old assumption of year-long certificate stability no longer matches browser policy, federal guidance, or operational reality. That means certificate governance now sits alongside NHI lifecycle management, where visibility, renewal ownership, and expiry discipline matter as much as cryptographic strength. Practitioners should treat certificate lifecycle control as part of machine identity governance, not a niche PKI task.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- 91% of former employee tokens remain active after offboarding, according to The 2025 State of NHIs and Secrets in Cybersecurity.
A question worth separating out:
Q: Which frameworks help teams govern machine certificate lifecycles?
A: NIST Cybersecurity Framework 2.0 and Zero Trust Architecture both support the governance, protection, and resilience principles needed for modern certificate operations. Teams should use them to define ownership, automate repeatable controls, and reduce single points of failure across issuance and validation workflows.
👉 Read our full editorial: Shorter certificate lifecycles are now a PKI governance issue