
Short-lived TLS certificates: is your PKI lifecycle ready?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8688
Topic starter  

TL;DR: As public TLS validity shrinks from 398 days toward a possible 47-day ceiling by 2029, PKI teams face higher renewal volume, faster revocation expectations, and a stronger case for automation, according to Keyfactor. Short-lived certificates reduce the damage window for key compromise, but they also expose how much certificate governance still depends on manual process.

NHIMG editorial — based on content published by Keyfactor: Why Short-Lived TLS Certificates Are the Future of Public Key Infrastructure (PKI)

By the numbers:

Questions worth separating out

Q: What breaks when certificate lifecycles stay manual as validity periods shorten?

A: Manual certificate management breaks when renewals become too frequent for humans to track reliably.

Q: Why do short-lived certificates matter for machine identity governance?

A: Short-lived certificates matter because they are time-bound non-human credentials that define how systems prove identity to each other.

Q: How do security teams know whether certificate automation is actually working?

A: Certificate automation is working when expiry events no longer depend on human memory, ticket chasing, or emergency renewals.

Practitioner guidance

  • Inventory every certificate and owner: establish a complete certificate inventory across public-facing and internal systems, including expiry dates, issuing CAs, and accountable owners.
  • Automate renewal before shortening validity further: move high-volume certificate classes into automated issuance and renewal workflows before policy changes reduce validity windows.
  • Tie revocation to incident response: define how compromised certificates will be revoked, replaced, and propagated across dependent systems within a governed response process.

What's in the full article

Keyfactor's full blog covers the operational detail this post intentionally leaves for the source:

  • Certificate validity trends and the policy pressure behind the move from year-long to short-lived TLS lifecycles
  • How shorter certificate windows change renewal workload, outage exposure, and lifecycle ownership requirements
  • Operational examples of certificate discovery, issuance, deployment, revocation, and renewal automation
  • The practical case for adopting PKI automation before renewal volume becomes unmanageable

👉 Read Keyfactor's analysis of short-lived TLS certificates and PKI lifecycle change →
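
As an added example (not code from Keyfactor or from this post), the inventory and automation checks in the practitioner guidance above run over a constructed sample inventory: the script flags expired, unowned and manually renewed certificates, and shows how the renewal lead time and yearly renewal volume change between today's 398-day maximum and a 47-day ceiling. The renew-at-one-third-remaining rule is an assumption borrowed from common ACME client practice, not a figure from the article; hosts, CAs and owners are invented.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

@dataclass
class CertRecord:
    subject: str
    issuing_ca: str
    not_after: date
    owner: Optional[str]   # accountable owner; None means nobody is on the hook
    automated: bool        # renewed by an issuance workflow, not by a person

def renewal_lead_days(validity_days: int) -> int:
    """Renew once a third of the lifetime remains (a common ACME client default;
    an assumption here, not a figure from the article)."""
    return max(1, validity_days // 3)

def renewals_per_year(cert_count: int, validity_days: int) -> float:
    """Renewal events per year when every cert is re-issued once per lifetime."""
    return round(cert_count * 365 / validity_days, 1)

def assess_inventory(inventory: List[CertRecord], today: date, max_validity_days: int) -> dict:
    """Flag what a manual process would have to absorb under the given validity ceiling."""
    lead = renewal_lead_days(max_validity_days)
    findings = {"expired": [], "renew_now": [], "unowned": [], "manual": []}
    for c in inventory:
        remaining = (c.not_after - today).days
        if remaining < 0:
            findings["expired"].append(c.subject)
        elif remaining <= lead:
            findings["renew_now"].append(c.subject)
        if c.owner is None:                # nobody accountable when it expires
            findings["unowned"].append(c.subject)
        if not c.automated:                # expiry still depends on a human
            findings["manual"].append(c.subject)
    findings["renewals_per_year"] = renewals_per_year(len(inventory), max_validity_days)
    return findings

# Constructed sample inventory; hosts, CAs and owners are invented for this example.
TODAY = date(2025, 6, 1)
SAMPLE_INVENTORY = [
    CertRecord("api.example.test", "Example Public CA", date(2025, 6, 10), "platform-team", True),
    CertRecord("legacy.example.test", "Example Public CA", date(2025, 5, 20), None, False),
    CertRecord("vpn.example.test", "Example Internal CA", date(2026, 1, 15), "netops", False),
    CertRecord("shop.example.test", "Example Public CA", date(2025, 9, 1), "web-team", True),
]

if __name__ == "__main__":
    for ceiling in (398, 47):   # today's maximum versus the possible 2029 ceiling
        print(ceiling, "days:", assess_inventory(SAMPLE_INVENTORY, TODAY, ceiling))
```

Under the 398-day ceiling the renewal lead window is 132 days, so two sample certificates are already due; under 47 days the window shrinks to 15 days and yearly renewal volume for the same four certificates rises from 3.7 to 31.1 events.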

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8144
 

Short-lived certificates expose certificate lifecycle as identity governance, not infrastructure housekeeping. The article is really about how trust now depends on continuous control of issuance, renewal, revocation, and visibility. That is an identity lifecycle problem, because every certificate is a non-human credential with a finite trust window. Organisations that still manage certificates as isolated infrastructure objects will keep missing the governance reality. The implication is that PKI ownership belongs in identity programmes, not only platform teams.

A few things that frame the scale:

  • Average time to detect a compromised machine identity: 214 days, according to The Critical Gaps in Machine Identity Management report.
  • 61% rely on spreadsheets or manual tracking for machine identity management, which is why lifecycle ownership breaks down before compromise is even detected.

A question worth separating out:

Q: Who should own certificate lifecycle governance in an enterprise?

A: Certificate lifecycle governance should sit between identity, platform, and security teams, with clear accountability for inventory, issuance, renewal, and revocation. If ownership lives only in infrastructure operations, the process usually becomes reactive. Identity governance needs visibility into certificates because they function as machine identities, not just technical configuration items.

👉 Read our full editorial: Short-lived TLS certificates are reshaping PKI governance
