
TLS certificate lifetimes and PQC readiness: what changes now?


(@nhi-mgmt-group)
Member Moderator

TL;DR: Public TLS certificate lifetimes step down to 200 days in 2026, 100 days in 2027 and 47 days by 2029. According to DigiCert, that schedule makes automated renewal non-negotiable and is also the forcing function for PQC readiness: manual certificate operations cannot deliver the crypto-agility, inventory discipline or hybrid algorithm transitions the migration will require.

NHIMG editorial — based on content published by DigiCert: Why shorter TLS validity raises the bar for PQC readiness

By the numbers:

  • 200 days: maximum TLS certificate validity from 2026
  • 100 days: maximum validity from 2027
  • 47 days: maximum validity by 2029

Questions worth separating out

Q: How should teams prepare TLS estates for post-quantum cryptography?

A: Start with automated discovery so the inventory is complete, then map every certificate to a named owner, a renewal path (automated or manual) and a business-criticality rating. That mapping is what PQC migration sequencing is built on.

Q: Why do shorter TLS validity periods increase operational risk?

A: Shorter validity periods compress the time available to renew, validate, deploy and troubleshoot each certificate, and they multiply how often that cycle runs. Any step that still waits on a human ticket becomes an expiry risk at 47-day lifetimes.

Q: What usually breaks when cryptographic inventory is incomplete?

A: Incomplete inventory breaks prioritisation. If a certificate has no recorded owner, algorithm or criticality, nobody can say whether it should be migrated first, automated first or left for later, so sequencing defaults to guesswork and the critical systems are not necessarily the ones handled first.

Practitioner guidance

  • Automate certificate discovery and renewal: use ACME or API-driven issuance to remove manual renewal work from internet-facing and internal TLS estates, then extend the same workflow to private PKI.
  • Build a cryptographic inventory with ownership metadata: record algorithms, keys, protocols, supplier dependencies, business criticality and named owners so PQC sequencing is based on evidence rather than assumptions.
  • Test hybrid cryptography against real application constraints: validate larger keys, larger signatures and protocol support across load balancers, middleware and legacy applications before migration deadlines force change.
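The three guidance points above, worked through as an added example (NHIMG editorial code, not DigiCert's): a stdlib-only Python script that applies the lifetime schedule from the TL;DR to a constructed certificate inventory, works out how often each certificate will have to be re-issued, flags manual renewal paths that cannot keep that cadence, flags critical certificates still on quantum-vulnerable algorithms, and sets aside anything with no owner as unprioritisable. It also estimates how much a certificate chain grows when keys and signatures move to ML-DSA-65, the kind of number to check against load balancer and middleware limits before a hybrid rollout. The 15 March effective dates, the 398-day pre-2026 baseline, the two-thirds-of-validity renewal point, the 45-day change-management cycle and all hostnames are assumptions made for this example; the byte sizes are approximate.

```python
"""Added example: triage a TLS certificate inventory against the shortening
lifetime schedule and a PQC migration order. Stdlib only; every record below
is constructed sample data, not a real host."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Maximum leaf-certificate validity in days and the date each step takes effect.
# The post gives years only; the 15 March dates and the 398-day baseline are
# assumptions added for this example.
BASELINE_LIFETIME_DAYS = 398
LIFETIME_SCHEDULE: List[Tuple[date, int]] = [
    (date(2026, 3, 15), 200),
    (date(2027, 3, 15), 100),
    (date(2029, 3, 15), 47),
]

# Approximate signature and public-key sizes in bytes (RSA/ECDSA from their raw
# encodings, ML-DSA-65 from FIPS 204), used to estimate how much a chain grows.
SIG_BYTES = {"rsa-2048": 256, "ecdsa-p256": 72, "ml-dsa-65": 3309}
PUBKEY_BYTES = {"rsa-2048": 270, "ecdsa-p256": 65, "ml-dsa-65": 1952}
QUANTUM_VULNERABLE = {"rsa-2048", "ecdsa-p256"}


@dataclass
class CertRecord:
    name: str
    algorithm: str
    issued: date
    renewal_path: str          # "acme" (automated) or "manual"
    owner: Optional[str]       # None means nobody has claimed it yet
    criticality: int           # 1 = business critical ... 3 = low


def max_lifetime_days(issued: date) -> int:
    """Longest validity a public CA may issue for a leaf on the given date."""
    limit = BASELINE_LIFETIME_DAYS
    for effective_from, days in LIFETIME_SCHEDULE:
        if issued >= effective_from:
            limit = days
    return limit


def renewal_cadence_days(issued: date) -> int:
    """How often the cert must be re-issued if renewed at two-thirds of its
    validity (a common ACME client default; an assumption here)."""
    return max_lifetime_days(issued) * 2 // 3


def manual_process_keeps_up(issued: date, change_cycle_days: int = 45) -> bool:
    """A manual renewal costs one change-management cycle per renewal, so it
    only keeps up while the cadence is at least that long (45 days assumed)."""
    return renewal_cadence_days(issued) >= change_cycle_days


def chain_growth_bytes(current_alg: str, target_alg: str = "ml-dsa-65",
                       chain_len: int = 3) -> int:
    """Extra bytes a chain of chain_len certificates would carry if every key
    and signature moved from current_alg to target_alg (rough estimate)."""
    per_cert = (SIG_BYTES[target_alg] + PUBKEY_BYTES[target_alg]) - \
               (SIG_BYTES[current_alg] + PUBKEY_BYTES[current_alg])
    return per_cert * chain_len


def triage(records: List[CertRecord]) -> Dict[str, List[str]]:
    """Sort the inventory into work queues, most critical first within each."""
    queues: Dict[str, List[str]] = {
        "unprioritisable": [],   # missing owner or unknown algorithm
        "automate_first": [],    # manual renewal that cannot keep the new cadence
        "migrate_first": [],     # critical and still on a quantum-vulnerable algorithm
        "ok": [],
    }
    for r in sorted(records, key=lambda r: (r.criticality, r.name)):
        if r.owner is None or r.algorithm not in SIG_BYTES:
            queues["unprioritisable"].append(r.name)
        elif r.renewal_path == "manual" and not manual_process_keeps_up(r.issued):
            queues["automate_first"].append(r.name)
        elif r.criticality == 1 and r.algorithm in QUANTUM_VULNERABLE:
            queues["migrate_first"].append(r.name)
        else:
            queues["ok"].append(r.name)
    return queues


# Constructed sample inventory (hypothetical hosts under .test).
SAMPLE_INVENTORY = [
    CertRecord("api.example.test", "ecdsa-p256", date(2029, 4, 1), "acme", "platform", 1),
    CertRecord("legacy-lb.example.test", "rsa-2048", date(2029, 5, 1), "manual", "network", 2),
    CertRecord("intranet.example.test", "rsa-2048", date(2028, 6, 1), "manual", None, 3),
    CertRecord("metrics.example.test", "ecdsa-p256", date(2029, 5, 15), "acme", "sre", 3),
]

if __name__ == "__main__":
    for issued in (date(2025, 6, 1), date(2026, 6, 1), date(2027, 6, 1), date(2029, 6, 1)):
        print(issued, "max", max_lifetime_days(issued), "days, renew every",
              renewal_cadence_days(issued), "days, manual keeps up:",
              manual_process_keeps_up(issued))
    print("chain growth ECDSA P-256 -> ML-DSA-65:", chain_growth_bytes("ecdsa-p256"), "bytes")
    for queue, names in triage(SAMPLE_INVENTORY).items():
        print(f"{queue}: {names}")
```

The point of the queues is the third Q&A above: the host with no owner cannot be placed in any migration order at all, while the manual renewal path that was fine at 200-day lifetimes drops below the assumed change cycle once 47-day issuance starts, so it has to be automated before anyone spends time on its algorithm. The chain-growth figure is deliberately crude; the real check is to run the hybrid chain through the actual load balancers and middleware and watch for size limits and handshake failures.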

What's in the full article

DigiCert's full blog covers the operational detail this post intentionally leaves for the source:

  • Step-by-step guidance on building a cryptographic inventory for PQC planning across distributed estates
  • Practical discussion of certificate automation patterns for TLS renewal at 200-day and 47-day lifetimes
  • Workshop perspectives on hybrid cryptography, including how to test larger keys and signatures without breaking applications
  • Examples of policy-driven encryption and HSM-backed abstraction patterns for crypto-agility

👉 Read DigiCert's blog on shorter TLS validity and PQC readiness →
