Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

TLS certificate lifetimes and PQC readiness: what changes now?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Shorter TLS certificate lifetimes, including a step-down to 200 days in 2026, 100 days in 2027, and 47 days by 2029, make automation non-negotiable for certificate renewal and PQC readiness, according to DigiCert. Manual certificate operations will not scale to crypto-agility, inventory discipline, or hybrid algorithm transitions.

NHIMG editorial — based on content published by DigiCert: Why shorter TLS validity raises the bar for PQC readiness

By the numbers:

Questions worth separating out

Q: How should teams prepare TLS estates for post-quantum cryptography?

A: Teams should start with automated discovery, then map every certificate to an owner, a renewal path, and a criticality rating.

Q: Why do shorter TLS validity periods increase operational risk?

A: Shorter validity periods compress the time available to renew, validate, deploy, and troubleshoot certificates.

Q: What usually breaks when cryptographic inventory is incomplete?

A: Incomplete inventory breaks prioritisation.

Practitioner guidance

  • Automate certificate discovery and renewal Use ACME or API-driven issuance to remove manual renewal work from internet-facing and internal TLS estates, then extend the same workflow to private PKI.
  • Build a cryptographic inventory with ownership metadata Record algorithms, keys, protocols, supplier dependencies, business criticality, and named owners so PQC sequencing is based on evidence rather than assumptions.
  • Test hybrid cryptography against real application constraints Validate larger keys, larger signatures, and protocol support across load balancers, middleware, and legacy applications before migration deadlines force change.

What's in the full article

DigiCert's full blog covers the operational detail this post intentionally leaves for the source:

  • Step-by-step guidance on building a cryptographic inventory for PQC planning across distributed estates
  • Practical discussion of certificate automation patterns for TLS renewal at 200-day and 47-day lifetimes
  • Workshop perspectives on hybrid cryptography, including how to test larger keys and signatures without breaking applications
  • Examples of policy-driven encryption and HSM-backed abstraction patterns for crypto-agility

👉 Read DigiCert's blog on shorter TLS validity and PQC readiness →

TLS certificate lifetimes and PQC readiness: what changes now?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Shorter TLS validity is really a certificate governance problem, not just a compliance problem. When certificate lifetimes shrink, renewal failure becomes an identity outage rather than a routine maintenance miss. The control plane has to know where certificates live, who owns them, and how they are replaced at scale. Practitioners should treat certificate lifecycle automation as a production dependency, not an enhancement.

A few things that frame the scale:

  • 69% of organisations now have more machine identities than human ones, according to The Critical Gaps in Machine Identity Management report.
  • 57% of organisations lack a complete inventory of their machine identities, which is why lifecycle visibility remains the first blocker to control.

A question worth separating out:

Q: Who should own PQC readiness across the enterprise?

A: PQC readiness should sit with identity, platform, cryptography, and application owners together, but one team must own the inventory and migration sequence. Without clear accountability, certificate automation, algorithm selection, and application testing drift apart. The strongest programmes treat cryptographic change as a governed lifecycle, not a one-off project.

👉 Read our full editorial: Shorter TLS validity makes PQC certificate automation unavoidable



   
ReplyQuote
Share: