For years, organizations used SSL/TLS certificates with long lifespans, reviewing and renewing them only occasionally. That is about to change. On 15 March 2026, the maximum lifespan of a TLS certificate will be cut from 398 days to 200 days. Then, a year later, the limit will drop again to 100 days, and by 2029 it’ll fall to just 47 days.
This shift, meant to increase security, began with a proposal from Apple, which was approved in April 2025 by the CA/Browser Forum, a consortium of certificate authorities. The idea received backing from the other three major browser makers: Google, Mozilla, and Microsoft.
“Shorter certificate lifespans are a gift,” says Justin Shattuck, CSO at Resilience. “They push people toward better automation and certificate management practices, which will later be vital to post-quantum defense.”
Risks of shorter certificate lifespan
But this gift, intended to strengthen security, could turn into a curse if organizations are unprepared. Many still rely on manual tracking and renewal processes, using spreadsheets, calendar reminders, or system admins who “just know” when certificates are due to expire.
With so little time until the March 2026 deadline, organizations may find themselves scrambling to modernize certificate management. Some CISOs have begun accelerating automation projects, centralizing certificate inventories, and reassessing where responsibility for certificate lifecycle management sits within their teams.
“As the CISO of a major US bank managing $40 billion in assets, my primary concerns with shrinking SSL/TLS certificate lifespans revolve around operational resilience and the amplification of risks in an already complex financial ecosystem,” says Clint Lawson, CISO at MidFirst Bank. “With lifespans set to drop, the frequency of renewals heightens the potential for human error, certificate sprawl, and undetected expirations that could lead to service disruptions.”
In banking and other sectors, mistakes in handling this issue can be costly and can translate into loss of revenue or customer trust. “What keeps me up at night is the nightmare scenario of a cascading outage,” Lawson adds. “An expired certificate halting online banking portals during peak hours, exposing us to regulatory scrutiny from bodies like the FDIC or OCC, or worse, providing a foothold for adversaries to exploit unencrypted channels.”
As the window for preparation narrows, companies need to shift gears now and rethink their procedures.
How CISOs are preparing for shorter certificate lifespans
In many organizations, CISOs have already started to rethink their approach. The first step for most is simply figuring out what they actually have. That means getting a clear view of every certificate across the environment, instead of relying on scattered notes or knowledge held only by individual staff.
Visibility should be “the absolute first priority,” says Pete Clay, CISO at Aireon. Without a complete and continuously updated inventory of certificates — knowing exactly what certificates exist, where they’re deployed, and what systems depend on them — no amount of automation or tooling will prevent outages.
“We’re investing in a living cryptographic inventory that doesn’t just track SSL/TLS certificates, but also keys, algorithms, identities, and their business, risk, and regulatory context within our organization and ties all of that to risk,” he says. “Every cert is tied to an owner, an expiration date, and a system dependency, and supported with continuous lifecycle-based communication with those owners. That inventory drives automated notifications, so no expiration sneaks up on us.”
The second priority should be automation. Clay argues that as certificate lifespans shrink, manual renewal cycles are no longer realistic. His team is moving toward centralized certificate management with automated issuance and renewal, and he recommends others do the same.
Ideally, that means using APIs or workflows that leverage the Automatic Certificate Management Environment (ACME) protocol. ACME is an open standard that enables automated interactions between certificate authorities and servers, allowing certificates to be requested, issued, renewed, and replaced programmatically.
“Certificates are issued, deployed, and validated automatically across environments, whether that’s cloud load balancers, Kubernetes clusters, or on-prem gateways,” Clay says. “The goal is to make renewal a background process, not an emergency project, but always supported by communication and accountability.”
Vira Tkachenko, chief technology and innovation officer at MacPaw, agrees. She explains that her team is using ACME to automate certificate renewals in environments where it is supported, such as their Cloudflare setup and virtual servers with Let’s Encrypt. In areas where ACME is not yet available, they are in the process of establishing a centralized certificate inventory to maintain visibility and prevent unexpected expirations.
Lawson follows a similar approach at the bank he works for. “First, we deployed enterprise-grade certificate lifecycle management (CLM) platforms with AI-driven automation to handle issuance, renewal, and revocation seamlessly across our hybrid cloud environments,” he says. “Second, we conducted comprehensive audits and built a centralized PKI dashboard that provides real-time visibility into every certificate, correlated with threat intelligence feeds to prioritize high-risk assets.”
Additionally, the bank partnered with leading certificate authorities to pilot post-quantum cryptography integrations. By doing this, they aim to future-proof their infrastructure against emerging quantum threats.
Adapting to shorter certificate lifespans shouldn’t be treated as a one-off technical chore, adds Lawson. These changes need to be woven into the larger digital transformation strategies shaping how organizations secure and operate their systems.
Just as importantly, the business impact should be communicated clearly, so leadership understands that certificate automation is a must. “An expired certificate isn’t a tech glitch—it’s downtime, lost revenue, and brand damage,” says Clay. “CISOs who frame this as resilience and trust management, not just compliance, get the investment and executive attention they need before the next outage happens.”
Pro tips for CISOs
Although the deadline is approaching, some organizations still do not have a full certificate management strategy in place. “They will be the first to feel the effects of unexpected downtime,” says Jason Soroko, senior fellow at Sectigo. Fortunately, there are concrete steps they can take to prevent an outage.
While automation is important as certificates expire more quickly, how it is implemented matters. Renewing a certificate a fixed number of days before expiration becomes unreliable as lifespans change. The alternative is renewing after a fixed percentage of the certificate’s lifetime has elapsed, which has a clear advantage: the renewal point adjusts automatically when the lifespan shortens.
“Hard-coded renewal periods are likely to be too long at some point, whereas percentage renewal periods should be fine,” says Josh Aas, executive director of the Internet Security Research Group (ISRG), the nonprofit entity behind Let’s Encrypt. “For example, an ACME client that renews every 60 days will eventually wait too long once certificate lifetimes are less than that, whereas a client that renews at 70% of a certificate’s lifetime should be fine.”
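To make Aas’s point concrete, here is an added example (not code from the article, from ISRG or from any ACME client) that evaluates a hard-coded 60-day renewal policy and a 70%-of-lifetime policy against the four maximum lifetimes the article lists; the issuance date is a constructed value, and the policy thresholds are assumptions taken from the quote above.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# Maximum certificate lifetimes from the schedule described in the article:
# today's 398 days, then 200, then 100, and finally 47 days.
LIFETIME_SCHEDULE_DAYS = (398, 200, 100, 47)

# Constructed issuance date used for all the worked cases below.
ISSUED = datetime(2026, 3, 15, tzinfo=timezone.utc)


def renew_at_fixed_interval(not_before: datetime, not_after: datetime,
                            interval_days: int) -> Optional[datetime]:
    """Hard-coded policy: renew a fixed number of days after issuance.

    Returns None when the planned renewal falls on or after expiry, i.e. the
    certificate would already be dead before the client tries to renew it.
    """
    planned = not_before + timedelta(days=interval_days)
    return planned if planned < not_after else None


def renew_at_fraction(not_before: datetime, not_after: datetime,
                      fraction: float) -> datetime:
    """Percentage policy: renew once `fraction` of the validity window has
    elapsed. Derived from the certificate's own dates, so it scales down
    automatically when lifetimes shrink."""
    return not_before + (not_after - not_before) * fraction


def compare_policies(lifetime_days: int, fixed_days: int = 60,
                     fraction: float = 0.7) -> dict:
    """Evaluate both policies for one lifetime and report the remaining
    headroom (days left before expiry at the moment renewal is attempted)."""
    not_after = ISSUED + timedelta(days=lifetime_days)
    fixed = renew_at_fixed_interval(ISSUED, not_after, fixed_days)
    pct = renew_at_fraction(ISSUED, not_after, fraction)
    return {
        "lifetime_days": lifetime_days,
        "fixed_ok": fixed is not None,
        "fixed_headroom_days": (not_after - fixed).days if fixed else None,
        "percent_renew_day": (pct - ISSUED).days,
        "percent_headroom_days": (not_after - pct).days,
    }


def schedule_report() -> list:
    """Run the comparison across every lifetime in the schedule."""
    return [compare_policies(days) for days in LIFETIME_SCHEDULE_DAYS]


if __name__ == "__main__":
    for row in schedule_report():
        print(row)
```

The last row shows the failure mode from the quote: at a 47-day lifetime the 60-day policy never renews in time, while the 70% policy still renews on day 32 with two weeks of headroom.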
Another important step is to set up alerts, adds Clay. Use continuous scanning to detect certificates that are getting close to expiring and send automatic notifications when they need attention. Connect those alerts to your team’s ticketing or chat tools, so they are seen immediately. “It’s not glamorous, but it’s the difference between staying ahead of the problem and getting the 2AM outage call,” Clay says.
It also helps to have a clearly designated person overseeing the certificate lifecycle, ideally someone in security with responsibility for cryptography or public key infrastructure (PKI). “Fragmented responsibility is what causes outages and finger-pointing,” adds Clay. “Build a single policy that defines how certificates are requested, purchased, approved, renewed, and revoked. Even a lightweight governance model will reduce chaos immediately and reduce your risks.”
Pete Nicoletti, global field CISO at Check Point, adds that CISOs should also make sure everyone is on the same page. That means making sure DevSecOps teams know the basics of good certificate hygiene. He also recommends running expiration tabletop exercises, so rapid response becomes second nature.
Lastly, certificate health needs to be tracked just like any other governance metric. “Include metrics for renewals completed on time, expiring certificates, and key rotation compliance,” Clay adds. “When executives see those numbers trending in the right direction, it reinforces that crypto isn’t just a technical function — it’s a core part of operational resilience.”
Mistakes CISOs can make
As certificate lifespans shorten, the pressure to adapt can lead to missteps or blind spots. One of the biggest is assuming the change only affects public-facing websites. “Internal TLS, mTLS, brokers, and device certificates can cause nasty outages because they are not observable [in Certificate Transparency (CT) logs] and often lack ACME paths,” Shattuck says.
Another common mistake is underestimating the value of tabletop exercises. Soroko recommends scenarios like: ‘We have to revoke and replace all of our certificates in 24 hours due to mis-issuance’, or ‘We have to revoke and replace all of our RSA certificates because RSA has just been deprecated.’ By running these exercises, CISOs can quickly find out whether their organization is truly prepared.
A third trap is treating shorter certificate lifespans as a purely technical issue, which can be solved by automation alone. This is risky because the cultural and workflow shift required to support continuous renewal is often the hardest part, says Nicoletti. “Without investing in team upskilling and change management, resistance to automation could stall progress, leaving your organization exposed in a landscape where agility is non-negotiable,” he adds.
Finally, as March 15 approaches, perhaps the biggest mistake CISOs can make is assuming there is still plenty of time to adjust. This isn’t a future problem. The shift is already underway, and organizations that delay will face a much harder transition later.
“Certificates do not expire unexpectedly,” says Soroko. “They have a stated lifetime that does not change after the certificate is issued.” Taking early action can be the difference between managing certificates predictably and risking an avoidable outage.