TLS certificate lifetime changes: What CISOs must do now
TLS certificates now expire after 200 days. That window will soon narrow to 100 days and eventually to 47. Is your organization ready?
Organizations that rely on manual TLS certificate lifecycle management are racing against the clock. The 200-day certificate timeline, which took effect in March 2026, means the first wave of certificate renewals will arrive within a matter of months.
"People will feel the realities when they start to renew those first sets of certificates," said Sarah Almond, an analyst at Gartner. Nick France, CTO at Sectigo, a certificate authority (CA) and certificate lifecycle management (CLM) provider, agreed, calling September and October a "wake-up call" for organizations that aren't ready.
The March 2026 change is just the first in a series of updates to certificate lifetimes. The phased approach set by the CA/Browser Forum, a consortium of CAs and browser vendors that sets standards for digital certificates, will further reduce the period to 100 days in March 2027 and ultimately to 47 days in March 2029.
Certificate lifetimes are being shortened in the name of security, and experts and CAs warn that the transition requires immediate action to prevent costly outages or breaches that erode customer trust and disrupt operations.
About TLS certificates and expiration
TLS certificates -- digital credentials that verify the identity of a website, server or application -- enable encrypted, authenticated connections that protect data from interception. These certificates carry expiration dates to limit the impact of compromised, stolen or improperly issued certificates, enforce cryptographic upgrades and ensure compliance with policies and regulations.
If a TLS certificate expires, it is no longer trusted to establish TLS connections. Websites using the expired certificate are flagged as insecure by browsers, resulting in businesses losing credibility, trust and revenue. According to CyberArk's 2025 "State of Machine Identity Security" report, 72% of organizations experienced at least one certificate-related outage in the previous year -- before the shortened TLS certificate timeline took effect.
"Every service owner knows that rotation of a certificate must happen before expiration. Otherwise, end users will see scary or confusing error messages and lose trust in the service," said Ken Beer, director of cryptography at AWS.
Why the change?
Improved security is the driver of quicker expiration timelines. The CA/Browser Forum listed six benefits of reducing TLS certificate validity periods:
- Certificates represent a snapshot in time. A TLS certificate reflects accurate ownership and validation information at the moment it is issued. Over time, that information can become outdated, so shorter certificate lifetimes keep what a certificate asserts closer to current reality.
- Outdated certificates create security risks. Changes such as domain expiration, ownership transfers or compromised keys can leave a certificate valid even though the information it contains is no longer accurate, enabling misuse.
- Shorter lifetimes reduce the impact of improperly issued certificates. If a CA improperly validates information or issues a certificate incorrectly, shorter validity periods limit how long the bad certificate remains trusted.
- Shorter lifetimes drive automation adoption. More frequent renewals push organizations to adopt automated certificate issuance and renewal processes, improving the resilience and reliability of CLM systems.
- Certificate expiration provides protection when revocation mechanisms fall short. Revocation technologies, such as certificate revocation lists (CRLs) and the Online Certificate Status Protocol (OCSP), are not always timely or effective at scale. Shorter certificate lifetimes reduce reliance on those technologies.
- Shorter lifetimes improve cryptographic agility. If a cryptographic algorithm becomes vulnerable or obsolete, shorter-lived certificates enable organizations and the internet ecosystem to transition more quickly to stronger cryptography.
Another benefit of shortening the certificate lifecycle is post-quantum cryptography (PQC) readiness. The March 2029 date is close to many predictions of when the industry expects quantum computers to go live -- and when they could break current cryptography algorithms. Shorter certificate lifetimes will make it easier for organizations to transition to quantum-resistant algorithms when current cryptographic standards become vulnerable.
Three critical steps for CISOs
If they haven't already, CISOs and their teams must start focusing on three key areas to prepare for the TLS certificate changes: inventorying, automating CLM and achieving crypto-agility.
Inventory certificates
To secure anything, CISOs must know what they have and where they are -- yet in the case of cryptography, only 32% of organizations have inventoried their assets, according to a Ponemon Institute study.
To begin, CISOs should document all their organization's cryptographic assets. Creating a TLS certificate inventory helps reduce certificate-related outages and identify security risks, such as expired certificates, weak encryption, unmanaged certificates and shadow IT.
To create an inventory, identify certificates across all environments -- servers, devices, the cloud, and Kubernetes and containers -- and correlate them with their business service and owner. Use CLM platforms or cloud-native tools to simplify the process. Establish automated monitoring of factors such as expiration alerts, certificate changes and unauthorized certificates. Review, update and audit the inventory regularly.
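As an added illustration of the inventory checks described above (example code, not from the article or from any vendor quoted in it), the following Python script assesses a small constructed inventory against the 200/100/47-day schedule: it flags certificates with no recorded owner, certificates whose lifetime exceeds the limit in force when they were issued, certificates that have entered their renewal window, and the shorter cap that will apply at their next renewal. The phase start days (the 15th of each month), the renew-in-the-final-third rule and all hosts and owners are assumptions.

```python
import ssl
from datetime import date, datetime, timedelta, timezone
# Phase schedule from the article: maximum certificate validity in days.
# The article gives only the months; the 15th is an assumption for this example.
PHASES = [(date(2026, 3, 15), 200), (date(2027, 3, 15), 100), (date(2029, 3, 15), 47)]
SEPTEMBER_WAVE = datetime(2026, 9, 1, tzinfo=timezone.utc)  # the first renewal wave
# Constructed inventory records (placeholder hosts and owners), using the
# notBefore/notAfter string format that ssl.getpeercert() returns for live hosts.
INVENTORY = [
    {"host": "www.example.com", "owner": "web-team",
     "notBefore": "Mar 20 00:00:00 2026 GMT", "notAfter": "Oct 6 00:00:00 2026 GMT"},
    {"host": "api.example.com", "owner": "platform",
     "notBefore": "Jan 10 00:00:00 2026 GMT", "notAfter": "Jan 10 00:00:00 2027 GMT"},
    {"host": "legacy.example.com", "owner": "",
     "notBefore": "Apr 1 00:00:00 2026 GMT", "notAfter": "Dec 1 00:00:00 2026 GMT"},
    {"host": "old.example.com", "owner": "ops",
     "notBefore": "Mar 1 00:00:00 2026 GMT", "notAfter": "Aug 28 00:00:00 2026 GMT"},
]

def max_lifetime_on(day):
    """Maximum permitted validity (days) in force on `day`; None before the first phase."""
    limit = None
    for start, days in PHASES:
        if day >= start:
            limit = days
    return limit

def parse_cert_time(text):
    """Parse 'Mon DD HH:MM:SS YYYY GMT' (the ssl.getpeercert() format) to a UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), tz=timezone.utc)

def assess(record, today):
    """Classify one record as OK / RENEW_NOW / EXPIRED and list its policy findings."""
    not_before, not_after = parse_cert_time(record["notBefore"]), parse_cert_time(record["notAfter"])
    lifetime = (not_after - not_before).days
    renew_by = not_after - timedelta(days=lifetime // 3)  # renew in the final third (assumed rule)
    findings = []
    if not record.get("owner"):
        findings.append("no owner recorded (unmanaged certificate)")
    limit_at_issue = max_lifetime_on(not_before.date())
    if limit_at_issue is not None and lifetime > limit_at_issue:
        findings.append(f"{lifetime}-day lifetime exceeds the {limit_at_issue}-day limit at issuance")
    limit_at_renewal = max_lifetime_on(renew_by.date())
    if limit_at_renewal is not None and limit_at_renewal < lifetime:
        findings.append(f"next renewal will be capped at {limit_at_renewal} days")
    status = "EXPIRED" if today >= not_after else ("RENEW_NOW" if today >= renew_by else "OK")
    return {"host": record["host"], "status": status, "lifetime_days": lifetime,
            "days_remaining": (not_after - today).days, "findings": findings}

def report(inventory, today):
    """Assess every record; results are keyed by host so alerts can be routed to owners."""
    return {r["host"]: r for r in (assess(rec, today) for rec in inventory)}
```

Run against a live estate, the same records can be built from `ssl.get_server_certificate`/`getpeercert()` output or a CLM export; the key point is that a 365-day certificate issued before March 2026 is reissued with at most 200 days the next time it rotates.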
Automate certificate lifecycle management
With an inventory in place, CISOs need to plan how to issue, deploy, revoke and renew certificates. While certificate requests and renewals are often automated, legacy systems, change management requirements and operational controls can introduce manual steps that prevent the process from being fully automated.
Brian Trzupek, senior vice president of product at DigiCert, a CA and CLM vendor, said that while many CAs automate certificate installation, the process is still a multistep one. "You start to diminish that because of network deployment aspects," he said. "Then there's the configuration testing of that deployed asset. In some cases, you can readily configuration test that, and others it's more complex, and CAs don't do that. There are layers of automation."
In terms of renewal, organizations definitely need to automate, Almond advised. "Most organizations that I speak to won't be able to cope with a manual process when the renewal period is 47 days," she said. "Some say manual processes will be too disruptive even before we get to 47 days, so at the 100-day point or before."
Greg Wetmore, vice president of product development at Entrust, a CLM vendor, attributed this to the scale of certificates in use today.
"Ten years ago, organizations would have only had a few certificates, and now we're into the thousands, tens of thousands, hundreds of thousands of cryptographic objects," he said.
Build crypto-agility
Moving from manual to automated TLS certificate management aligns with the broader need for crypto-agility in the modern digital landscape -- the ability to efficiently and quickly switch among cryptographic algorithms, keys and protocols without disrupting operations or sacrificing security.
"It's not just changing or shortening certificate lifetimes; there are a lot of other changes happening in our industry -- public certificates, PKI and public CAs -- and a lot of them are customer-impacting," France said. "Everybody needs to start preparing for post-quantum encryption, post-quantum certificates and variants of that."
Almond agreed. "This whole challenge is really one of crypto-agility," she said.
And yet, the Ponemon study found that, despite strong government guidance, only 38% of organizations are actively preparing for the post-quantum era.
Two key steps toward achieving crypto-agility are inventorying cryptographic assets and automating processes. Organizations must also govern their cryptographic assets with policy, Wetmore said. Other key steps include deploying a key management system, using PKI, and regularly testing and validating systems to ensure they are ready for the challenges posed by quantum computing and other future cybersecurity threats.
What's next? Preparing for inevitable change
The September and October renewal wave will separate the prepared from the unprepared. Organizations that have inventoried cryptographic assets, automated CLM processes and begun preparing for crypto-agility should be able to navigate the change successfully, while the organizations that haven't will face resource-intensive manual reviews, increased risk of outages and other business implications.
As Beer warned, organizations that fail to invest in automation will "waste time and resources managing their PKI, increasing their exposure to certificate-related outages and reducing their ability to use those resources to innovate in other areas of their business."
And the fact of the matter is that more changes to TLS certificate lifetimes are coming, and the PQC era will be here before many realize it. The time to prepare is now.
Samira Sarraf is an award-winning international business and technology journalist and editor with 15 years of experience. She has published news and features on CSO Online, CIO.com, Computerworld, ARNnet, TechPartner News and more.