CyberArk Unveils Tools for Looming TLS Cert Lifecycle Reduction

The debate over whether to reduce the lifespan of Transport Layer Security (TLS) certificates has been a contentious one in the past several years, but the theoretical turned into reality earlier this year when the Certification Authority Browser Forum approved the proposal.

The April vote by the CA/Browser Forum – whose members include certificate authorities such as DigiCert and GlobalSign and browser vendors such as Apple, Google, Microsoft, and Mozilla – means the maximum lifetime for a TLS certificate stays at 398 days until March 15, 2026, when it is reduced to 200 days, and then to 100 days a year later. On March 15, 2029, the lifespan drops to 47 days.

Regardless of which side of the debate an organization falls on – that the move will bolster online security and encourage automation, or that it will create more risk, add operational costs, and favor automation companies – the decision means that in less than four years, firms will have to drastically increase the number of times they have to renew certificates every year. Some argue that smaller companies – many of which renew their certificates manually – likely won’t have the resources to keep up such a pace.

“Shorter certificate lifespans reduce the window of opportunity for attackers to exploit compromised certificates, force faster adoption of security updates, and limit the potential damage if a certificate authority is compromised or a private key is stolen,” Kurt Sand, general manager of machine identity security at CyberArk, told MSSP Alert. “These benefits help reduce the risk of certificate exploits.”

That said, Sand added that the “challenge comes down to execution and organizational readiness. Most organizations are still using manual processes that were designed for annual renewals. When you compress that timeline to 47 days, those processes simply can't keep up.”

Calculator and Discovery Scan

CyberArk this week introduced its TLS Certificate Renewal Impact Calculator and TLS Certificate Discovery Scan, interactive tools designed to help organizations understand the operational and financial impact of the shorter certificate lifespans and the exposure of their certificates as those lifetime reductions kick in.

The phased process will mean that organizations will have to renew certificates at least eight times a year, and in some cases every month. The hit on companies relying on manual processes will be even greater: an entity managing 500 certificates now spends about 2,000 hours every year on the process, but that number could jump to more than 24,000 hours by 2029, according to CyberArk.
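The phased schedule and the renewal-frequency arithmetic in the paragraphs above, turned into a small defender-side check as an added example (not CyberArk's calculator or any code from the article): it returns the cap in force for a given issuance date, the minimum renewals per year that cap implies, and flags inventory entries whose validity exceeds the cap. The sample inventory and the reading that each cap applies to certificates issued on or after its date are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from math import ceil

# Maximum TLS certificate lifetimes in the phased schedule the article describes.
# Assumption: each cap applies to certificates issued on or after the listed date.
LIFETIME_SCHEDULE = (
    (date(2029, 3, 15), 47),
    (date(2027, 3, 15), 100),
    (date(2026, 3, 15), 200),
    (date.min, 398),          # the cap in force before March 15, 2026
)

def max_lifetime_days(issued: date) -> int:
    """Maximum permitted validity, in days, for a certificate issued on `issued`."""
    return next(days for start, days in LIFETIME_SCHEDULE if issued >= start)

def min_renewals_per_year(lifetime_days: int) -> int:
    """Renewals per 365-day year when every certificate runs to its maximum lifetime."""
    return ceil(365 / lifetime_days)

def annual_renewals(cert_count: int, issued: date) -> int:
    """Fleet-wide renewal count per year under the cap in force on `issued`."""
    return cert_count * min_renewals_per_year(max_lifetime_days(issued))

@dataclass(frozen=True)
class CertRecord:
    name: str
    not_before: date
    not_after: date

def over_cap(rec: CertRecord) -> bool:
    """True if the validity period exceeds the cap that applied when it was issued.
    Simplification (assumption): validity is measured in whole days between the dates."""
    validity_days = (rec.not_after - rec.not_before).days
    return validity_days > max_lifetime_days(rec.not_before)

def audit(inventory: list[CertRecord]) -> list[str]:
    """Names of certificates whose validity exceeds the cap in force at issuance."""
    return [rec.name for rec in inventory if over_cap(rec)]

# Constructed sample inventory (not real certificates) spanning the phases.
SAMPLE_INVENTORY = [
    CertRecord("web-2025", date(2025, 6, 1), date(2025, 6, 1) + timedelta(days=397)),
    CertRecord("api-2026", date(2026, 4, 1), date(2026, 4, 1) + timedelta(days=365)),
    CertRecord("vpn-2029", date(2029, 4, 1), date(2029, 4, 1) + timedelta(days=47)),
]
```

Running `audit(SAMPLE_INVENTORY)` flags only the 2026 entry, and `annual_renewals(500, date(2029, 4, 1))` gives the 500-certificate fleet from the paragraph above eight renewals each, or 4,000 per year, under the 47-day cap.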

In addition, certificate management is already difficult with the current 398-day lifespan, Sand said. In its 2025 State of Machine Identity Security Report, CyberArk found that 72% of security leaders experienced at least one certificate-related outage over the previous year, 67% faced such problems monthly, and 45% did so every week.

Hurdles Mount

The new requirements will increase the challenges exponentially, Sand said.

The new certificate calculator and scanning tools are part of the CyberArk Identity Security Platform, a set of capabilities aimed at ensuring that every identity has the appropriate level of dynamic privilege controls when accessing resources in multi-cloud environments. Through them, organizations can see how the shift to 47-day lifespans will affect the number of renewals needed and the number of people required to handle them, quantify operational costs and the ROI of automation, and proactively migrate to automated certificate lifecycle management.

Risk, Opportunities for MSSPs, MSPs

For partners like MSSPs and MSPs, the reduction in certificate lifespans represents a significant operational risk as well as an opportunity to expand their offerings, Sand said.

“Most service providers already struggle to maintain visibility across certificates issued from multiple internal and public certificate authorities, especially when managing dozens or hundreds of customer environments,” he said. “Service providers tell us they are particularly concerned about scale. Today, even a modest enterprise might have thousands of certificates across hybrid, multi-cloud, and multigenerational architectures.”

As with other organizations, MSSPs and MSPs that rely on manual models to discover, issue, renew, and audit those certificates on a near-continuous basis will run into a problem of scale.

“Providers risk SLA [service level agreement] violations, unplanned emergency work and reputational damage even if a single certificate slips through,” he said.

That said, the reduced certificate lifespan is already driving demand from organizations for managed certificate lifecycle services. Many companies don’t have the staff, tools, or expertise to handle the accelerated nature of certificate renewal cycles.

“They are turning to service providers for help,” Sand said. “This creates a clear opportunity for MSSPs and MSPs to differentiate by offering automated certificate lifecycle management as a foundational security service.”

Jeffrey Burt

Jeffrey Burt has been a journalist for almost 40 years, moving from general-circulation newspapers to IT news sites in 2000. He’s an expert analyst and writer on cybersecurity, data center infrastructure, AI, and a host of other subjects for a range of organizations, including CyberRisk Alliance, eWEEK, Techstrong Group, The Next Platform, and The Register.