{"id":6050,"date":"2025-12-03T07:00:00","date_gmt":"2025-12-03T07:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=6050"},"modified":"2025-12-03T07:00:00","modified_gmt":"2025-12-03T07:00:00","slug":"how-cisos-can-prepare-for-the-new-era-of-short-lived-tls-certificates","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=6050","title":{"rendered":"How CISOs can prepare for the new era of short-lived TLS certificates"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>For years, organizations used <a href=\"https:\/\/www.csoonline.com\/article\/564131\/what-is-ssl-how-ssl-certificates-enable-encrypted-communication.html\">SSL\/TLS certificates<\/a> with long lifespans, reviewing and renewing them only occasionally. That is about to change. On 15 March 2026, the maximum lifespan of a publicly trusted TLS certificate will be cut from 398 days to 200 days. On 15 March 2027 the limit drops again, to 100 days, and on 15 March 2029 it falls to just 47 days. Each cut applies to certificates issued on or after that date; certificates already in service keep their original expiry.<\/p>\n<p>This shift, meant to increase security, began with a proposal from Apple, which was approved in April 2025 by the CA\/Browser Forum, the industry body of certificate authorities and browser vendors that maintains the baseline requirements for publicly trusted certificates. The rationale is that a shorter validity window limits how long a compromised or mis-issued certificate can be abused and reduces reliance on revocation checking, which browsers enforce inconsistently. The proposal received backing from the other three major browser makers: Google, Mozilla, and Microsoft.<\/p>\n<p>\u201cShorter certificate lifespans are a gift,\u201d says Justin Shattuck, CSO at Resilience. 
\u201cThey push people toward better automation and certificate management practices, which will later be vital to post-quantum defense.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Risks of shorter certificate lifespans<\/h2>\n<p>But this gift, intended to strengthen security, could turn into a curse if <a href=\"https:\/\/www.csoonline.com\/article\/3485437\/companies-poorly-prepared-for-tls-transition.html\">organizations are unprepared<\/a>. Many still rely on manual tracking and renewal processes, using spreadsheets, calendar reminders, or system admins who \u201cjust know\u201d when certificates are due to expire. A process that ran roughly once a year per certificate will have to run every few weeks once the limit reaches 47 days, and every run is another chance to miss one.<\/p>\n<p>With so little time until the March 2026 deadline, organizations may find themselves scrambling to modernize certificate management. Some CISOs have begun accelerating automation projects, centralizing certificate inventories, and reassessing where responsibility for certificate lifecycle management sits within their teams.<\/p>\n<p>\u201cAs the CISO of a major US bank managing $40 billion in assets, my primary concerns with shrinking SSL\/TLS certificate lifespans revolve around operational resilience and the amplification of risks in an already complex financial ecosystem,\u201d says Clint Lawson, CISO at MidFirst Bank. \u201cWith lifespans set to drop, the frequency of renewals heightens the potential for human error, certificate sprawl, and undetected expirations that could lead to service disruptions.\u201d<\/p>\n<p>In banking and other sectors, mistakes in handling this issue can be costly and can translate into loss of revenue or customer trust. \u201cWhat keeps me up at night is the nightmare scenario of a cascading outage,\u201d Lawson adds. 
\u201cAn expired certificate halting online banking portals during peak hours, exposing us to regulatory scrutiny from bodies like the FDIC or OCC, or worse, providing a foothold for adversaries to exploit unencrypted channels.\u201d<\/p>\n<p>As the window for preparation narrows, companies need to shift gears now and rethink their procedures.<\/p>\n<h2 class=\"wp-block-heading\">How CISOs are preparing for shorter certificate lifespans<\/h2>\n<p>In many organizations, CISOs have already started to rethink their approach. The first step for most is simply figuring out what they actually have. That means getting a clear view of every certificate across the environment, instead of relying on scattered notes or pieces of information that different people happen to hold. For public-facing hosts, Certificate Transparency logs give an outside-in starting point; internal listeners, service meshes, message brokers, and device certificates only surface through scanning and through the teams that own them.<\/p>\n<p>Visibility should be \u201cthe absolute first priority,\u201d says Pete Clay, CISO at Aireon. Without a complete and continuously updated inventory of certificates \u2014 knowing exactly what certificates exist, where they\u2019re deployed, and what systems depend on them \u2014 no amount of automation or tooling will prevent outages.<\/p>\n<p>\u201cWe\u2019re investing in a living cryptographic inventory that doesn\u2019t just track SSL\/TLS certificates, but also keys, algorithms, identities, and their business, risk, and regulatory context within our organization and ties all of that to risk,\u201d he says. \u201cEvery cert is tied to an owner, an expiration date, and a system dependency, and supported with continuous lifecycle-based communication with those owners. That inventory drives automated notifications, so no expiration sneaks up on us.\u201d<\/p>\n<p>The second priority should be automation. Clay argues that as certificate lifespans shrink, manual renewal cycles are no longer realistic. 
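<\/p>\n<p>Automation only helps if the renewal trigger itself survives the lifespan cuts. The Python below is an added example, not code from the article or from any organization quoted in it: it encodes the 398, 200, 100 and 47-day schedule given at the top of the page and compares a hard-coded renewal timer with a policy that renews once a fixed share of each certificate\u2019s validity has elapsed. The issuance dates, the 60-day timer and the 70% threshold are illustrative choices, and the certificates are constructed rather than read from real hosts.<\/p>

```python
from datetime import date, datetime, timedelta, timezone

# Maximum lifetime of a publicly trusted TLS certificate by issuance date, following the
# CA/Browser Forum schedule quoted in the article: 398 days today, 200 from 15 March 2026,
# 100 from 15 March 2027 and 47 from 15 March 2029. Each step binds certificates issued
# on or after its date.
LIFETIME_SCHEDULE = (
    (date(2026, 3, 15), 200),
    (date(2027, 3, 15), 100),
    (date(2029, 3, 15), 47),
)


def max_lifetime_days(issued_on):
    'Longest validity a public CA may issue for a certificate whose notBefore is issued_on.'
    limit = 398
    for cutoff, days in LIFETIME_SCHEDULE:
        if issued_on >= cutoff:
            limit = days
    return limit


def renew_at_fixed_interval(not_before, interval_days):
    'Policy A: renew a fixed number of days after issuance (a hard-coded timer or cron entry).'
    return not_before + timedelta(days=interval_days)


def renew_at_percent(not_before, not_after, percent):
    'Policy B: renew once percent of the validity window has elapsed, so it scales with lifetime.'
    return not_before + (not_after - not_before) * percent // 100


def margin(renew_at, not_after):
    'Validity left when renewal fires. Negative means clients were already seeing an expired cert.'
    return not_after - renew_at


def should_renew(now, not_before, not_after, percent=70):
    'Cron-style check for policy B: true once the renewal instant has passed.'
    return now >= renew_at_percent(not_before, not_after, percent)


def compare_policies(issued_on, interval_days=60, percent=70):
    'Margins both policies leave for a certificate issued on issued_on at the maximum allowed lifetime.'
    lifetime = max_lifetime_days(issued_on)
    not_before = datetime.combine(issued_on, datetime.min.time(), tzinfo=timezone.utc)
    not_after = not_before + timedelta(days=lifetime)
    fixed = margin(renew_at_fixed_interval(not_before, interval_days), not_after)
    return {
        'lifetime_days': lifetime,
        'fixed': fixed,
        'fixed_misses': fixed < timedelta(0),
        'percent': margin(renew_at_percent(not_before, not_after, percent), not_after),
    }


if __name__ == '__main__':
    # Constructed issuance dates, one per step of the schedule (not real certificates).
    for issued in (date(2025, 12, 1), date(2026, 4, 1), date(2027, 4, 1), date(2029, 4, 1)):
        r = compare_policies(issued)
        print(issued, r['lifetime_days'], 'days: 60-day timer leaves', r['fixed'],
              '| 70% policy leaves', r['percent'],
              '| OUTAGE' if r['fixed_misses'] else '')
```

<p>Run it directly to print the margin each policy leaves at each step of the schedule; the fixed timer goes negative at 47 days, which is the outage. A real renewal job would take notBefore and notAfter from the deployed certificate instead of constructing them.<\/p>\n<p>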
His team is moving toward centralized certificate management with automated issuance and renewal, and he recommends others do the same.<\/p>\n<p>Ideally, that means using APIs or workflows built on the Automatic Certificate Management Environment (ACME) protocol, standardized as RFC 8555. ACME is an open standard for automated interaction between a certificate authority and the systems it issues to: the client proves control of each name by answering a challenge (for example, by publishing a token over HTTP or in DNS), then requests, renews, and replaces certificates programmatically, so the same job can run on every host with no person in the loop. Public CAs such as Let\u2019s Encrypt expose it, and many commercial and private CAs now do as well.<\/p>\n<p>\u201cCertificates are issued, deployed, and validated automatically across environments, whether that\u2019s cloud load balancers, Kubernetes clusters, or on-prem gateways,\u201d Clay says. \u201cThe goal is to make renewal a background process, not an emergency project, but <em>always <\/em>supported by communication and accountability.\u201d<\/p>\n<p>Vira Tkachenko, chief technology and innovation officer at MacPaw, agrees. She explains that her team is using ACME to automate certificate renewals in environments where it is supported, such as their Cloudflare setup and virtual servers with Let\u2019s Encrypt. In areas where ACME is not yet available, they are in the process of establishing a centralized certificate inventory to maintain visibility and prevent unexpected expirations.<\/p>\n<p>Lawson follows a similar approach at MidFirst Bank. \u201cFirst, we deployed enterprise-grade certificate lifecycle management (CLM) platforms with AI-driven automation to handle issuance, renewal, and revocation seamlessly across our hybrid cloud environments,\u201d he says. \u201cSecond, we conducted comprehensive audits and built a centralized PKI dashboard that provides real-time visibility into every certificate, correlated with threat intelligence feeds to prioritize high-risk assets.\u201d<\/p>\n<p>Additionally, the bank partnered with leading certificate authorities to pilot post-quantum cryptography integrations. 
By doing this, they aim to future-proof their infrastructure against emerging quantum threats.<\/p>\n<p>Adapting to shorter certificate lifespans shouldn\u2019t be treated as a one-off technical chore, adds Lawson. These changes need to be woven into the larger digital transformation strategies shaping how organizations secure and operate their systems.<\/p>\n<p>Just as importantly, the business impact should be communicated clearly, so leadership understands that certificate automation is a must. \u201cAn expired certificate isn\u2019t a tech glitch\u2014it\u2019s downtime, lost revenue, and brand damage,\u201d says Clay. \u201cCISOs who frame this as resilience and trust management, not just compliance, get the investment and executive attention they need before the next outage happens.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Pro tips for CISOs<\/h2>\n<p>Although the deadline is approaching, some organizations still do not have a full certificate management strategy in place. \u201cThey will be the first to feel the effects of unexpected downtime,\u201d says Jason Soroko, senior fellow at Sectigo. Luckily, though, there are steps they can take now to prevent an outage.<\/p>\n<p>While automation is important as certificates expire more quickly, how it is implemented matters. Renewing on a hard-coded schedule, whether a fixed interval after issuance or a fixed number of days before expiry, stops being safe once lifespans shrink past the numbers that were chosen. The alternative is renewing based on a percentage of the certificate\u2019s lifetime, and this method has an advantage: the timing adjusts automatically when the lifespan shortens. Clients that support ACME Renewal Information (ARI) can go a step further and let the CA suggest the renewal window, which also allows the CA to pull renewals forward when it has to revoke.<\/p>\n<p>\u201cHard-coded renewal periods are likely to be too long at some point, whereas percentage renewal periods should be fine,\u201d says Josh Aas, executive director of the Internet Security Research Group (ISRG), the nonprofit entity behind Let\u2019s Encrypt. 
\u201cFor example, an ACME client that renews every 60 days will eventually wait too long once certificate lifetimes are less than that, whereas a client that renews at 70% of a certificate\u2019s lifetime should be fine.\u201d<\/p>\n<p>Another important step is to set up alerts, adds Clay. Use continuous scanning to detect certificates that are getting close to expiring and send automatic notifications when they need attention. Connect those alerts to your team\u2019s ticketing or chat tools, so they are seen immediately. Alert thresholds need the same treatment as renewal timing: a fixed 30-day warning is noise for a 47-day certificate that should already have renewed, so express the threshold as a fraction of remaining lifetime, and alert on a failed or skipped automated renewal, not only on approaching expiry. \u201cIt\u2019s not glamorous, but it\u2019s the difference between staying ahead of the problem and getting the 2AM outage call,\u201d Clay says.<\/p>\n<p>It also helps to have a clearly designated person to oversee the certificate lifecycle, ideally someone in security with responsibility for cryptography or public key infrastructure (PKI). \u201cFragmented responsibility is what causes outages and finger-pointing,\u201d adds Clay. \u201cBuild a single policy that defines how certificates are requested, purchased, approved, renewed, and revoked. Even a lightweight governance model will reduce chaos immediately and reduce your risks.\u201d<\/p>\n<p>Pete Nicoletti, global field CISO at Check Point, adds that CISOs should also make sure everyone is on the same page. That means DevSecOps teams know the basics of good certificate hygiene. He also recommends running expiration tabletop exercises, so rapid response becomes second nature.<\/p>\n<p>Lastly, certificate health needs to be tracked just like any other governance metric. \u201cInclude metrics for renewals completed on time, expiring certificates, and key rotation compliance,\u201d Clay adds. 
\u201cWhen executives see those numbers trending in the right direction, it reinforces that crypto isn\u2019t just a technical function \u2014 it\u2019s a core part of operational resilience.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Mistakes CISOs can make<\/h2>\n<p>As certificate lifespans shorten, the pressure to adapt can lead to missteps or blind spots. One of the biggest is assuming the change only affects public-facing websites. \u201cInternal TLS, mTLS, brokers, and device certificates can cause nasty outages because they are not observable [in Certificate Transparency (CT) logs] and often lack ACME paths,\u201d Shattuck says. The new limits bind only publicly trusted CAs, so an internal PKI can keep issuing longer certificates, but that is exactly where spreadsheets and manual renewals tend to survive longest.<\/p>\n<p>Another common mistake is underestimating the value of <a href=\"https:\/\/www.csoonline.com\/article\/518982\/tabletop-exercise-scenarios.html\">tabletop exercises<\/a>. Soroko recommends scenarios like: \u2018We have to revoke and replace all of our certificates in 24 hours due to mis-issuance,\u2019 or \u2018We have to revoke and replace all of our RSA certificates because RSA has just been deprecated.\u2019 The first is not far-fetched: the CA\/Browser Forum Baseline Requirements already oblige a CA to revoke within 24 hours for the most serious problems, such as key compromise, and within five days for most others, so a subscriber can be forced onto that timeline with no notice. By running these exercises, CISOs can quickly find out if their organization is truly prepared.<\/p>\n<p>A third trap is treating shorter certificate lifespans as a purely technical issue, which can be solved by automation alone. This is risky because the cultural and workflow shift required to support continuous renewal is often the hardest part, says Nicoletti. \u201cWithout investing in team upskilling and change management, resistance to automation could stall progress, leaving your organization exposed in a landscape where agility is non-negotiable,\u201d he adds.<\/p>\n<p>Finally, as 15 March 2026 approaches, perhaps the biggest mistake CISOs can make is assuming there is still plenty of time to adjust. This isn\u2019t a future problem. The shift is already underway, and organizations that delay will face a much harder transition later.<\/p>\n<p>\u201cCertificates do not expire unexpectedly,\u201d says Soroko. 
\u201cThey have a stated lifetime that does not change after the certificate is issued.\u201d Taking early action can be the difference between managing certificates predictably and risking an avoidable outage.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>For years, organizations used SSL\/TLS certificates with long lifespans, reviewing and renewing them only occasionally. That is about to change. On 15 March 2026, the maximum lifespan of a TLS certificate will be cut from 398 days to 200 days. Then, a year later, the limit will drop again to 100 days, and by 2029 [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":6051,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-6050","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/6050"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6050"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/6050\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/6051"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6050"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6050"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurit
yinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6050"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}