Now, PKI is entering a new phase. Over the coming years, certificate lifetimes will be dramatically reduced, fundamentally changing how organisations must manage trust, security, and operations.
Why Certificate Lifetimes Are Being Reduced
For many years, publicly trusted SSL/TLS certificates were valid for over a year. While convenient, long-lived certificates also increased risk:
- A compromised private key remains usable for longer.
- Incorrect or outdated certificate data persists.
- Manual handling becomes harder to control at scale.
To strengthen the security of the internet, browser vendors and certificate authorities have agreed to progressively shorten certificate validity periods. Shorter lifetimes reduce exposure, limit the impact of misissuance, and encourage modern, automated security practices.
What Is Changing – and When
The changes are defined by the CA/Browser Forum, the industry group responsible for certificate baseline requirements.
The current maximum certificate lifetime of 398 days will be reduced in phases:
- March 2026 – Maximum validity reduced to 200 days
- March 2027 – Maximum validity reduced to 100 days
- March 2029 – Maximum validity reduced to 47 days
At the same time, the allowed reuse period for domain validation will also be shortened. This means organisations will need to renew certificates far more frequently - and revalidate ownership more often.
What This Means for Organisations
More Renewals, Less Margin for Error
Moving from annual renewals to certificates that expire every few weeks fundamentally changes the operational model. Processes that once worked with spreadsheets, reminders, or manual workflows will no longer scale.
Certificate-related outages are already one of the most common causes of service disruption. With shorter lifetimes, the risk increases unless organisations adapt.
Improved Security – If Managed Correctly
From a security perspective, shorter certificate lifetimes are a positive change. If a key is compromised, the window of exposure is significantly reduced. When combined with proper monitoring, automation, and governance, this leads to a stronger and more resilient security posture.
Automation Becomes Essential
With certificates potentially expiring every 47 days, automation is no longer optional.
Certificate lifecycle management must be predictable, repeatable, and integrated into existing systems and workflows - from infrastructure and applications to DevOps pipelines and cloud platforms.
From Manual PKI to Managed Trust
This shift is pushing many organisations to rethink how PKI is handled internally.
Instead of treating certificates as isolated technical tasks, PKI increasingly needs to be managed as critical infrastructure - with clear ownership, visibility, and automation.
Modern PKI platforms, such as the DigiCert ONE platform, are designed specifically for this reality. They provide centralised certificate lifecycle management, automated issuance and renewal, and full visibility across both public and private trust environments.
Rather than tracking certificates in multiple tools and teams, organisations gain a single, consistent view of their trust landscape - reducing operational risk and simplifying compliance.
Preparing for Shorter Certificate Lifetimes
Although the final changes are still a few years away, organisations that start preparing now will avoid unnecessary stress later.
Key steps include:
- Gaining full visibility into all certificates across environments
- Eliminating manual renewal processes through automation
- Implementing monitoring to prevent unexpected expirations
- Aligning PKI strategy with broader security and compliance goals
Just as importantly, PKI must be integrated into existing IT and security processes - not managed as a standalone concern.
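The visibility and monitoring steps above are easier to reason about with something concrete. The script below is an added example written for this post, not code from Excedo or DigiCert: it encodes the phased maximum validity from the schedule above (398, then 200, 100 and 47 days), reads certificate dates in the format `openssl x509 -noout -dates` prints, and flags each certificate in a small constructed inventory as expired, due for renewal, or longer than the limit in force on its issue date. Two things are assumptions of the example rather than statements from the post: the cutover day within each March (the 15th is used here), and the renewal trigger of two thirds of the lifetime elapsed, which for a 47-day certificate leaves roughly two weeks to notice and fix a failed automated renewal before the outage the post warns about.

```python
"""Renewal-policy checks for a certificate inventory under shortening lifetimes.

Added example, standard library only. It encodes the phased maximum validity
described in the post and flags certificates that are expired, due for
renewal, or longer than the limit in force on their issue date.
"""
from datetime import date, datetime, timezone

# Phased maximum validity (days) from the CA/Browser Forum schedule in the post.
# The post names only the month; the cutover day (the 15th) is assumed here.
VALIDITY_PHASES = [
    (date(2029, 3, 15), 47),
    (date(2027, 3, 15), 100),
    (date(2026, 3, 15), 200),
]
CURRENT_MAX_DAYS = 398

# Policy choice for this example: trigger renewal once two thirds of the
# lifetime has elapsed, so a 47-day certificate is renewed after ~31 days and
# roughly two weeks remain to detect and repair a failed renewal.
RENEW_AT_FRACTION = 2 / 3


def max_validity_days(issued_on) -> int:
    """Maximum lifetime allowed for a certificate issued on the given date."""
    if isinstance(issued_on, datetime):
        issued_on = issued_on.date()
    for phase_start, days in VALIDITY_PHASES:
        if issued_on >= phase_start:
            return days
    return CURRENT_MAX_DAYS


def parse_openssl_date(line: str) -> datetime:
    """Parse one line of `openssl x509 -noout -dates` output, e.g.
    'notAfter=Mar  1 12:00:00 2026 GMT', into an aware UTC datetime."""
    _, _, value = line.partition("=")
    parsed = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y %Z")
    return parsed.replace(tzinfo=timezone.utc)


def assess(name: str, not_before: datetime, not_after: datetime, now: datetime) -> dict:
    """Classify one certificate relative to `now` and to the validity limit."""
    lifetime = not_after - not_before
    allowed = max_validity_days(not_before)
    if now >= not_after:
        status = "expired"
    elif now - not_before >= lifetime * RENEW_AT_FRACTION:
        status = "renew-now"
    else:
        status = "ok"
    return {
        "name": name,
        "status": status,
        "days_left": (not_after - now).days,
        "lifetime_days": lifetime.days,
        "max_allowed_days": allowed,
        "exceeds_max": lifetime.days > allowed,  # longer than the phase permits
    }


def check_inventory(inventory, now: datetime) -> list:
    """Run `assess` over (name, notBefore line, notAfter line) records."""
    return [
        assess(name, parse_openssl_date(nb), parse_openssl_date(na), now)
        for name, nb, na in inventory
    ]


# Constructed sample inventory, in the format `openssl x509 -noout -dates` prints.
SAMPLE_INVENTORY = [
    ("legacy-365d",    "notBefore=Jun  1 00:00:00 2025 GMT", "notAfter=Jun  1 00:00:00 2026 GMT"),
    ("short-47d",      "notBefore=Mar 20 00:00:00 2026 GMT", "notAfter=May  6 00:00:00 2026 GMT"),
    ("oversized-300d", "notBefore=Mar 16 00:00:00 2026 GMT", "notAfter=Jan 10 00:00:00 2027 GMT"),
    ("lapsed-59d",     "notBefore=Jan  1 00:00:00 2026 GMT", "notAfter=Mar  1 00:00:00 2026 GMT"),
]
NOW = datetime(2026, 4, 1, tzinfo=timezone.utc)  # fixed evaluation time for the sample


if __name__ == "__main__":
    for finding in check_inventory(SAMPLE_INVENTORY, NOW):
        print(finding)
```

In practice the inventory would be fed from a scan of endpoints or from the lifecycle platform's export rather than hard-coded, and a "renew-now" finding that persists across two consecutive runs is the signal that automation has failed and a human needs to step in; the "exceeds_max" check is useful on internal CAs, where nothing stops an operator issuing a three-year certificate that public trust would reject.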
PKI as a Strategic Capability
Shorter certificate lifetimes are only one part of a broader shift in how digital trust is managed.
Increased transparency requirements, evolving compliance demands, cloud-native architectures, and future cryptographic changes will continue to reshape PKI strategies. Organisations that invest in robust PKI governance and lifecycle management will be better positioned to adapt - not just to these changes, but to whatever comes next.
Let Us Talk PKI
PKI does not have to be complex or reactive.
At Excedo, we help organisations design, operate, and modernise PKI solutions that are secure, scalable, and future-ready. Whether you are preparing for shorter certificate lifetimes, introducing automation, or reviewing your overall trust architecture, our experts can help you take control.
Contact Excedo to discuss how your PKI strategy can be ready for the changes ahead.
