TLS Certificates Valid for Only 47 Days: Why Organisations Must Automate Certificate Management Now

Published
15.06.2026

An expired certificate may initially seem like a minor technical issue. In reality, however, it can lead to system outages, production disruptions, and significant financial losses. With the gradual reduction of TLS certificate validity periods, managing digital certificates is becoming a critical challenge for IT security teams. Organisations that still rely on manual certificate management are facing increasing pressure. By 2029, publicly trusted TLS certificates will only be valid for 47 days. Without automated certificate management, meeting these requirements will become nearly impossible.


What Are Digital Certificates?

Digital certificates form the foundation of trust in modern IT infrastructures. They authenticate servers and applications, encrypt communication channels, and ensure the integrity of digital processes.

Digital certificates are commonly used for:

  • TLS/SSL connections for websites and applications
  • Code and document signing
  • S/MIME-secured email communication
  • VPN connections
  • IoT devices and connected industrial systems

When a certificate expires, applications may become inaccessible, or systems may refuse communication. Particularly concerning is the fact that many organisations lack complete certificate inventories and automated alerting mechanisms.


The CA/Browser Forum decision: the time bomb already ticking

In April 2025, the CA/Browser Forum—the association of certificate authorities and browser vendors whose members include Apple, Google, Mozilla, Microsoft, and DigiCert—adopted a decision that fundamentally changes the IT security landscape: the maximum validity period for publicly trusted TLS/SSL certificates will be gradually reduced from 398 to 47 days by March 2029. At the same time, the reuse period for domain validations will be limited to ten days.

Timeline: Gradual reduction of certificate lifetimes

– Until March 14, 2026: max. 398 days — today’s status quo
– From March 15, 2026: max. 200 days — first reduction in force
– From March 15, 2027: max. 100 days — manual processes become critical
– From March 15, 2029: max. 47 days — full automation becomes mandatory

What does this mean in practice?

A company that currently renews 500 certificates manually once a year will have to renew each certificate eight times per year from 2029 onward. That equals 4,000 renewal processes per year. Each process includes validation steps, testing, and deployment. No IT team can handle this manually. The first stage of the reduction to 200 days has already been in force since March 2026. Companies that have not implemented an automation strategy by 2027 risk their first unplanned certificate outage. This is not a forecast; it is a calculation.
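The renewal arithmetic above, generalised over the whole timeline, as an added example (not code from the original article). It assumes a 365-day year and, by default, renewal exactly at expiry, which is how the "eight times per year" figure is obtained; the optional `renew_before_days` buffer shows how a realistic safety margin pushes the count higher still.

```python
import math

# Maximum validity periods (days) from the CA/Browser Forum timeline on this page.
LIFETIME_PHASES = {
    "until 2026-03-14": 398,
    "from 2026-03-15": 200,
    "from 2027-03-15": 100,
    "from 2029-03-15": 47,
}


def renewals_per_year(max_lifetime_days: int, renew_before_days: int = 0) -> int:
    """Number of renewals one certificate needs per year.

    `renew_before_days` is how many days before expiry the certificate is
    renewed (0 = renewed exactly at expiry). The result is rounded up,
    because a partial renewal cycle still has to be carried out.
    """
    interval = max_lifetime_days - renew_before_days
    if interval <= 0:
        raise ValueError("renewal buffer must be shorter than the certificate lifetime")
    return math.ceil(365 / interval)


def annual_renewal_load(cert_count: int, max_lifetime_days: int, renew_before_days: int = 0) -> int:
    """Total renewal processes per year for an inventory of `cert_count` certificates."""
    return cert_count * renewals_per_year(max_lifetime_days, renew_before_days)


def load_table(cert_count: int, renew_before_days: int = 0) -> dict:
    """Annual renewal load for each phase of the timeline."""
    return {
        phase: annual_renewal_load(cert_count, days, renew_before_days)
        for phase, days in LIFETIME_PHASES.items()
    }


if __name__ == "__main__":
    # The article's scenario: 500 certificates, renewed at expiry.
    for phase, load in load_table(500).items():
        print(f"{phase:>18}: {load:>5} renewals per year")
    # With a one-week safety buffer the 47-day phase needs 10 renewals per certificate.
    print("47-day certs, 7-day buffer:", renewals_per_year(47, 7), "renewals per certificate per year")
```

Running the table for 500 certificates reproduces the article's 4,000 renewals per year for the 47-day phase; with a 7-day renewal buffer the per-certificate figure rises from 8 to 10, so the load estimate in the text is a lower bound.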

From technical issue to governance priority: what CLM means

Certificate Lifecycle Management (CLM) is the systematic management of digital certificates throughout their entire lifecycle: issuance, renewal, revocation, inventory. It is no longer a niche topic for security specialists; it is a governance requirement that follows directly from NIS2 §30 No. 8 (“cryptography and encryption”).

Mature CLM is structured on three levels: Strategically, the governance model, encryption policy and responsibilities are defined. Tactically, the CA hierarchy, certificate classes and issuance processes are determined. Operationally, automation takes place: discovery of all certificates, automated renewal via the ACME standard, continuous monitoring and integrated incident handling.
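The operational level described above (an inventory plus continuous monitoring, which the earlier section notes many organisations lack) as an added example, not code from the original article. The inventory records are constructed sample data in the `notBefore`/`notAfter` format that Python's `ssl.getpeercert()` returns; `fetch_validity` shows how a live discovery scan would populate such a record but is not used offline. The renewal rule is an assumption: a certificate is flagged once less than a third of its lifetime remains, which is the proportion behind certbot's default of renewing a 90-day certificate when fewer than 30 days are left.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample inventory, as a discovery scan might record it.
SAMPLE_INVENTORY = [
    {"name": "www.example.com", "notBefore": "Apr 30 00:00:00 2026 GMT", "notAfter": "Jun 30 00:00:00 2026 GMT"},
    {"name": "api.example.com", "notBefore": "Jun 01 00:00:00 2026 GMT", "notAfter": "Jul 31 00:00:00 2026 GMT"},
    {"name": "legacy.example.com", "notBefore": "May 01 00:00:00 2025 GMT", "notAfter": "Jun 01 00:00:00 2026 GMT"},
    {"name": "vpn.example.com", "notBefore": "Jun 10 00:00:00 2026 GMT", "notAfter": "Jul 27 00:00:00 2026 GMT"},
]

# Fixed "now" so the sample run is reproducible (the article's publication date).
AS_OF = datetime(2026, 6, 15, tzinfo=timezone.utc)


def _to_datetime(cert_time: str) -> datetime:
    """Parse a getpeercert()-style time string ('Jun 30 00:00:00 2026 GMT') as UTC."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)


def lifetime_days(not_before: str, not_after: str) -> float:
    """Total validity period of the certificate in days."""
    return (_to_datetime(not_after) - _to_datetime(not_before)).total_seconds() / 86400


def days_remaining(not_after: str, now: datetime) -> float:
    """Days until expiry; negative once the certificate has expired."""
    return (_to_datetime(not_after) - now).total_seconds() / 86400


def renewal_due(entry: dict, now: datetime, fraction: float = 1 / 3) -> bool:
    """Assumed renewal rule: renew once less than `fraction` of the lifetime remains."""
    remaining = days_remaining(entry["notAfter"], now)
    return remaining < fraction * lifetime_days(entry["notBefore"], entry["notAfter"])


def triage(inventory: list, now: datetime) -> dict:
    """Sort an inventory into expired, renewal-due and healthy certificates."""
    report = {"expired": [], "due": [], "ok": []}
    for entry in inventory:
        if days_remaining(entry["notAfter"], now) <= 0:
            report["expired"].append(entry["name"])
        elif renewal_due(entry, now):
            report["due"].append(entry["name"])
        else:
            report["ok"].append(entry["name"])
    return report


def triage_sample() -> dict:
    """Run the triage over the constructed sample at the fixed reference date."""
    return triage(SAMPLE_INVENTORY, AS_OF)


def fetch_validity(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live discovery helper: read the validity period of the certificate a host serves.
    Requires network access, so it is not exercised by the offline sample."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return {"name": host, "notBefore": cert["notBefore"], "notAfter": cert["notAfter"]}


if __name__ == "__main__":
    for status, names in triage_sample().items():
        print(f"{status:>8}: {', '.join(names) or '-'}")
```

On the sample, `legacy.example.com` is already expired (the outage case the article warns about), `www.example.com` has 15 of 61 days left and is flagged for renewal, and the 47-day `vpn.example.com` is still healthy with 42 days remaining; its renewal window opens after roughly a month, which is the cadence an automated ACME client, not a ticket queue, has to keep.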

The ACME standard (Automated Certificate Management Environment) is the industry-recognised protocol for automated certificate issuance and renewal. It is supported by all leading Certificate Authorities and is the technical prerequisite for handling the 47-day requirements from 2029.

Convergence of requirements: when regulation and operations push at the same time

What makes the challenge in certificate management particularly urgent is the convergence of several developments: The shortening of lifetimes by the CA/Browser Forum increases operational pressure exponentially. NIS2 §30 No. 8 creates a regulatory obligation to provide proof for cryptographic processes. DORA (Digital Operational Resilience Act) sets specific requirements for digital operational resilience in the financial sector. And eIDAS 2.0 sharpens the requirements for qualified electronic signatures and trust services. Organisations that treat these requirements as individual problems will be structurally overwhelmed. Only an integrated, highly automated trust infrastructure that covers all digital identities holistically is sustainable in the long term.

Conclusion: those who do not act now will pay in 2029

The reduction to 47 days is decided. The timeline is published. The regulatory requirements are in force. What is missing now in many organisations is the organisational response: a complete inventory, a clear governance structure and an automation plan with a realistic time horizon. CLM projects from discovery to fully automated renewal typically take six to twelve months. Those who are still working manually in 2027 have already used up their buffer. The right time to act was yesterday. The next best is today.