An expired certificate sounds like a marginal technical issue. In reality, it is a governance failure with measurable financial consequences. And from 2029 onward, this problem will become structurally unsolvable for any company without automated certificate management.
What digital certificates are and why they are critical infrastructure
Digital certificates are the identity documents of the digital world. They authenticate servers and services (TLS/SSL), sign code and documents, protect email communication (S/MIME), secure VPN connections, and identify IoT devices on the network. Without valid certificates, critical systems cannot communicate, users cannot be authenticated, and transactions cannot take place. What makes this particularly problematic: nothing warns before a certificate expires. There is no alarm, no dashboard warning, no automatic escalation, except in organizations that have built that warning themselves. Everywhere else the first symptom is the failure itself: a TLS handshake rejected by every client, a VPN that will not connect, a signature that no longer validates. And this failure does not affect operations alone; depending on the context, it also raises liability questions.
Internationally active industrial companies typically manage several hundred to thousands of certificates across different platforms, organizational units, and locations. In the majority of cases, this is still done predominantly manually, without a central overview, with unclear responsibilities, and without systematic monitoring.
The CA/Browser Forum decision: the time bomb already ticking
In April 2025, the CA/Browser Forum (the association of certificate authorities and browser vendors whose members include Apple, Google, Mozilla, Microsoft, and DigiCert) passed ballot SC-081v3, a decision that fundamentally changes the IT security landscape: the maximum validity period for publicly trusted TLS/SSL certificates will be reduced in steps from 398 to 47 days by March 2029. The period for which a completed domain validation may be reused shrinks on the same schedule, down to ten days by March 2029, so from then on practically every renewal has to repeat the validation as well.
Timeline: Gradual reduction of certificate lifetimes
– Until March 14, 2026: max. 398 days — today’s status quo
– From March 15, 2026: max. 200 days — first reduction in force
– From March 15, 2027: max. 100 days — manual processes become critical
– From March 15, 2029: max. 47 days — full automation becomes mandatory
What does this mean in practice?
A company that currently renews 500 certificates manually once a year will have to renew each certificate roughly eight times per year from 2029 onward (365 / 47 ≈ 7.8). That is around 4,000 renewal processes per year. Each process includes domain validation, key generation and issuance, deployment to every host that serves the certificate, and a check that the new certificate is actually the one being served. No IT team can handle this manually. The first stage of the reduction to 200 days has already been in force since March 2026. Companies that have not implemented an automation strategy by 2027 risk their first unplanned certificate outage. This is not a forecast; it is a calculation.
From technical issue to governance priority: what CLM means
Certificate Lifecycle Management (CLM) is the systematic management of digital certificates throughout their entire lifecycle: discovery and inventory, issuance, deployment, renewal, and revocation. It is no longer a niche topic for security specialists; it is a governance requirement that follows directly from NIS2 §30 No. 8 (“cryptography and encryption”), the German transposition of Art. 21(2)(h) of the NIS2 directive, which requires policies and procedures for the use of cryptography.
Mature CLM is structured on three levels: Strategically, the governance model, encryption policy and responsibilities are defined. Tactically, the CA hierarchy, certificate classes and issuance processes are determined. Operationally, automation takes place: discovery of all certificates, automated renewal via the ACME standard, continuous monitoring and integrated incident handling.
The ACME protocol (Automated Certificate Management Environment, RFC 8555) is the established standard for automated certificate issuance and renewal. It is supported by the major public Certificate Authorities and is the technical prerequisite for handling the 47-day requirement from 2029. Two practical consequences follow. First, ACME automates the domain validation itself (HTTP-01 or DNS-01 challenges), which matters because a ten-day validation reuse window means every renewal revalidates; DNS-01 therefore needs API access to the DNS zone, and that credential has to be protected like any other secret. Second, the ACME client must be able to install the new certificate and reload the service without a human in the loop; a renewal that succeeds at the CA but never reaches the load balancer is still an outage.
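As an added example (not part of the original article, and not any vendor's CLM product), the following Go program, standard library only, does the operational core of what the discovery, monitoring and lifetime sections above describe: it parses a PEM bundle of discovered certificates, reports the days of validity left, flags renewal under the common ACME-client rule of renewing once a third of the lifetime remains (an assumption taken from Let's Encrypt's 90-day/renew-at-30 guidance, not from the article), and checks each certificate's validity period against the CA/Browser Forum schedule. The three certificates are constructed self-signed fixtures with hard-coded dates, and the "today" of 1 April 2029 is likewise chosen for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

const day = 24 * time.Hour
func date(y int, m time.Month, d int) time.Time { return time.Date(y, m, d, 0, 0, 0, 0, time.UTC) }

// MaxLifetime is the CA/Browser Forum cap (ballot SC-081v3) for a certificate issued at t.
func MaxLifetime(t time.Time) time.Duration {
	switch {
	case !t.Before(date(2029, 3, 15)):
		return 47 * day
	case !t.Before(date(2027, 3, 15)):
		return 100 * day
	case !t.Before(date(2026, 3, 15)):
		return 200 * day
	}
	return 398 * day
}

// Finding is one inventory row: what a monitoring job reports per certificate.
type Finding struct {
	Subject    string
	NotAfter   time.Time
	DaysLeft   int    // whole days of validity left; negative once expired
	Status     string // "ok", "renew-due" or "expired"
	ExceedsCap bool   // validity longer than the CA/B Forum cap at issuance time
}

// Assess classifies a certificate as seen at time now. Renewal is flagged once a third of
// the lifetime remains (ACME-client convention, assumed here), leaving room to retry failures.
func Assess(cert *x509.Certificate, now time.Time) Finding {
	lifetime := cert.NotAfter.Sub(cert.NotBefore)
	remaining := cert.NotAfter.Sub(now)
	f := Finding{Subject: cert.Subject.CommonName, NotAfter: cert.NotAfter, Status: "ok",
		DaysLeft: int(remaining / day), ExceedsCap: lifetime > MaxLifetime(cert.NotBefore)}
	switch {
	case remaining <= 0:
		f.Status = "expired"
	case remaining <= lifetime/3:
		f.Status = "renew-due"
	}
	return f
}

// AssessPEM walks every CERTIFICATE block in a PEM bundle, the form a discovery job
// produces when it dumps what it found on hosts and in key stores.
func AssessPEM(bundle []byte, now time.Time) ([]Finding, error) {
	var findings []Finding
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parsing certificate: %w", err)
		}
		findings = append(findings, Assess(cert, now))
	}
	return findings, nil
}

// SampleCert is a constructed self-signed fixture (fixed throwaway key, no extensions);
// a real inventory reads PEM files, TLS endpoints and CA exports instead.
func SampleCert(cn string, issued time.Time, lifetime time.Duration) []byte {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: issued, NotAfter: issued.Add(lifetime)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	now := date(2029, 4, 1) // a "today" on which the 47-day cap already applies
	bundle := bytes.Join([][]byte{
		SampleCert("api.example.test", date(2029, 3, 20), 47*day),    // fresh, within cap
		SampleCert("shop.example.test", date(2029, 1, 15), 100*day),  // 24 days left: renew
		SampleCert("legacy.example.test", date(2028, 1, 1), 398*day), // expired, over cap
	}, nil)
	findings, err := AssessPEM(bundle, now)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%+v\n", f)
	}
}
```

Run it with `go run`. In a real deployment the bundle comes from the discovery job and `now` is the wall clock; an empty result should be treated as a discovery failure rather than a clean bill of health, and the cap check applies only to publicly trusted certificates, since a private CA may legitimately issue longer-lived ones.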
Convergence of requirements: when regulation and operations push at the same time
What makes the challenge in certificate management particularly urgent is the convergence of several developments: The shortening of lifetimes by the CA/Browser Forum multiplies the operational workload by roughly an order of magnitude. NIS2 §30 No. 8 creates a regulatory obligation to have, document and be able to demonstrate policies and procedures for cryptographic processes. DORA (Digital Operational Resilience Act) sets specific requirements for digital operational resilience in the financial sector. And eIDAS 2.0 sharpens the requirements for qualified electronic signatures and trust services. Organisations that treat these requirements as individual problems will be structurally overwhelmed. Only an integrated, highly automated trust infrastructure that covers all digital identities holistically is sustainable in the long term.
Conclusion: those who do not act now will pay in 2029
The reduction to 47 days is decided. The timeline is published. The regulatory requirements are in force. What is missing now in many organisations is the organisational response: a complete inventory, a clear governance structure and an automation plan with a realistic time horizon. CLM projects from discovery to fully automated renewal typically take six to twelve months. Those who are still working manually in 2027 have already used up their buffer. The right time to act was yesterday. The next best is today.