In March 2025, the CA/Browser Forum approved an initiative driven by Apple and Google that will progressively reduce the maximum lifetime of publicly trusted TLS certificates. The timeline is clear:
- 2026: Maximum 200 days (down from 398 days)
- 2027: Maximum 100 days
- 2029: Maximum 47 days
For many organisations, this is not simply a technical change — it is a fundamental shift in the operational overhead required to maintain TLS certificates.
What manual certificate management actually costs in hours
At a 398-day lifetime, a certificate typically renews once a year. At 47 days, it renews roughly 7–8 times per year. For organisations managing 50–200 certificates manually — or semi-manually via calendar reminders and email chains — that is a 7–8x increase in workload.
To put hard numbers on it: assume a manual certificate renewal takes 2 hours end to end — spotting that expiry is approaching, coordinating with a vendor or internal IT, issuing, validating, deploying, and testing. With 100 certificates at a 398-day lifetime, that looks like:
- 100 renewals × 2 hours = 200 hours of work per year at 398-day lifetimes
- 100 certificates × 7.8 renewals × 2 hours = 1,560 hours of work per year at 47-day lifetimes
That is equivalent to more than three quarters of a full-time employee — spent exclusively on certificate renewal.
The 2026–2029 timeline: three years to adapt
Organisations that wait until 2029 to adapt will face the hardest transition. Those that start automating now can use the 2026–2029 window to gradually migrate systems to ACME-based automatic renewal and build the processes and governance needed for shorter lifetimes.
Organisations that begin in 2029 will have to implement fundamental changes under time pressure — a situation that, from experience, leads to mistakes and downtime.
Who is most exposed
Public sector organisations and local authorities are particularly exposed. Many run systems hosted by vendors that do not natively support ACME. Vendor dialogue, procurement processes, and contract amendments take time. The 2026–2029 window is narrow for organisations with complex vendor landscapes.
Organisations with on-premise infrastructure that cannot use ACME directly — internal certificate authorities, firewall-protected systems, specialised production equipment — face a different problem. What they need is an internal PKI strategy, not simply a migration to automatic renewal.
Organisations with many SaaS vendors need to track whether vendor-held certificates are properly managed. A 47-day certificate expiring at a business-critical SaaS vendor is your problem — even if you do not own the certificate.
Three concrete actions worth starting in 2026
1. Map all certificates and identify which can be automated. ACME-compatible infrastructure can move to automatic renewal relatively quickly. Systems that still require manual renewal are the ones that need a documented plan.
2. Implement automated monitoring across all certificates. With shorter lifetimes, spotting problems via calendar reminders is no longer viable. A central monitoring system that tracks all certificates and triggers alerts at critical thresholds is a prerequisite.
3. Start the vendor conversation now. For vendor-hosted systems — line-of-business applications, SaaS, public sector vendors — you need to understand whether the vendor supports automatic renewal and what their migration timeline looks like.
How CertControl handles the transition
The three actions described above — map certificates, implement automated monitoring, start vendor conversations — are precisely what CertControl is built to support:
- Automatic discovery of all certificates. CertControl queries Certificate Transparency logs to find every certificate ever issued to your domains — including those managed by vendors under your domain and those nobody internally knew about. The on-premise agent discovers internal certificates behind the firewall. The result is a complete register, not a manual list that is out of date from day one.
- ACME automation that eliminates the manual renewal burden. For certificates that support it, CertControl handles Let's Encrypt renewal automatically via HTTP-01 and DNS-01 challenges. An organisation with 100 ACME-compatible certificates does not need 1,560 hours of manual renewal work — it needs monitoring to confirm that automation is running correctly.
- Alerts at critical thresholds that actually reach the right people. Alerts are configured per certificate with thresholds matched to renewal complexity — 90 days for certificates held by third-party vendors, shorter for certificates you control directly. Alerts are routed to named owners, not a shared inbox.
- An audit log that proves ongoing governance. NIS2 requires documented evidence that monitoring was systematic. CertControl continuously builds the log that a regulator would expect to see — including which certificates were monitored, when alerts fired, and what happened next.
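A minimal version of the threshold monitoring described under action 2 and in the alerting bullet above, written as an added example (it is not CertControl's code). The inventory, owners and example.org names are constructed, the 90-day vendor threshold follows the text, and the 14-day threshold for directly controlled certificates is an assumed value; it also flags a threshold that exceeds a certificate's lifetime, which becomes easy to hit once lifetimes fall to 47 days.

```python
import ssl
import time

# Alert thresholds in days: 90 for vendor-held certificates follows the text;
# 14 for certificates under direct control is an assumed value.
POLICY = {"vendor_held": 90, "self_managed": 14}

# Constructed sample inventory; in practice it comes from CT-log and agent discovery.
# Dates use the OpenSSL text format that ssl.cert_time_to_seconds() parses.
INVENTORY = [
    {"name": "www.example.org", "owner": "web-team@example.org", "vendor_held": False,
     "not_before": "Jan  1 00:00:00 2026 GMT", "not_after": "Feb 17 00:00:00 2026 GMT"},
    {"name": "legacy.example.org", "owner": "web-team@example.org", "vendor_held": False,
     "not_before": "Dec  1 00:00:00 2025 GMT", "not_after": "Jan 17 00:00:00 2026 GMT"},
    {"name": "portal.example.org", "owner": "erp-vendor@example.org", "vendor_held": True,
     "not_before": "Jun  1 00:00:00 2025 GMT", "not_after": "Jul  4 00:00:00 2026 GMT"},
    {"name": "api.example.org", "owner": "saas-vendor@example.org", "vendor_held": True,
     "not_before": "Jan 20 00:00:00 2026 GMT", "not_after": "Mar  8 00:00:00 2026 GMT"},
]

def cert_seconds(cert_time):
    """Epoch seconds for a notBefore/notAfter string such as 'Jan  5 09:34:43 2018 GMT'."""
    return ssl.cert_time_to_seconds(cert_time)

def lifetime_days(cert):
    return (cert_seconds(cert["not_after"]) - cert_seconds(cert["not_before"])) / 86400

def days_remaining(cert, now):
    return (cert_seconds(cert["not_after"]) - now) / 86400

def threshold_for(cert):
    return POLICY["vendor_held"] if cert["vendor_held"] else POLICY["self_managed"]

def evaluate(inventory, now):
    """One (name, owner, state, days_left) record per certificate that needs attention."""
    findings = []
    for cert in inventory:
        remaining = round(days_remaining(cert, now))
        if remaining <= 0:
            findings.append((cert["name"], cert["owner"], "expired", remaining))
        elif threshold_for(cert) >= lifetime_days(cert):
            # Threshold exceeds the lifetime: the alert would fire from issuance; retune policy.
            findings.append((cert["name"], cert["owner"], "policy-misconfigured", remaining))
        elif remaining <= threshold_for(cert):
            findings.append((cert["name"], cert["owner"], "renew", remaining))
    return findings

if __name__ == "__main__":
    for finding in evaluate(INVENTORY, time.time()):
        print(*finding)
```

Each finding carries the named owner so it can be routed to a person rather than a shared inbox; the `policy-misconfigured` state is what a 90-day vendor threshold produces against a 47-day certificate.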