
There’s no debate about the importance of TLS certificates. They sit at the heart of security for websites, cloud platforms, APIs and internal services. But as certificate lifecycles begin to shorten from March 2026, what used to be an annual administrative task is becoming significantly more demanding.

For a long time, renewals were handled in the background as part of routine security operations, often manually and tracked on spreadsheets. That is not going to be sustainable going forward. As renewal cycles accelerate, organisations are having to look more closely at how much work is needed and whether their current approach can realistically keep up.

 
In recent discussions with enterprise security leaders, I’ve been working through what that shift really means in operational terms. When you translate lifecycle reductions into renewal volumes, hours and headcount, the scale becomes clear very quickly. 

Shorter certificate lifecycles and expanding machine identities 

The CA/Browser Forum has confirmed a phased reduction in the maximum validity period for publicly trusted TLS certificates, beginning in March 2026. The limit falls to 200 days in March 2026, to 100 days in March 2027 and to 47 days in March 2029. Once the 47-day cap is in place, even a certificate renewed on its last valid day needs renewing at least eight times a year (365 / 47 ≈ 7.8), compared with once a year under the previous cycle.

 
At the same time, machine identities are expanding rapidly and many of these also rely on certificates. CyberArk reports that machine identities currently outnumber human identities 82:1. This means organisations are not only renewing certificates more often, they are also managing more of them in the first place, across both public-facing and private environments.

Putting real numbers against lifecycle renewals

Let’s put some realistic numbers against this.  

 
If an organisation manages 2,000 publicly trusted TLS certificates, under the old 398-day lifecycle that means around 2,000 renewals per year, one per certificate. As validity periods reduce, that picture changes quickly.
 
At a 200-day maximum validity, which comes into effect in March 2026, each certificate needs renewing roughly 1.8 times per year (365 / 200). That is almost double the workload: 2,000 certificates become around 3,600 renewals annually.
 
At 100 days, which comes into effect in March 2027, renewal frequency rises to roughly 3.6 times per year, or around 7,200 renewals annually. Under the 47-day cap in 2029, each certificate must be renewed about 7.7 times per year, and 2,000 certificates become in the region of 15,500 renewals every year.
 
[Table: renewals per year and full-time staff required as TLS certificate lifecycles change]
 
These figures don’t allow any wiggle room for renewing prior to expiry, so I think they are realistically on the low side.
 
Now let’s apply a conservative time estimate. If each renewal takes four hours to validate, generate a new private key, create the CSR, submit the request, deploy and test, and a full-time engineer works 1,800 hours per year, the operational effort looks like this (derived from the figures above):

Maximum validity   Renewals/year   Engineer hours (4 h each)   FTE (1,800 h/year)
398 days           2,000           8,000                       4.4
200 days           3,600           14,400                      8.0
100 days           7,200           28,800                      16.0
47 days            15,500          62,000                      34.4

When renewal activity reaches this scale, it stops being absorbed into existing teams and becomes a defined operational cost. For many organisations, this cost runs into seven figures once headcount is factored in.
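The model below is an added example, not a tool from the article or from ProofID or CyberArk. It reproduces the arithmetic above (2,000 certificates, four hours per renewal, 1,800 engineer-hours per year) and adds the margin the article says its own figures leave out: certificates are renewed some way before expiry, so the effective lifetime is shorter than the cap. The two-thirds renewal point (the convention most ACME clients use), the 15 March phase-in dates and the placeholder start date for the legacy 398-day cap are assumptions for illustration.

```python
"""Renewal workload model for a TLS certificate estate.

Added example, not the article's own tool. Reproduces the article's
arithmetic and lets you vary the point at which a certificate is
renewed, which the article's renew-on-the-last-day figures ignore.
"""
from dataclasses import dataclass
from datetime import date

DAYS_PER_YEAR = 365

# Maximum validity of publicly trusted TLS certificates under the
# CA/Browser Forum phase-in the article describes. The 15 March dates
# and the start date of the legacy 398-day cap are assumptions here.
VALIDITY_SCHEDULE = [
    (date(2000, 1, 1), 398),
    (date(2026, 3, 15), 200),
    (date(2027, 3, 15), 100),
    (date(2029, 3, 15), 47),
]


@dataclass(frozen=True)
class Estate:
    certificates: int
    hours_per_renewal: float = 4.0      # article's estimate
    hours_per_fte_year: float = 1800.0  # article's estimate


@dataclass(frozen=True)
class Workload:
    validity_days: int
    renewals_per_cert: float   # per year
    renewals_per_year: int     # across the whole estate
    engineer_hours: float
    fte: float


def max_validity_on(day) -> int:
    """Validity cap in force on a date (date object or ISO string)."""
    if isinstance(day, str):
        day = date.fromisoformat(day)
    cap = VALIDITY_SCHEDULE[0][1]
    for start, days in VALIDITY_SCHEDULE:
        if day >= start:
            cap = days
    return cap


def workload(estate: Estate, validity_days: int, renew_at: float = 1.0) -> Workload:
    """Annual renewal effort at a given validity cap.

    renew_at is the fraction of the validity period after which a
    certificate is renewed: 1.0 reproduces the article's figures,
    2/3 models the margin ACME clients typically apply (assumption).
    """
    if not 0.0 < renew_at <= 1.0:
        raise ValueError("renew_at must be in (0, 1]")
    effective_lifetime = validity_days * renew_at
    per_cert = DAYS_PER_YEAR / effective_lifetime
    total = round(estate.certificates * per_cert)
    hours = total * estate.hours_per_renewal
    return Workload(
        validity_days=validity_days,
        renewals_per_cert=round(per_cert, 2),
        renewals_per_year=total,
        engineer_hours=hours,
        fte=round(hours / estate.hours_per_fte_year, 1),
    )


def projection(estate: Estate, renew_at: float = 1.0) -> list:
    """Workload at each step of the phase-in, in schedule order."""
    return [workload(estate, days, renew_at) for _, days in VALIDITY_SCHEDULE]


if __name__ == "__main__":
    estate = Estate(certificates=2000)
    for label, fraction in (("renew on expiry day", 1.0), ("renew at 2/3 of lifetime", 2 / 3)):
        print(f"\n{label}:")
        for w in projection(estate, fraction):
            print(f"  {w.validity_days:>3}-day cap: {w.renewals_per_year:>6} renewals/yr, "
                  f"{w.engineer_hours:>8.0f} h, {w.fte:>5.1f} FTE")
```

Running it with the two-thirds margin pushes the 47-day case from about 15,500 renewals to roughly 23,300 a year, which is the "low side" effect the article mentions made concrete.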

Operational and reputational exposure

According to research by CyberArk, 72% of organisations have experienced a certificate-related outage in the last year. We’ve seen that as many as 50% of P1 and P2 outages can be traced back to mismanaged or expired certificates. With numbers like that, certificate management starts to become a matter of operational resilience. 

 
These outages come with direct financial consequences. When a revenue-generating service goes down, transactions stop. Orders are abandoned and marketing spend continues while conversion drops. Engineering teams are pulled into urgent remediation outside of their planned work. The cost is not only the revenue lost during the incident, but the operational disruption that follows.  
 
Browser warnings introduce a different kind of cost. When customers see a “site not secure” message, it immediately challenges confidence. In sectors where digital trust underpins the brand, a public security warning is hard to shrug off. Even after the issue is fixed, doubt can linger, damaging reputation for the long run.  
 
As renewal cycles shorten and certificate volumes rise, the likelihood of oversight increases unless processes evolve. The underlying issue in many of these incidents is simply a lack of visibility into what’s live and when it expires. The impact of just one missed renewal can cost far more than a year of proactive management and automation. 

The case for automation

Automation is often treated as an additional budget line. In practice, it functions as a cost control mechanism. 
 
With automated policy-driven renewals and continuous discovery, certificates are identified, renewed and monitored as part of a defined operating model rather than a recurring administrative task. Visibility improves, and with it, confidence that certificates are governed consistently. 
 
The impact goes beyond hours saved. Reducing manual touchpoints also lowers the likelihood of expiry-related incidents. It protects revenue in customer-facing environments, helps safeguard reputation, and allows experienced security teams to focus on strategic initiatives, resilience and governance instead of repetitive renewal activity. 
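As an added example of the visibility and monitoring piece (this is not code from the article, nor a ProofID or CyberArk tool), the script below classifies each certificate in an inventory as expired, due for renewal, due soon or fine. It works on the dictionary form that Python's ssl.SSLSocket.getpeercert() returns, so the same logic applies to certificates discovered with a live handshake via fetch_peer_cert(). The inventory at the bottom is constructed so everything else runs offline; the two-thirds renewal point and the 14-day warning window are assumptions.

```python
"""Expiry and renewal-window check over a certificate inventory.

Added example, not from the original article. Entries use the dict form
returned by ssl.SSLSocket.getpeercert(); only notBefore/notAfter are
needed here (a real dict also carries subject, issuer, SANs, serial).
"""
import socket
import ssl
from datetime import datetime, timedelta, timezone


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live discovery: return the server's leaf certificate as getpeercert() reports it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def _cert_time(value: str) -> datetime:
    """getpeercert() renders validity dates as e.g. 'Mar 15 12:00:00 2026 GMT'."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def classify(cert: dict, now: datetime, renew_at: float = 2 / 3, warn_days: int = 14) -> str:
    """EXPIRED, RENEW_NOW (past the renewal point), RENEW_SOON (within warn_days of it) or OK.

    renew_at is the fraction of the validity period after which renewal is
    due (2/3 is the ACME-client convention; an assumption here).
    """
    not_before = _cert_time(cert["notBefore"])
    not_after = _cert_time(cert["notAfter"])
    renew_after = not_before + (not_after - not_before) * renew_at
    if now >= not_after:
        return "EXPIRED"
    if now >= renew_after:
        return "RENEW_NOW"
    if now + timedelta(days=warn_days) >= renew_after:
        return "RENEW_SOON"
    return "OK"


def report(inventory: dict, now: datetime, **kwargs) -> list:
    """(host, status, days to expiry) for every entry, most urgent first."""
    rows = []
    for host, cert in inventory.items():
        days_left = (_cert_time(cert["notAfter"]) - now).days
        rows.append((host, classify(cert, now, **kwargs), days_left))
    return sorted(rows, key=lambda r: r[2])


# Constructed sample inventory (hostnames and dates are made up).
SAMPLE_INVENTORY = {
    "www.example.com":    {"notBefore": "Mar  1 00:00:00 2026 GMT", "notAfter": "Sep 17 00:00:00 2026 GMT"},  # 200-day cert
    "shop.example.com":   {"notBefore": "Feb  1 00:00:00 2026 GMT", "notAfter": "May  2 00:00:00 2026 GMT"},  # 90-day cert
    "api.example.com":    {"notBefore": "Feb 20 00:00:00 2026 GMT", "notAfter": "Apr  8 00:00:00 2026 GMT"},  # 47-day cert
    "legacy.example.com": {"notBefore": "Feb 25 00:00:00 2025 GMT", "notAfter": "Mar 30 00:00:00 2026 GMT"},  # 398-day cert
}
SAMPLE_NOW = datetime(2026, 4, 1, tzinfo=timezone.utc)  # fixed clock so the run is reproducible

if __name__ == "__main__":
    for host, status, days in report(SAMPLE_INVENTORY, SAMPLE_NOW):
        print(f"{status:<10} {days:>4} days  {host}")
```

Note that the renewal point is expressed as a fraction of the certificate's own lifetime rather than a fixed number of days: a 30-day warning is generous for a 398-day certificate and useless for a 47-day one, which is why a fixed-days alert is the first thing that breaks as lifecycles shorten.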

A practical next step  

The shift to shorter certificate lifecycles is already underway and the 47-day cap will be here sooner than we think. The conversation has moved beyond whether certificate automation is needed; that is a given, and one of the key drivers behind the CA/Browser Forum’s decision to reduce validity periods. The question now is how to implement it in time, because the window is shortening.
 
The first step towards automation is getting clear visibility of your certificates. Working with CyberArk’s leading technology, we can provide a scan of your public TLS certificates so you know where you stand. Once you know what you have, you can start managing it effectively and then work on automating the certificate management lifecycle.
 
Discover / Manage / Automate. 
 
Using an ROI calculator built from our experiences working with enterprise security teams, we can help you work out the cost of automation vs manual renewal work and build a business case.  
 
For many, the numbers speak for themselves. 
Patrick Maginn
SVP of Delivery, EMEA at ProofID