Market dynamics, certificate lifetimes and domain validation

Organizations must align their processes with this growing market dynamic and remain flexible enough to respond to ongoing changes. The impact extends far beyond certificate inventories. It affects everything from domain validation and issuance to deployment in production environments.

Drivers reshaping the certificate market

Several stakeholders define the current framework for digital certificates, including Google, Apple and the CA/Browser Forum (CA/B). The CA/B Forum develops technical and organizational requirements for certificate authorities (CAs) and publishes them in the form of ballots. These form the basis for issuing publicly trusted certificates and are binding within this ecosystem.
Browser vendors such as Google, Apple and Microsoft implement these rules through their root programs and in some cases supplement them with additional policies of their own. Since these programs determine which certificates are considered trustworthy, their policies have a direct impact on the entire market.

CAs implement these frameworks technically. Individual requirements may be interpreted differently, leading to varying implementations, for example regarding certificate lifetimes. The current market dynamics result from the interaction of these stakeholders. At the same time, individual market participants can accelerate or delay certain changes. For organizations, this creates a situation with limited planning certainty. Adjustments can no longer be implemented solely along long-term roadmaps but must increasingly respond to ongoing changes.

Key changes affecting digital certificates

The current developments affect several layers simultaneously. Certificate lifetimes are being shortened, validation processes are changing and technical usage scenarios are becoming more restricted. These changes are interconnected and directly affect existing infrastructures.

Current changes affecting digital certificates

Certificate lifetimes

  • Reduction from multi-year certificate lifetimes to currently around 200 days
  • Target lifetime of 47 days from March 2029 onward
  • Different implementation approaches among CAs

Domain validation (DV)

  • Significantly shorter validity periods
  • Target validity of 10 days from March 2029 onward
  • Validation becomes closely tied to every certificate request

Automation

  • Domain validation is increasingly integrated into technical certificate management and CLM processes
  • Protocols such as ACME combine validation and issuance
  • Manual procedures become difficult to scale with shorter intervals

Technical changes

  • Separation of server and client certificates (EKU)
  • Existing architectures require adjustment

Market dynamics

  • Changes are introduced in shorter cycles
  • Deadlines may be adjusted or postponed
  • Implementation varies between certificate authorities

Shorter certificate lifetimes

The lifetime of publicly trusted TLS certificates has been reduced step by step. Multi-year certificates were followed by a limitation to 398 days. Current developments are driving further reductions, with lifetimes now moving into the range of around 200 days. The target is a validity period of 47 days from March 2029 onward. Implementation details vary depending on the certificate authority. While some providers issue certificates with a lifetime of 200 days, others deliberately limit them to 180 days in order to maintain additional technical buffers. This approach is intended to ensure that certificates are renewed within the permitted limits.

Beyond the validity period itself, other formal deviations from the requirements can also render an issued certificate non-compliant and force its revocation. Meeting these requirements is therefore becoming an increasingly precise technical task.

Shortening and automation of domain validation

As certificate lifetimes become shorter, the processes and validity periods associated with domain validation are also changing. While successful validation could previously be reused over longer periods of time, these intervals are now being reduced significantly. The target state is a validity period of 10 days from March 2029 onward. Domain validation is therefore evolving into a recurring process closely tied to each certificate request. In practice, this means that a renewed validation check may become necessary whenever a certificate is requested.

Domain validation is also becoming increasingly integrated into technical certificate management and CLM processes. Certificate authorities are adapting their procedures as well, for example through sequential certificate issuance with continuously renewed validation. In addition, the requirements for validation processes themselves are increasing. Validation procedures are becoming more precise and more formalized. Unclear evidence or implementation errors may result in certificates not being issued or being revoked retrospectively.

End of dual EKU usage

Another technical change affects the use of certificates through Extended Key Usage (EKU). Until now, it was possible to use a single certificate both for server authentication and for client authentication (Mutual TLS / mTLS). This dual usage is now being phased out. The transition will begin in spring 2026.

In the future, usage purposes will be separated. As a result, the number of deployed certificates will increase, along with the effort required for administration, provisioning and coordination across systems and teams.
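An inventory check covering both changes described above (the 398/200/47-day lifetime caps and the dual serverAuth/clientAuth EKU that is being phased out). This is an added example, not code from the article or from essendi; it assumes the `cryptography` package is installed, and the self-signed certificate it builds is constructed for the demo only.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# Lifetime limits named in the article, in days (47 is the March 2029 target).
LIFETIME_CAPS = {"legacy": 398, "current": 200, "target_2029": 47}

def _utc(cert: x509.Certificate, attr: str) -> datetime:
    """Read notBefore/notAfter as aware UTC across cryptography versions."""
    aware = getattr(cert, attr + "_utc", None)
    return aware if aware else getattr(cert, attr).replace(tzinfo=timezone.utc)

def lifetime_days(cert: x509.Certificate) -> int:
    """Validity period (notAfter minus notBefore) in whole days."""
    return (_utc(cert, "not_valid_after") - _utc(cert, "not_valid_before")).days

def has_dual_eku(cert: x509.Certificate) -> bool:
    """True if the certificate asserts both serverAuth and clientAuth EKUs."""
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return False
    return ExtendedKeyUsageOID.SERVER_AUTH in eku and ExtendedKeyUsageOID.CLIENT_AUTH in eku

def assess(cert: x509.Certificate) -> dict:
    """Flag an inventory entry that exceeds a cap or will need splitting by EKU."""
    days = lifetime_days(cert)
    return {
        "lifetime_days": days,
        "over_current_cap": days > LIFETIME_CAPS["current"],
        "over_target_cap": days > LIFETIME_CAPS["target_2029"],
        "needs_eku_split": has_dual_eku(cert),
    }

def make_test_cert(days: int, server: bool, client: bool) -> x509.Certificate:
    """Constructed self-signed certificate for the demo; not a CA-issued one."""
    ekus = ([ExtendedKeyUsageOID.SERVER_AUTH] if server else []) + \
           ([ExtendedKeyUsageOID.CLIENT_AUTH] if client else [])
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "inventory.test")])
    start = datetime(2026, 1, 1, tzinfo=timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(start).not_valid_after(start + timedelta(days=days))
            .add_extension(x509.ExtendedKeyUsage(ekus), critical=False)
            .sign(key, hashes.SHA256()))

if __name__ == "__main__":
    print(assess(make_test_cert(398, server=True, client=True)))
```

Run over an existing inventory by replacing the constructed certificate with `x509.load_pem_x509_certificate(...)` on each stored PEM.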

Causes of increasing market dynamics

The current market dynamics are driven by several developments. Increasing security requirements for digital trust infrastructures are leading to shorter certificate lifetimes and more frequent validations. Certificates are now used in significantly more contexts, including APIs and service-based communication. The impact of faulty or compromised certificates is therefore much broader.

Shorter lifetimes reduce the time windows during which such risks exist. At the same time, automated procedures make it technically feasible to operate with these shorter intervals. The combination of growing security requirements and technical feasibility is leading to faster and more frequent market adjustments.

Operational impact

Shorter certificate lifetimes and more frequent domain validations significantly increase operational effort. At the same time, the requirements for precision and coordination continue to grow.

This results in several new operational realities:

  • Higher frequency of certificate issuance and renewal
  • Increasing coordination effort between server operations, networking and security teams
  • Stricter compliance requirements regarding formal rules and certificate lifetimes
  • Need for consistent and traceable processes across system boundaries

Large-scale certificate replacements under time pressure

In recent months, there have been several cases in which CAs had to revoke already issued certificates at short notice. The causes included formal deviations or implementation errors identified retrospectively.

In such situations, certificate holders face an immediate need for action. Many policies and contractual terms contain corresponding short-notice response requirements, even if these obligations are not always immediately visible. As a result, affected assets must be identified, replaced and updated across production environments within a very short timeframe. Organizations therefore require processes that enable such scenarios to be handled quickly, in a structured manner and with a high degree of automation.

How certificate authorities are responding

CAs are adapting their processes to meet the changing requirements. Automated interfaces and protocols enable the integration of validation, issuance and provisioning. Certificates are often still sold under annual contractual terms, even though the validity periods of the individual issued instances are significantly shorter. Over the contract period, the certificate is therefore re-issued multiple times so that each instance stays within the shortened lifetime.

The separation of technical lifetime and contractual model simplifies existing billing and operational processes. For organizations, however, this means that certificate processes must be managed independently of contractual terms.

Key action areas

Existing processes must be adapted to the changing framework conditions. Important steps include:

Current developments are published, among others, by the CA/Browser Forum as well as browser vendors such as Google and Apple. Specialist portals and industry publications such as the essendi it magazine provide additional analysis and context.

Our contribution to implementation

These requirements can only be addressed through consistent management of certificate processes.
With essendi cd, deployed certificates can be centrally inventoried and transparently documented. Building on this foundation, essendi xc supports the management and automation of certificate processes throughout the entire lifecycle.
Interfaces allow existing systems to be connected and processes to be automated. Validation, issuance and deployment are technically linked and operationally implemented.
