
Shorter Certificate Lifetimes: Implications for CLM
As certificate lifetimes keep getting shorter, essendi xc is for organizations what a robot vacuum is for a household: it works in the background, keeps digital certificates in order, and prevents disorder from arising in the first place.
Certificates as temporary anchors of trust
Digital certificates are a core component of modern public key infrastructures (PKI). They bind a cryptographic public key to a verified identity and enable trusted TLS encryption. Web servers, APIs, container platforms, and internal services rely on TLS certificates as trust anchors within the chain of trust.
Each certificate has a limited validity period. Once it expires, clients no longer accept it. To avoid outages, administrators must renew certificates in time so that connections continue to be treated as secure. Certificate validity is a central element of the certificate lifecycle, which covers the issuance, use, monitoring, and renewal of TLS certificates.
The maximum validity period of digital certificates has been reduced several times in recent years. Until September 2020, the limit was 825 days. It was then reduced to 398 days. Since March 15, 2026, the maximum certificate validity period has been 200 days. This change has a direct impact on how certificates are managed in many IT environments.
The New Lifetime Roadmap of the CA/Browser Forum (CA/B Forum)
Date | Maximum Lifetime
until March 14, 2026 | 398 days
from March 15, 2026 | 200 days
from March 15, 2027 | 100 days
from March 15, 2029 | 47 days
At the same time, the period during which domain validation can be reused is being shortened. After successful validation, a Certification Authority only recognizes control over a domain for a limited time. As a result, new certificates require more frequent domain validation. This increases the number of required validation processes.
The reduction to 47 days ultimately leads to an almost monthly renewal cycle.

Short lifetimes limit the period during which a compromised certificate can be misused. Even if such a compromise goes undetected, the certificate automatically expires after a short time. A new certificate replaces the previous cryptographic identity.
Short lifetimes also support cryptographic agility. New algorithms and key lengths can be introduced more quickly. This turns the certificate lifecycle into an active part of the security architecture.
How Renewal Frequency Changes
Lifetime | Renewals per Year
398 days | approx. 1
200 days | approx. 2
100 days | approx. 3 to 4
47 days | approx. 8
This development significantly increases administrative effort. An infrastructure with 1,000 certificates generates around 1,000 processes per year with a lifetime of 398 days. At 100 days, this number rises to around 3,500. At 47 days, approximately 8,000 certificate renewals occur each year.
The certificate lifecycle thus becomes an ongoing process that must be monitored and managed at all times. Manual approaches quickly reach their limits.
Limits of Manual Certificate Management
Many organizations still manage TLS certificates manually. Certificates are requested, validated, and then installed.
A typical process includes:
- Generating a key pair
- Requesting a certificate
- Domain validation
- Issuance by a Certification Authority
- Installation on servers or gateways
- Monitoring validity
- Renewing certificates
Shorter lifetimes significantly increase the number of these processes and the associated operational effort.
Manual approaches often lead to issues such as:
- Incomplete documentation
- Incorrect certificate chains
- Unmanaged systems
- Expired certificates on web servers
If a web server certificate expires, browsers immediately display a security warning. Services become unavailable. Administrators must renew expired certificates before operations can be restored.
Certificate Lifecycle as an Infrastructure Process
With shorter lifetimes, certificate management (certificate lifecycle management) changes fundamentally. The processes described above occur at shorter intervals and affect many systems simultaneously. In large environments, this involves thousands of certificates. Issuance, validation, installation, and renewal take place continuously and in parallel. This creates an ongoing operational process. The certificate lifecycle becomes part of the infrastructure.
At the same time, full visibility of all certificates becomes critical. In many environments, certificates exist that are not centrally recorded. These so-called shadow certificates escape monitoring. They may originate from IoT or OT devices with pre-installed certificates that are integrated into the infrastructure without central tracking.
Short lifetimes cause these shadow certificates to expire sooner, which can lead to disruptions. At that point, they become visible and should be integrated into a central certificate management system.
Automation as a Prerequisite for Short Lifetimes
The increasing number of processes makes automation essential.
A widely used approach is the ACME protocol (Automatic Certificate Management Environment). It allows systems to automatically request, validate, and install certificates.
A typical automated process includes:
- Monitoring certificate lifetimes
- Generating new keys
- Domain validation
- Issuing a new certificate
- Automatic installation
Automated systems typically renew a certificate well before it expires, so that a failed renewal attempt can be retried while the old certificate is still valid. This helps maintain stable operations.
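As an added example, not code from essendi or from this article, the following Python script combines two of the points above: the renewal-frequency arithmetic behind the "How Renewal Frequency Changes" table and the "Monitoring certificate lifetimes" step of an automated process. The lifetime values come from the article's roadmap table; the hostnames under .example.test, the issue dates, and the renewal point at 2/3 of the lifetime are constructed assumptions. It goes slightly beyond the table by showing how renewing before expiry, as automated clients do, raises the number of renewals per year above the "renew at expiry" approximation.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Maximum lifetimes from the CA/B Forum roadmap quoted in the article.
LIFETIME_ROADMAP_DAYS = {
    "until 2026-03-14": 398,
    "from 2026-03-15": 200,
    "from 2027-03-15": 100,
    "from 2029-03-15": 47,
}


def renewals_per_year(lifetime_days: int, renew_at_fraction: float = 1.0) -> float:
    """Expected renewals per year for a single certificate.

    renew_at_fraction=1.0 renews exactly at expiry and reproduces the
    article's table. Automated clients renew earlier (2/3 of the lifetime
    is an assumed default here), which raises the count accordingly.
    """
    if lifetime_days <= 0 or not 0 < renew_at_fraction <= 1:
        raise ValueError("lifetime must be positive, renew_at_fraction in (0, 1]")
    return 365 / (lifetime_days * renew_at_fraction)


def fleet_renewals_per_year(cert_count: int, lifetime_days: int,
                            renew_at_fraction: float = 1.0) -> int:
    """Renewal operations per year for a fleet of cert_count certificates."""
    return round(cert_count * renewals_per_year(lifetime_days, renew_at_fraction))


@dataclass(frozen=True)
class CertRecord:
    """Minimal inventory record: the fields a CLM tool needs for lifetime monitoring."""
    subject: str
    not_before: datetime
    not_after: datetime

    @property
    def lifetime(self) -> timedelta:
        return self.not_after - self.not_before


def classify(cert: CertRecord, now: datetime, renew_at_fraction: float = 2 / 3) -> str:
    """Return 'expired', 'renew_now' (past the renewal point) or 'ok'."""
    if now >= cert.not_after:
        return "expired"
    renew_point = cert.not_before + cert.lifetime * renew_at_fraction
    return "renew_now" if now >= renew_point else "ok"


def renewal_report(inventory, now, renew_at_fraction=2 / 3):
    """Group an inventory by renewal state; this is the monitoring step of the loop."""
    report = {"expired": [], "renew_now": [], "ok": []}
    for cert in inventory:
        report[classify(cert, now, renew_at_fraction)].append(cert.subject)
    return report


def sample_inventory():
    """Constructed sample data (hypothetical hosts, not from the article)."""
    def rec(subject, issued, days):
        start = datetime.fromisoformat(issued).replace(tzinfo=timezone.utc)
        return CertRecord(subject, start, start + timedelta(days=days))
    return [
        rec("web.example.test", "2026-03-15", 200),          # fresh 200-day certificate
        rec("api.example.test", "2025-03-10", 398),          # 398-day certificate, almost expired
        rec("legacy-iot.example.test", "2024-01-01", 825),   # shadow certificate from the 825-day era
    ]


# Constructed reference time for the sample run.
SAMPLE_NOW = datetime(2026, 4, 10, tzinfo=timezone.utc)


def sample_report():
    return renewal_report(sample_inventory(), SAMPLE_NOW)


if __name__ == "__main__":
    for label, days in LIFETIME_ROADMAP_DAYS.items():
        print(f"{label}: {days} days -> {renewals_per_year(days):.1f}/year at expiry, "
              f"{renewals_per_year(days, 2 / 3):.1f}/year when renewing at 2/3 of the lifetime")
    print(sample_report())
```

Running the script prints the per-lifetime renewal rates and a report in which the legacy IoT certificate shows up only once it has already expired, which is exactly how shadow certificates tend to surface; a central inventory that feeds records like these into the monitoring loop lets the 47-day cycle be handled before that point.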
Automation reduces human error, relieves administrators, and stabilizes operations. It also reduces the manual effort required for recurring tasks that would otherwise tie up highly skilled IT resources and generate costs. This creates capacity for more complex tasks. An investment in certificate management pays off within a short period of time.
Further background on automation in certificate management can be found in the article Certificate Management: Secure, Efficient and Compliant.
The Role of Central Certificate Solutions
In addition to automation, centralized control is becoming increasingly important.
In modern IT environments, certificates are used in many areas:
- Web servers
- Container platforms
- APIs
- Cloud systems
- IoT devices
Central certificate management provides visibility of all certificates and monitors their validity from a single point.
For these tasks, essendi it offers a platform for managing cryptographic identities and certificates with its essendi crypto solutions.
The platform supports inventory, lifecycle management, and automation of certificates.
This includes:
- essendi cd for inventory of all certificates in the infrastructure
- essendi xc for automation of certificate processes
- essendi pki for building and operating a public key infrastructure
- essendi da for the automated distribution of certificates to IoT/OT devices and applications
Except for essendi da, these components can be used independently. Combined, they form a platform for fully automated management of digital certificates.
For more information see https://www.essendi.de/cs-crypto-solutions/