A major shift is coming to the SSL/TLS certificates that authenticate and encrypt nearly every connection inside a modern enterprise. Over the next four years, a new industry standard will shorten certificate lifespans dramatically—ultimately requiring all public certificates to be reissued every 47 days by 15 March 2029.
This process is not a minor compliance adjustment. It will fundamentally change how organizations manage digital trust, secure distributed systems and maintain operational stability. For technology leaders overseeing DevOps, platform engineering and security teams, this marks an urgent need to rethink certificate management before it becomes an unmanageable operational burden.
Beginning in 2026, certificate validity periods will shrink in three major steps:
This approach reduces the window for rotation by more than two-thirds. A task that previously occurred once per year will soon need to happen every month and a half—turning certificate management into a continuous operational cycle.
Most organizations already struggle with this work. The average enterprise manages more than 23,000 certificates spread across domains, microservices, cloud platforms, load balancers, API layers and machine identities. Ownership is often unclear and tracking inconsistent. Despite best efforts, up to 25% of certificates are expired at any time.
As past incidents at Microsoft, Cisco, Equifax and multiple government agencies have shown, a single expired certificate can instantly break critical systems. Now imagine the same complexity compressed into a 47-day rotation window.
Many organizations still rely on spreadsheets, scattered email reminders, manual cloud or Kubernetes queries, and hand-executed service restarts to track and rotate certificates. These approaches were fragile even under the 13-month model; under a 47-day rule, they simply won’t scale.
Rotation quickly becomes an endless loop of manual work: reissuing certificates, updating services, triggering reloads, validating changes and documenting everything for compliance. DevOps and platform teams face constant operational interruptions, more opportunities for human error, higher risk of outages and an ever-expanding volume of coordination work across application, security and infrastructure teams. Manual processes will fail long before the final 47-day requirement takes effect.
This is why the shift is far more than a public key infrastructure (PKI) update. It’s a direct threat to operational resilience, service reliability and the trust customers place in digital services.
Shrinking certificate lifespans impact every corner of the enterprise: customer-facing websites, internal corporate systems, microservices traffic, API gateways, cloud workloads and machine identity frameworks. As environments continue to grow more distributed and cloud-native, the number of certificates increases along with the blast radius of a single failure.
Technology leaders must recognize that the new rules will intensify several existing pressures, including higher expectations for uptime, greater scrutiny on security posture, more frequent audits and tighter regulatory obligations. The 47-day window forces organizations to adopt a continuous operational model for certificate management, one that manual processes cannot support.
Preparing early is essential to avoiding service disruptions, maintaining trust and keeping operating costs under control.
Given the scale and frequency of future rotations, the solution must be automated, intelligent and unified across environments. A modern certificate lifecycle capability requires enterprise-wide discovery, real-time monitoring, intelligent risk prioritization and the ability to generate, deploy and rotate certificates automatically—along with complete governance and audit evidence.
Automation is the backbone of resilience. It ensures that certificates never expire unnoticed, removes operational overhead from DevOps teams and maintains security posture without constant manual intervention.
As certificate validity windows shrink, organizations that automate will remain stable and secure. Those that don’t will face more outages, higher operational costs and an increasingly overwhelmed technical workforce.
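The monitoring part of that continuous model can be made concrete. The following Go program is an added example, not code from the article or from the IBM Concert/Vault integration it mentions; using only the standard library, it evaluates a parsed X.509 certificate against the 47-day lifetime, flagging certificates issued with a longer validity and certificates due for rotation. The rotate-at-one-third-remaining threshold and the self-signed test certificates are assumptions for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// MaxLifetime is the 47-day public-certificate lifetime the article describes.
const MaxLifetime = 47 * 24 * time.Hour
// RenewFraction is an assumed rotation threshold (not from the article): rotate
// once less than a third of the lifetime remains, i.e. about every 31 days.
const RenewFraction = 1.0 / 3.0
// CertStatus summarises one certificate against the 47-day policy.
type CertStatus struct {
	Remaining time.Duration // validity left at evaluation time (negative once expired)
	TooLong   bool          // issued with a validity longer than MaxLifetime
	RenewDue  bool          // less than RenewFraction of its lifetime remains
}

// Evaluate checks a parsed certificate's validity window at time now.
func Evaluate(cert *x509.Certificate, now time.Time) CertStatus {
	lifetime := cert.NotAfter.Sub(cert.NotBefore)
	remaining := cert.NotAfter.Sub(now)
	return CertStatus{
		Remaining: remaining,
		TooLong:   lifetime > MaxLifetime,
		RenewDue:  remaining < time.Duration(float64(lifetime)*RenewFraction),
	}
}

// NewTestCert builds a constructed self-signed certificate so the check runs
// offline; in practice the input comes from discovery of live endpoints.
func NewTestCert(cn string, notBefore time.Time, validFor time.Duration) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	notBefore = notBefore.UTC().Truncate(time.Second) // X.509 times have 1 s resolution
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notBefore.Add(validFor)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Feeding the same Evaluate function with certificates pulled from a TLS handshake (tls.ConnectionState.PeerCertificates) turns it into the inventory check the article calls for.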
The industry is moving toward shorter certificate lifetimes because it strengthens overall security, but the operational cost of that shift now falls on technology and engineering teams. Organizations that modernize their certificate lifecycle management will improve resilience, reduce incidents and meet compliance expectations with confidence. Those organizations that continue relying on manual practices will struggle to keep up as rotations become a constant requirement.
This is a pivotal moment to rethink certificate operations before the new rule becomes mandatory.
Solutions that combine automated discovery, monitoring, AI-driven risk scoring, dynamic certificate generation, seamless rotation and strong governance (such as modern integrations between IBM Concert® and HashiCorp® Vault®) provide the blueprint for how organizations can adapt. They represent the future of certificate lifecycle management: automated, intelligent and built for the scale and speed of today’s digital enterprises.