2027 is the deadline you need to prepare for today!

A lot of security teams are aware that certificate lifetimes are getting shorter. Fewer are actually prepared for what that means operationally.

The CA/Browser Forum approved a phased reduction in public TLS certificate validity periods in April 2025. From March 2026, the maximum lifetime dropped to 200 days. From March 2027, it drops again to 100 days. And by March 2029, certificates will max out at 47 days.

That last number gets most of the attention (rightfully so). But the 100-day milestone in 2027 is the one that needs the focus now, because manual certificate management becomes unsustainable at that point. Failing to respond to this phase-down means risking missed renewals and catastrophic outages, risks that are completely avoidable through automation.

We have a great team versed in working with organisations on their domain and certificate infrastructure. The risk is known. The urgency hasn’t landed yet.

Consider the baseline data we are starting from. An overwhelming 81% of organizations experienced a certificate outage last year. When a critical system crashes, it costs an average of $6,000 to $9,000 per minute, scaling up to $15 million per incident. We have watched tech giants like SpaceX Starlink suffer global blackouts and Microsoft Teams drive users to competitors over a single forgotten certificate.

What changes with shorter lifetimes isn’t just the workload. It’s the margin for error. We are shifting from a slow-moving, steady state of yearly renewals to a fast-paced cycle of perpetual change and monthly updates. Human scale simply cannot keep up.

And there is a hidden bottleneck most teams are overlooking. Domain Control Validation (DCV) reuse periods are shrinking at the exact same time. Historically, once you validated domain ownership, that check was good for over a year. But the CA/Browser Forum is phasing that reuse window down, eventually to just 10 days by 2029. This means you won’t just be renewing certificates more often. You will be forced to re-prove ownership nearly every single time you do.

To survive a 10-day reuse window, organizations will have to automate DCV through their DNS. This shifts the burden from the security team to your domain infrastructure. The good news is that most enterprise DNS providers already support this type of automation via APIs. The challenge is actually setting up those integrations so your certificate management tools can programmatically update DNS records in real time.
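The DNS-based validation described above, as an added example that is not from the original post: the ACME client derives the `_acme-challenge` TXT value from the challenge token and its account key (RFC 8555 sections 8.1 and 8.4, with the JWK thumbprint from RFC 7638), publishes it through a DNS API, and the CA recomputes the same value and looks for it in the zone. The `InMemoryDnsApi` class, the account JWK and the token are constructed stand-ins; a real provider integration replaces only the three DNS methods, the record itself is the same for every provider.

```python
import base64
import hashlib
import json

# Constructed inputs (not real credentials): an ACME account key in JWK form and a
# challenge token as a CA would issue it. Real JWK members are base64url-encoded
# field elements; these placeholders only feed the thumbprint computation.
ACCOUNT_JWK = {
    "kty": "EC", "crv": "P-256",
    "x": "constructed-x-coordinate-placeholder",
    "y": "constructed-y-coordinate-placeholder",
    "kid": "https://acme.example/acct/1",  # extra members are ignored by RFC 7638
}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed, ACME-style token


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over only the required members, keys in lexicographic order, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_record(identifier: str, token: str, account_jwk: dict) -> tuple[str, str]:
    """Record name and TXT value the client must publish for `identifier`.
    RFC 8555 s8.1: keyAuthorization = token || '.' || thumbprint(accountKey)
    RFC 8555 s8.4: TXT value = base64url(SHA-256(keyAuthorization)) at
    _acme-challenge.<identifier>; for a wildcard the leading '*.' label is dropped."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    value = b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())
    return f"_acme-challenge.{identifier.removeprefix('*.')}", value


class InMemoryDnsApi:
    """Hypothetical stand-in for a DNS provider's API. Real providers differ in
    authentication and call shape, not in the record that has to appear."""

    def __init__(self) -> None:
        self.zone: dict[str, set[str]] = {}

    def upsert_txt(self, name: str, value: str) -> None:
        # Add to the RRset rather than overwrite: several in-flight validations for
        # the same name (a SAN certificate plus its wildcard, say) must coexist.
        self.zone.setdefault(name, set()).add(value)

    def delete_txt(self, name: str, value: str) -> None:
        self.zone.get(name, set()).discard(value)

    def query_txt(self, name: str) -> set[str]:
        return set(self.zone.get(name, ()))


def ca_validates(dns: InMemoryDnsApi, identifier: str, token: str, account_jwk: dict) -> bool:
    """The CA side: recompute the expected value and look for it in the TXT RRset."""
    name, expected = dns01_record(identifier, token, account_jwk)
    return expected in dns.query_txt(name)


def run_dns01(dns: InMemoryDnsApi, identifier: str, token: str, account_jwk: dict) -> bool:
    """Full cycle: publish, let the CA check, then clean up so stale values do not pile up."""
    name, value = dns01_record(identifier, token, account_jwk)
    dns.upsert_txt(name, value)
    try:
        return ca_validates(dns, identifier, token, account_jwk)
    finally:
        dns.delete_txt(name, value)


if __name__ == "__main__":
    api = InMemoryDnsApi()
    name, value = dns01_record("*.example.com", TOKEN, ACCOUNT_JWK)
    print(f"publish TXT {name} = {value}")
    print("validated:", run_dns01(api, "*.example.com", TOKEN, ACCOUNT_JWK))
```

Because the value is bound to both the one-time token and the account key, a record left over from an earlier validation is useless to anyone else, and the `try`/`finally` cleanup keeps the RRset from growing with every renewal; with a 10-day reuse window that cycle runs for every issuance, so the publish and delete calls are the two API operations worth automating first.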

There are five things every organisation should be working through right now. Start with a full discovery of every certificate you own: you can’t manage what you can’t see. Then map which systems and technologies depend on those certificates, so you know where a missed renewal actually hurts. Check which of those systems support ACME; that’s where automation is both most critical and most straightforward. Build a rollout plan with clear ownership, timelines and priorities before the next deadline forces your hand.

Finally, look at this automation as your foundation for post-quantum readiness. Implementing a centralized Certificate Lifecycle Management platform does more than solve today’s short-lifespan headache. It delivers cryptographic agility. When current encryption algorithms must inevitably be swapped for quantum-resistant alternatives, automation lets you rotate certificates across your entire infrastructure quickly, avoiding a multi-year migration crisis.
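The five steps above turned into a small planning tool, as an added example that is not from the original post: it encodes the phase-down schedule the text describes, flags certificates whose lifetime exceeds the cap in force on their issue date, computes a renew-by date that leaves room for a failed attempt, checks whether an earlier domain-control validation can still be reused, and quantifies the renewal workload an inventory generates under each phase. The `Cert` records, `SAMPLE_INVENTORY` and `plan()` are constructed for the example; the 15th-of-March effective dates, the 398-day figures in force before the first phase, and the 200- and 100-day intermediate DCV reuse values are assumptions (the text gives only the 10-day endpoint) and are marked as such in the code.

```python
import math
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Schedule from the text: 200 days from March 2026, 100 from March 2027, 47 from
# March 2029, with DCV reuse ending at 10 days. Assumed here: the 15th as the day of
# month, 398 days for both caps before the first phase, and 200/100-day reuse
# windows for the first two phases.
PHASES = [  # (effective from, max certificate validity in days, max DCV reuse in days)
    (date(2026, 3, 15), 200, 200),
    (date(2027, 3, 15), 100, 100),
    (date(2029, 3, 15), 47, 10),
]
PRE_PHASE_CAPS = (398, 398)  # assumption, see above


def caps_on(day: date) -> tuple[int, int]:
    """(max validity, max DCV reuse) in days for a certificate issued on `day`."""
    caps = PRE_PHASE_CAPS
    for start, validity, reuse in PHASES:
        if day >= start:
            caps = (validity, reuse)
    return caps


@dataclass
class Cert:
    name: str            # where the certificate is deployed (constructed names below)
    not_before: date
    not_after: date
    acme_capable: bool   # can the endpoint renew via ACME, or is someone doing it by hand?

    @property
    def lifetime_days(self) -> int:
        return (self.not_after - self.not_before).days


def compliance_issue(cert: Cert) -> Optional[str]:
    """A lifetime longer than the cap in force on the issue date: a public CA should not issue it."""
    validity, _ = caps_on(cert.not_before)
    if cert.lifetime_days > validity:
        return (f"{cert.name}: {cert.lifetime_days}-day lifetime exceeds the "
                f"{validity}-day cap in force on {cert.not_before}")
    return None


def renewal_interval_days(cap_days: int, margin: float = 1 / 3) -> int:
    """Renew with a third of the lifetime still left (common ACME client practice),
    so a failed attempt leaves time to retry or intervene before expiry."""
    return cap_days - round(cap_days * margin)


def renew_by(cert: Cert, margin: float = 1 / 3) -> date:
    """Latest date to start renewing an existing certificate."""
    return cert.not_before + timedelta(days=renewal_interval_days(cert.lifetime_days, margin))


def renewals_per_year(n_certs: int, on: date, margin: float = 1 / 3) -> int:
    """Renewal events per year for `n_certs` certificates issued at the cap in force on `on`."""
    validity, _ = caps_on(on)
    return math.ceil(n_certs * 365 / renewal_interval_days(validity, margin))


def must_revalidate(last_dcv: date, issuing_on: date) -> bool:
    """True when a previous domain-control validation is too old to reuse for this issuance."""
    _, reuse = caps_on(issuing_on)
    return (issuing_on - last_dcv).days > reuse


def plan(inventory: list[Cert], margin: float = 1 / 3) -> list[dict]:
    """Work queue ordered by urgency; manual (non-ACME) endpoints are where a missed renewal hurts."""
    rows = [{"name": c.name, "renew_by": renew_by(c, margin),
             "manual": not c.acme_capable, "issue": compliance_issue(c)} for c in inventory]
    return sorted(rows, key=lambda r: (r["renew_by"], not r["manual"]))


SAMPLE_INVENTORY = [  # constructed: one non-compliant manual appliance, two ACME-capable hosts
    Cert("legacy-appliance.internal", date(2027, 4, 1), date(2027, 10, 1), acme_capable=False),
    Cert("api.example.com", date(2027, 4, 1), date(2027, 7, 1), acme_capable=True),
    Cert("www.example.com", date(2026, 1, 10), date(2027, 1, 10), acme_capable=True),
]

if __name__ == "__main__":
    for row in plan(SAMPLE_INVENTORY):
        print(row)
    for year in (2025, 2027, 2029):
        print(year, "renewals/year for 1000 certs:", renewals_per_year(1000, date(year, 6, 1)))
```

Run with a real inventory the numbers do the arguing: 1,000 certificates renewed with a one-third margin come to roughly 1,400 renewal events a year today, about 5,400 under the 100-day cap and close to 12,000 under the 47-day cap, each of them needing a fresh domain-control validation once the 10-day reuse window applies.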