9 June, 2026
May 18, 2026
The era of the “set it and forget it” SSL certificate is over, and the deadline isn’t coming. It’s already here.
As of March 15, 2026, the CA/Browser Forum’s Ballot SC-081v3 took effect. Maximum TLS certificate validity dropped from 398 days to 200 days. If you renewed a certificate this week, it will expire in under 7 months.
And this is only the beginning. TeraSky has been helping organizations prepare for the future by automating PKI with HashiCorp Vault.
If you’re still managing certificates manually, here’s exactly what you’re facing.
The Mandatory Timeline You Need to Know
The CA/Browser Forum, the governing body of Certificate Authorities and browser vendors, including Apple, Google, and Mozilla, passed a unanimous, binding vote establishing this phased schedule:
March 15, 2026: maximum validity drops from 398 days to 200 days (already in effect)
March 2027: maximum validity drops to 100 days
2029: maximum validity drops to 47 days
This is not a recommendation. It is not a best practice. It is a mandatory industry standard enforced at the browser level.
Non-compliant certificates will be untrusted by Chrome, Safari, and Firefox, meaning your services go dark.
By 2029, your certificates will need to be renewed at least 8 times per year. For every certificate. Across every service, container, API endpoint, and internal system in your environment.
The Math That Should Alarm You
Consider the operational reality. Managing a certificate manually takes roughly four hours end-to-end: discovery, request, validation, deployment, and documentation.
At 398-day lifespans, 1,000 certificates cost your team approximately 4,000 hours per year.
At 47-day lifespans, those same 1,000 certificates require approximately 48,000 hours per year, a twelvefold increase with zero additional infrastructure or staff.
Most enterprises don’t manage 1,000 certificates. They manage tens of thousands of systems across hybrid cloud, containers, and on-premises environments, many of which aren’t tracked in a single place.
The math doesn’t work. It was never going to work.
Why Certificate Lifespans Keep Shrinking
The push toward shorter certificate validity periods is not arbitrary. It reflects a broader shift in how the industry approaches trust, machine identity, and cryptographic risk.
Modern environments now generate massive volumes of machine-to-machine communication across Kubernetes clusters, APIs, microservices, and cloud platforms. At the same time, browser vendors and security bodies are reducing the acceptable window of exposure when certificates or keys are compromised.
The industry is also preparing for a post-quantum future, where cryptographic standards may need to evolve rapidly as quantum computing capabilities advance. That means organizations must become far more agile in issuing, rotating, and managing certificates at scale.
Shorter certificate lifespans are part of that transition. Organizations still relying on manual PKI processes are not just facing operational pain; they are running against the future direction of modern security architecture.
Why Manual Processes Are Already Failing
Even at today’s 200-day validity period, the cracks are already showing. By 2027, they will become structural failures.
Single points of human failure. If certificate renewal depends on a person noticing an expiration date, approving a request, and deploying correctly, your uptime depends on that person not being on vacation, sick, or simply overloaded.
Operational fatigue. Teams managing certificate renewals manually are already experiencing “certificate fatigue” – the volume of tracking, coordinating, and deploying across teams leads directly to missed renewals and inconsistent configurations.
Silent, catastrophic outages. Certificates don’t degrade gracefully. There is no warning. An expired certificate means an API call fails, a customer-facing service goes dark, or internal systems stop communicating, instantly, without notice, often at 2 a.m.
The 2027 cliff. When 100-day validity takes effect next year, organizations that haven’t automated will face a renewal backlog that compounds daily. There will still be time to transition, but almost no margin for error.
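As an added example, not code from the original post, here is the kind of check that replaces "someone noticing": it turns a certificate's notAfter into a three-way decision (expired, renew, ok) using a renewal window of one third of the certificate's validity period, so that at 47-day lifetimes a renewal is triggered with 15 days left rather than on the night the certificate expires. The one-third window is an assumed policy, the timestamps used in the test are constructed, and the PEM wrapper assumes GNU date and openssl are available.

```shell
#!/usr/bin/env sh
# Added example, not code from the original post: an expiry check that
# replaces "someone noticing" with a threshold. Assumptions: the renewal
# window is one third of the validity period; the PEM wrapper needs
# GNU date (-d) and openssl, and only runs when a file path is passed in.

# Whole days from now (epoch seconds) until not_after (epoch seconds).
days_remaining() {                       # now not_after
  echo $(( ($2 - $1) / 86400 ))
}

# Renewal window in days: a third of the validity period, so a 47-day
# certificate is flagged with 15 days left, a 200-day one with 66.
renew_threshold_days() {                 # validity_days
  echo $(( $1 / 3 ))
}

# Classify a certificate as "expired", "renew" or "ok".
# Expiry is tested on seconds, because integer division would turn
# "expired an hour ago" into 0 days remaining and misreport it as "renew".
cert_status() {                          # now not_after validity_days
  if [ "$2" -le "$1" ]; then
    echo expired
    return 0
  fi
  left=$(days_remaining "$1" "$2")
  if [ "$left" -le "$(renew_threshold_days "$3")" ]; then
    echo renew
  else
    echo ok
  fi
}

# Apply the check to a PEM certificate on disk: read notBefore/notAfter
# with openssl, derive the validity period from them, print the decision.
check_pem() {                            # path
  nb=$(date -u -d "$(openssl x509 -noout -startdate -in "$1" | cut -d= -f2)" +%s)
  na=$(date -u -d "$(openssl x509 -noout -enddate   -in "$1" | cut -d= -f2)" +%s)
  now=$(date -u +%s)
  validity=$(( (na - nb) / 86400 ))
  printf '%s: %s days left of %s -> %s\n' "$1" \
    "$(days_remaining "$now" "$na")" "$validity" "$(cert_status "$now" "$na" "$validity")"
}

# Usage: sh cert-check.sh /path/to/cert.pem
if [ -n "${1:-}" ]; then
  check_pem "$1"
fi
```

Run from cron or a monitoring agent, the "renew" result is what should trigger the automated renewal; the "expired" result should never be reached, and seeing it is the signal that automation, not a person, failed.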
The Only Viable Answer: Treat PKI as Infrastructure
The organizations that will navigate this well have already stopped treating certificates as a task and started treating them as code.
The shift is not cosmetic – it changes the fundamental operating model:
Manual PKI                               | Automated PKI (HashiCorp Vault)
Reactive: fix it when it breaks          | Proactive: dynamic issuance by policy
Fragmented across teams and methods      | Centralized control across all environments
Human error causes outages               | Machine-to-machine rotation, seamless
Breaks under volume                      | Scales without increasing headcount
With HashiCorp Vault, certificates are issued dynamically when a service needs them, rotated automatically according to policy, and revoked immediately when a service is decommissioned.
Your team stops managing expiration dates and starts managing policy – once.
The operational noise disappears. What replaces it is stability, uniformity, and infrastructure that enforces your security posture without depending on a human to remember.
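As an added example, not code from TeraSky or HashiCorp, the following shell script shows the operating model just described against Vault's PKI secrets engine: a role whose max_ttl is capped by the validity limit in force on the date it is configured, a default ttl short enough that services rotate well inside each certificate's lifetime, issuance on demand, and revocation when the service is decommissioned. The mount path pki, the role name web-service, the domain example.internal, the one-third default TTL and the hour figures (days × 24) are assumptions; the 15 March effective dates for the 2027 and 2029 phases are taken from the ballot, since the page gives only the month and year.

```shell
#!/usr/bin/env sh
# Added example (not TeraSky's or HashiCorp's code): a Vault PKI workflow
# whose role TTLs are capped by the SC-081v3 schedule described above.
# Assumes a reachable Vault (VAULT_ADDR/VAULT_TOKEN set), the `vault` CLI,
# and the assumed names pki, web-service and example.internal.

# Maximum certificate validity, in days, in force on a given date
# (YYYY-MM-DD): 398 before the ballot, then 200, 100 and 47 from the
# 15 March 2026, 2027 and 2029 effective dates.
max_validity_days() {
  n=$(printf '%s' "$1" | tr -d '-')      # 2027-03-14 -> 20270314
  if [ "$n" -lt 20260315 ]; then echo 398
  elif [ "$n" -lt 20270315 ]; then echo 200
  elif [ "$n" -lt 20290315 ]; then echo 100
  else echo 47
  fi
}

# Role max_ttl: the cap expressed in hours, the unit Vault takes.
role_max_ttl_hours() {
  echo $(( $(max_validity_days "$1") * 24 ))
}

# Default issuance TTL (assumed policy): one third of the cap, so a
# service renewing at the default TTL rotates several times per cap.
default_ttl_hours() {
  echo $(( $(max_validity_days "$1") * 24 / 3 ))
}

# Configure the engine and a role bounded by today's cap, then issue and
# revoke one certificate. A production deployment would put the root in
# its own mount and issue from an intermediate; one mount keeps this short.
vault_apply() {
  today=$(date -u +%Y-%m-%d)
  max_ttl="$(role_max_ttl_hours "$today")h"
  ttl="$(default_ttl_hours "$today")h"

  vault secrets enable -path=pki pki
  vault secrets tune -max-lease-ttl=87600h pki
  vault write pki/root/generate/internal \
      common_name="Example Internal Root CA" ttl=87600h

  # The role is where the cap is enforced: Vault refuses any issue
  # request whose TTL exceeds max_ttl, regardless of what the caller asks.
  vault write pki/roles/web-service \
      allowed_domains="example.internal" allow_subdomains=true \
      max_ttl="$max_ttl" ttl="$ttl"

  # Dynamic issuance when a service needs a certificate ...
  serial=$(vault write -field=serial_number pki/issue/web-service \
      common_name="api.example.internal" ttl="$ttl")
  echo "issued serial $serial (ttl $ttl, role cap $max_ttl)"

  # ... and immediate revocation when it is decommissioned.
  vault write pki/revoke serial_number="$serial"
}

# Usage: sh vault-pki.sh apply   (the policy functions work without Vault)
if [ "${1:-}" = "apply" ]; then
  vault_apply
fi
```

The point of deriving max_ttl from the date rather than hard-coding it is that the same script remains correct across the 2027 and 2029 transitions: the role's cap is a policy decision recomputed at apply time, and the services consuming pki/issue never need to know which phase they are in.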
The Window to Act Is Now
The 200-day mandate is live. The 100-day mandate arrives in March 2027. The 47-day mandate lands in 2029.
Each transition further compresses your margin for error.
Organizations that automate now smoothly absorb each deadline. Organizations that wait will face each one as a crisis.
Stop managing certificates.