Technology
Jul 15, 2026
Technology


A new browser industry mandate will force enterprises to renew website security certificates eight times more often than they do today, and the hardest, most manual part of that process just got automated.
[For more news, click here]
by Kasun Illankoon, Editor in Chief at Tech Revolt
By March 2029, the certificate that lets a browser trust a company's website will expire every 47 days, a sharp drop from the 398-day standard that governed the internet for most of the last decade. The change, set by the CA/Browser Forum, the industry body whose rules bind browser makers and certificate authorities alike, is quietly reorganizing how enterprise IT departments operate. What is notable is not the mandate itself but how the vendors racing to keep pace with it are treating a shrinking compliance window as a solvable engineering problem rather than a looming crisis.
Public TLS certificates are the small cryptographic files that confirm a website is who it claims to be, and they have historically lasted long enough that most IT teams treated renewal as an annual chore. That is changing on a fixed schedule. The CA/Browser Forum voted to cut the maximum validity of public certificates from 398 days down to 200 days, a cadence that took effect in March 2026. It will fall again to 100 days in March 2027, and again to 47 days by March 2029. The rationale is straightforward: shorter-lived certificates narrow the window in which a compromised or misconfigured credential can be exploited before it expires on its own, forcing internet infrastructure to refresh its trust more often and reducing the damage any single point of failure can do.
For an organization managing a couple hundred certificates, that shift means going from renewing credentials roughly once a year to doing it more than seven times a year for the same volume of infrastructure, once the 47-day cadence lands in 2029. Multiply that by every domain, subdomain, server, and internal system a modern enterprise runs, and what used to be a predictable, low-frequency maintenance task turns into a constant operational rhythm, one that most IT teams were never staffed or tooled to run manually.
ManageEngine, a division of Zoho Corporation and a longstanding provider of enterprise IT management and security software, has built its response around the part of the certificate lifecycle that automation has traditionally skipped over. The company announced post-deployment automation for TLS certificates in Key Manager Plus, its certificate lifecycle and machine identity management product. Rather than stopping once a new certificate is issued, Key Manager Plus now carries the process through to completion on its own: pushing the certificate to the target server, running whatever scripts a team has configured, restarting the services that depend on it, and notifying the people who need to know it happened.
That last stretch, sometimes called the last mile of certificate renewal, has historically been the part teams handled by hand, because doing so once a year was manageable. Vasudevan Seshadri, director of product management at ManageEngine, described why that assumption breaks down as renewal frequency climbs.
“Certificate renewal is rarely the hard part. The work that piles up on teams is what comes after it, at scale: pushing certificates to the server, restarting the services, and confirming they actually went live. End-to-end automation is what turns a 47-day renewal cycle from a scramble into something that runs on its own. With Key Manager Plus, we are eliminating the last manual step in the life cycle management loop,” said Vasudevan Seshadri, director of product management at ManageEngine.
The scale of the problem is easier to see through a single organization's numbers than through an industry timeline. RevSpring, a healthcare payment and engagement solutions provider based in Nashville, Tennessee, has watched its certificate estate expand rapidly as the shorter validity periods took hold, and as its own infrastructure grew alongside it. Jonathan Choiniere, infrastructure manager at RevSpring, laid out what that growth has meant for his team's day-to-day workload.
“We're going from under 200 certificates to over 2,000, across a lot of domains, different server setups, credentials and post-deployment actions for nearly all of it. We've had to dedicate significant engineering time to certificate management alone since the change to 200 days. With the 47-day certificate renewals coming up, automation is the only way we can keep up, and Key Manager Plus' CA-agnostic, certificate life cycle management has helped us automate the whole thing,” said Jonathan Choiniere, infrastructure manager at RevSpring, a payment solutions provider based in Nashville, Tennessee.
That tenfold jump in certificate volume, paired with a validity period that will eventually be roughly a tenth of what it was a few years ago, is the combination reshaping enterprise IT budgets and headcount decisions across the industry. It also explains why the appeal of the ManageEngine update sits less in the renewal step itself and more in everything that has to happen immediately afterward for a renewal to actually count.
To help organizations gauge their own exposure before the 47-day mandate arrives, ManageEngine has also released a TLS impact calculator built around the 2029 deadline. It asks enterprises to plug in three figures: the size of their certificate estate, the labor currently spent on renewal, and their exposure to outages if a renewal is missed or mishandled. The tool then compares that baseline against what the same organization would look like once its certificate lifecycle runs on full automation, on premises or in the cloud, using the same underlying logic. The comparison is meant to turn an abstract compliance deadline into a concrete staffing and risk conversation that IT leaders can bring to budget owners well before 2029, rather than scrambling once the shorter cycle is already in force.
The pressure building around certificate lifecycles is not confined to North America. ManageEngine operates offices across the UAE and Saudi Arabia, two markets where enterprise IT estates are expanding quickly as government-backed digital infrastructure programs, cloud migrations, and AI deployments multiply the number of domains, applications, and internal services that a single organization has to secure.
Gulf enterprises scaling at that pace are set to encounter the same math RevSpring is already living through: more infrastructure, arriving at the same time as a shrinking certificate validity window, is a combination that rewards automation and penalizes manual process almost immediately. For IT leaders in Riyadh, Dubai, and Abu Dhabi building out sovereign cloud and AI infrastructure, the RevSpring experience offers an early look at what happens when certificate volume and certificate frequency rise together, and a reason to treat automated lifecycle management as infrastructure rather than a later upgrade.
None of this changes the underlying purpose of a TLS certificate, which is still to prove a website is what it claims to be. What has changed is how often that proof has to be renewed, and how much of the process an enterprise can still afford to do by hand. As the industry's clock keeps accelerating toward a 47-day cycle, the organizations moving comfortably through each deadline are the ones that stopped treating certificate renewal as a task and started treating it as a pipeline.
Related Articles