Digital certificates quietly underpin almost everything that matters in modern IT: public websites, internal systems, APIs, and machine-to-machine traffic. For years, many teams treated renewal as a calendar exercise—tolerable when validity stretched beyond a year. That era is ending.

New security expectations are dramatically reducing maximum certificate validity—from periods of 398 days down to as little as 47 days by 2029. The shift is not theoretical: the first major reduction—to 200 days—began in March 2026. Shorter validity does not merely mean “more paperwork.” It means teams will need to renew certificates roughly 8x as often as before. Manual tracking, spreadsheets, and heroic weekend rotations don’t scale to that rhythm; they create drag, inconsistency, and blind spots.

This is not a niche web-server problem. Public-facing services, private infrastructure, APIs, and automated workloads are all in scope. Nearly half of enterprises experienced downtime last year specifically because of manual certificate management errors, which should be a warning that operational fragility has real revenue and reputation cost.

The result of these coming changes is that organizations need to automate certificate management now, not after the first preventable outage. Waiting until renewal volume spikes is how incidents become “normal.”

Red Hat delivers automated certificate management

The answer is not more headcount or tighter spreadsheets. It’s an enterprise-grade certificate management system built for automation. Red Hat Certificate System is an enterprise PKI platform from Red Hat, built on Dogtag PKI with more than 20 years of sustained development. It’s designed for on-premises deployment so you retain and control your own keys with hardware security module (HSM) support.

The core principle is simple and hard to retrofit later: automation is not a bolt-on; it’s foundational. That is what makes Certificate System suited to a world where renewal frequency rises and error tolerance falls.

Here is how the pieces fit together at a high level.

Clients—web servers, IoT devices, workstations, and other endpoints—enroll and renew using standard protocols such as ACME, EST, or CMC. Those requests terminate at the Certificate System certificate authority (CA), which connects to Directory Server for identity and policy glue and to an HSM for key protection where required.

Image 1: One CA infrastructure supports all enrollment protocols


The key architectural takeaway: One CA infrastructure supports all enrollment protocols. You’re not forced to stand up parallel islands of PKI to satisfy different client ecosystems. That consolidation matters when renewal cadence accelerates: fewer moving parts, clearer ownership, and a single place to enforce policy and observability.

With Certificate System, organizations gain built-in digital sovereignty across 3 dimensions:

  • Your infrastructure: Deploy on premises or in your private cloud, without depending on external services you don’t control. For the strictest environments, you can even operate air-gapped.
  • Your keys: Integrate with your HSM. Keys are generated and stored under your control, not exported, and without third-party escrow that would compromise your trust model.
  • Your jurisdiction: Align with the regulations that bind you—whether GDPR, CCPA, HIPAA, or sector-specific rules—while keeping audit logs where you can govern access and retention.

Beyond placement and compliance, Certificate System is built to issue, renew, and revoke the certificates that prove identity for servers, people, and automated devices—continuously, not episodically.

This work also maps to 2 pressing themes in modern security:

  1. Quantum-resistant readiness: Strengthening how digital identities are protected as cryptographic expectations evolve.
  2. Automation at scale: As validity windows compress toward 47 days by 2029, manual renewal across thousands of endpoints shifts from “painful” to infeasible. Red Hat Certificate System 11.0 is positioned as a strategic foundation for automated, security-focused, and modern certificate management—reducing operational complexity before complexity creates incidents.

Are you ready for 47-day renewals?

Certificate validity periods will keep getting shorter. If you want a controlled, enterprise PKI path that matches shorter lifespans and rising automation demands, you need to start planning now. To learn more, please visit our Red Hat Certificate System page.
 


About the author

Jamie is a principal product marketing manager for Red Hat Enterprise Linux. With over 15 years of experience in the enterprise security and IAM software market, he works closely with technical experts to learn the necessary details and nuance in order to explain complex solutions in a way that the average person will understand.
