Author: Jarret Hinrichs, CTO, Guardian Infrastructure Solutions
Manual Management Will Not Keep Up.
There’s a digital credential behind every HTTPS service your organization exposes. It proves the service is who it says it is, encrypts the connection, and allows clients to establish trust.
It also expires.
When that certificate expires, your website doesn’t just go down. Browsers throw up a warning that tells your users the site is not secure. Some browsers block access entirely. Payment systems stop working. And what looks like a hosting or application issue from the outside becomes a trust failure.
These are TLS certificates, still commonly referred to as SSL certificates. As of March 15, 2026, the rules around how long they can remain valid changed.
What Changed and Why It Matters
For years, these certificates could remain valid for over a year. That window just got cut significantly — and it’s going to keep shrinking.
• March 2026: Maximum validity is now 200 days
• March 2027: that drops to 100 days
• March 2029: that drops again to 46 days
Domain and IP validation reuse periods are being reduced on the same schedule.
This isn’t a vendor-specific change. It’s being driven through CA/Browser Forum standards and enforced by browser root programs, including those from Apple, Google, and Mozilla.
The reason is straightforward. A certificate is a point-in-time validation of identity and control. The longer it stays valid, the greater the chance that something has changed underneath it. Shorter lifetimes reduce that exposure: less time for stale validation, less time for misissuance to persist, less time for something to be wrong without anyone noticing.
The Operational Reality
Most organizations don’t have one certificate. They have many. They exist across websites, APIs, client portals, load balancers, reverse proxies, cloud services, Kubernetes ingress, appliances, and third-party platforms.
In a lot of environments, no single team has a complete inventory. Ownership is fragmented. Issuance, deployment, and renewal are handled in different places, in different ways. That was manageable when certificates lasted over a year.
It became a problem at 200 days. It becomes harder at 100. At 47 days, it breaks. At that point, this isn’t really about certificates anymore. It’s about whether lifecycle management is actually engineered as a continuous process.
What To Do Now
The first step is visibility. You need to know:
• what certificates you have
• where they live
• who owns them
• when they expire
• what depends on them
If you don’t have a clear answer to those questions, that’s the gap. From there, this becomes an automation problem. Manual certificate management made sense when renewals happened once a year. It doesn’t make sense at this pace.
In practice, that means integrating certificate issuance and renewal into your environment through automated processes, whether that’s ACME-based workflows or centralized lifecycle management.
The last piece is accountability. Certificate failures tend to show up at the boundaries — between infrastructure, application, platform, and third-party ownership. If those boundaries aren’t clearly defined, the failure point shows up in production.
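The inventory questions above, turned into a check that can run on a schedule. This is an added example, not code from the article or from Guardian. The hosts, owners, the renew-at-one-third-remaining policy, the 398-day pre-2026 limit and the day of month for the 2027 and 2029 phases are assumptions, and the date strings use the notBefore/notAfter format that Python's SSLSocket.getpeercert() returns.

```python
import ssl
from datetime import datetime, timezone

UTC = timezone.utc
# Issuance date from which each maximum validity (days) applies, newest first.
# Assumed: the 15th for 2027/2029; 47 is the figure from "The Operational Reality".
SCHEDULE = [
    (datetime(2029, 3, 15, tzinfo=UTC), 47),
    (datetime(2027, 3, 15, tzinfo=UTC), 100),
    (datetime(2026, 3, 15, tzinfo=UTC), 200),
]
LEGACY_MAX_DAYS = 398  # assumed limit for certificates issued before 15 March 2026

def parse_cert_time(value):
    """Parse a notBefore/notAfter string as returned by getpeercert()."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=UTC)

def max_validity_days(issued):
    """Maximum validity allowed for a certificate issued at `issued`."""
    return next((d for start, d in SCHEDULE if issued >= start), LEGACY_MAX_DAYS)

def audit(record, now, renew_fraction=1 / 3):
    """Return findings for one inventory record (renew_fraction is an assumed policy)."""
    not_before = parse_cert_time(record["notBefore"])
    not_after = parse_cert_time(record["notAfter"])
    lifetime = (not_after - not_before).total_seconds() / 86400
    remaining = (not_after - now).total_seconds() / 86400
    findings = [] if record.get("owner") else ["no-owner"]
    if remaining < 0:
        findings.append("expired")
    elif remaining < lifetime * renew_fraction:
        findings.append("renew-now")
    if lifetime > max_validity_days(not_before):
        findings.append("exceeds-max-validity")  # longer than allowed at issuance
    elif lifetime > max_validity_days(now):
        findings.append("next-renewal-shorter")  # valid, but cannot be reissued as-is
    return findings

# Constructed sample inventory (hypothetical hosts and owners).
INVENTORY = [
    {"host": "portal.example.test", "owner": "web-team", "notBefore": "Jan 10 00:00:00 2026 GMT", "notAfter": "Feb 10 00:00:00 2027 GMT"},
    {"host": "api.example.test", "owner": "", "notBefore": "Apr 10 00:00:00 2026 GMT", "notAfter": "Apr 10 00:00:00 2027 GMT"},
    {"host": "vpn.example.test", "owner": "netops", "notBefore": "Mar 20 00:00:00 2026 GMT", "notAfter": "Jun 18 00:00:00 2026 GMT"},
    {"host": "old.example.test", "owner": "web-team", "notBefore": "Feb 11 00:00:00 2026 GMT", "notAfter": "May 12 00:00:00 2026 GMT"},
]

if __name__ == "__main__":
    for r in INVENTORY:
        print(r["host"], audit(r, datetime(2026, 6, 1, tzinfo=UTC)) or ["ok"])
```

The "next-renewal-shorter" finding marks certificates that are valid today but were issued under an older limit, so their renewal cadence will change the next time they are reissued.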
What All This Really Impacts
This shift isn’t just about certificates. It’s a reflection of operational maturity. Organizations with clear inventory, ownership, and automated renewal processes will adjust. Organizations that are still handling this as a periodic task will feel it — especially as the window continues to shrink.
The timeline is already in effect. The first reduction has happened. The next phases are scheduled. The question isn’t whether certificate management has to become more active.
A Solution That Does the Work
This is also the kind of exposure Guardian Lumen is built to surface — giving you visibility into certificate inventory, upcoming expirations, misconfigurations, and untracked assets before they become incidents.
And for teams that need a broader outside-in view of what’s exposed, Guardian Glass extends that visibility beyond certificates alone.
