In many enterprises, trust infrastructure has evolved over years rather than being designed all at once. Certificates were added as services expanded, DNS environments grew organically, and identity systems were layered in as new platforms were adopted. For a long time, that worked.
However, the move to a maximum 47-day lifetime for public TLS certificates changes things. Shorter lifecycles reduce the exposure window for compromised keys, which is positive for security, but they also increase the operational tempo. Renewals, validations and updates that once happened annually will now happen almost continuously.
For already stretched security and infrastructure teams, this is an immediate pressure point that needs addressing for the long term. With that in mind, the goal should not simply be to cope with 47-day certificates; instead, the opportunity should be used to reduce risk and strengthen digital trust over the long term through a practical roadmap.
Step 1: Start with visibility, not tooling
Before introducing new platforms or processes, organisations need clarity. Many enterprises have complex environments where certificates are distributed across cloud workloads, legacy systems and third-party services. Ownership may sit with different teams that don’t collaborate, and documentation or audit trails may be incomplete.
Therefore, the first step is to establish a reliable inventory and clear accountability. Teams must find out what certificates exist, which domains they support, and who depends on them.
This approach aligns directly with regulatory expectations under DORA and NIS2 around ICT risk identification and asset management. In the UK, operational resilience frameworks require firms to understand the dependencies that underpin important business services. Certificates and DNS records are often among those hidden dependencies, and having an audit trail for them is important. Without visibility, automation and resilience efforts will not be as effective.
Step 2: Gradually remove manual renewal risk
Many organisations still rely on calendar reminders, ticketing systems or spreadsheets to manage renewals. That approach may have been manageable with longer lifecycles, yet it becomes fragile and unsustainable under the new 47-day model. Remember, the objective is not to replace everything overnight; it is to reduce points of human error over time.
Automating discovery, renewal and policy enforcement reduces both security and availability risk. An expired certificate does not simply weaken encryption; it can instantly interrupt customer access or internal workflows.
Under DORA, firms must demonstrate that critical services can remain operational under stress. Avoiding certificate-related disruption is part of that resilience story. Shorter lifecycles are not inherently disruptive, but gaps in lifecycle management are.
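To make Steps 1 and 2 concrete, here is an added example (not code from the article or from DigiCert) that triages a certificate inventory against the 47-day model: it flags certificates with no accountable owner, certificates whose current lifetime could not be re-issued under the 47-day maximum, certificates whose renewal trigger has already passed, and short-lived certificates still renewed by hand. The inventory records, the `SAMPLE_TODAY` date, the 2/3-of-lifetime renewal trigger and the `"acme"`/`"manual"` renewal-method values are constructed assumptions standing in for what a discovery scan would return.

```python
"""Certificate inventory triage under a 47-day maximum lifetime.

Added example, not code from the article or from DigiCert. The records
below are constructed to stand in for what a discovery scan would return;
the field names, the 2/3-of-lifetime renewal trigger and the
"acme"/"manual" renewal_method values are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

MAX_LIFETIME_DAYS = 47      # public TLS maximum discussed in the article
RENEW_AT_FRACTION = 2 / 3   # assumed policy: trigger renewal at 2/3 of the lifetime


@dataclass(frozen=True)
class CertRecord:
    common_name: str
    sans: tuple[str, ...]   # DNS names the certificate covers
    not_before: date
    not_after: date
    owner: str | None       # team accountable for renewal; None means nobody has claimed it
    renewal_method: str     # "acme" (automated) or "manual" (ticket, spreadsheet, reminder)


def lifetime_days(cert: CertRecord) -> int:
    return (cert.not_after - cert.not_before).days


def renewal_due(cert: CertRecord) -> date:
    """Date on which renewal should be triggered under the 2/3 rule."""
    return cert.not_before + timedelta(days=int(lifetime_days(cert) * RENEW_AT_FRACTION))


def renewals_per_year(cert: CertRecord) -> float:
    """Renewal events per year implied by the lifetime and the 2/3 rule.
    A 47-day certificate renews roughly every 31 days, i.e. about 12 times a year."""
    interval = max(1, int(lifetime_days(cert) * RENEW_AT_FRACTION))
    return round(365 / interval, 1)


def triage(inventory: list[CertRecord], today: date) -> dict[str, list[str]]:
    """Group certificates by finding. Values are common names, in inventory order."""
    findings: dict[str, list[str]] = {
        "no_owner": [],          # Step 1: nobody accountable
        "exceeds_47d": [],       # Step 1: could not be re-issued at this lifetime
        "renewal_due": [],       # Step 2: renewal trigger has already passed
        "manual_under_47d": [],  # Step 2: short-lived but still renewed by hand
    }
    for cert in inventory:
        if cert.owner is None:
            findings["no_owner"].append(cert.common_name)
        if lifetime_days(cert) > MAX_LIFETIME_DAYS:
            findings["exceeds_47d"].append(cert.common_name)
        if renewal_due(cert) <= today:
            findings["renewal_due"].append(cert.common_name)
        if cert.renewal_method == "manual" and lifetime_days(cert) <= MAX_LIFETIME_DAYS:
            findings["manual_under_47d"].append(cert.common_name)
    return findings


# Constructed sample inventory and "as of" date (not real hosts or certificates).
SAMPLE_TODAY = date(2026, 3, 1)
SAMPLE_INVENTORY = [
    CertRecord("www.example.test", ("www.example.test", "example.test"),
               date(2026, 2, 1), date(2026, 3, 20), "web-platform", "acme"),
    CertRecord("api.example.test", ("api.example.test",),
               date(2026, 1, 20), date(2026, 3, 8), None, "manual"),
    CertRecord("legacy.example.test", ("legacy.example.test",),
               date(2025, 6, 1), date(2026, 6, 1), "ops", "manual"),
]

if __name__ == "__main__":
    for cert in SAMPLE_INVENTORY:
        print(f"{cert.common_name}: lifetime {lifetime_days(cert)}d, "
              f"renew by {renewal_due(cert)}, ~{renewals_per_year(cert)} renewals/year")
    for category, names in triage(SAMPLE_INVENTORY, SAMPLE_TODAY).items():
        print(f"{category}: {names}")
```

The `renewals_per_year` figure is the operational-tempo argument in numbers: the same host that generated one renewal event a year under a 365-day certificate generates close to twelve under a 47-day one, which is why a manual renewal path that was tolerable before becomes a standing availability risk.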
Step 3: Bring PKI and DNS closer together
Certificates and domains are operationally linked, yet they are often managed in silos by completely different teams. As renewal cycles accelerate, misalignment between PKI workflows and DNS updates becomes more visible.
Rather than treating DNS as background plumbing, it should be recognised as part of the trust layer that enables service availability. When DNS and PKI are coordinated, validation events are smoother and configuration drift is reduced, all of which simplifies governance.
Trust failures that affect availability are no longer viewed as isolated technical incidents. They are resilience issues. Treating PKI and DNS as a unified layer helps reduce that systemic risk, which is ultimately the end goal.
Step 4: Build towards crypto-agility, not just compliance
Lastly, leaders should look beyond immediate renewal pressures to how they build crypto-agility and get ahead of the game.
Artificial intelligence is increasing the scale of automated attacks. Quantum computing research is prompting legitimate questions about the longevity of current cryptographic standards.
Crypto-agility — the ability to rotate keys, update algorithms and adapt certificate policies without destabilising services — should be designed in now rather than retrofitted later. If your PKI and DNS are already closely linked, bring identity and access management into alignment too. Certificates increasingly underpin machine identity and secure service-to-service communication. So, if you embed cryptographic trust directly into IAM decisions, you ensure that identity systems remain robust even as your environments grow more complex.
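The following added example (not code from the article or from DigiCert) illustrates both Step 3 and Step 4 over the same inventory: the PKI/DNS alignment check reports certificate SANs that DNS no longer serves and CAA records that do not authorise the CA that actually issued the certificate, and the crypto-agility check reports what must change at the next renewal for each certificate to meet the current key policy. The zone data, CAA records, CA names (`ca-one.example`, `ca-two.example`), the `KEY_POLICY` tiers and the idea of stamping each certificate with the policy version it was issued under are constructed assumptions about how a team might model this.

```python
"""PKI/DNS alignment and crypto-agility checks over a certificate inventory.

Added example, not code from the article or from DigiCert. The zone data,
CAA records, CA names and the KEY_POLICY tiers are constructed, and the idea
of stamping each certificate with the policy version it was issued under is
an assumption about how a team might track agility.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    common_name: str
    sans: tuple[str, ...]
    issuer_ca: str        # issuer domain as it would appear in a CAA record
    key_algorithm: str    # e.g. "ECDSA-P256", "RSA-2048"
    policy_version: int   # crypto policy version the certificate was issued under


# Constructed view of DNS: names the zone actually serves, and the CAA
# records that restrict which CAs may issue for each zone.
ZONE_NAMES = {"example.test", "www.example.test", "api.example.test"}
CAA_ISSUERS = {"example.test": {"ca-one.example"}}

# Constructed crypto policy. Deprecated algorithms are still trusted but
# must be replaced at the next renewal; anything else is not permitted.
KEY_POLICY = {
    "version": 3,
    "allowed": {"ECDSA-P256", "ECDSA-P384", "RSA-3072"},
    "deprecated": {"RSA-2048"},
}


def zone_for(name: str) -> str | None:
    """Closest enclosing zone that carries a CAA policy, or None."""
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in CAA_ISSUERS:
            return candidate
    return None


def dns_findings(cert: Cert) -> list[str]:
    """Step 3: SANs that DNS no longer serves, and CAA records that do not
    authorise the CA that actually issued the certificate."""
    issues = []
    for name in cert.sans:
        if name not in ZONE_NAMES:
            issues.append(f"{name}: in certificate but not in DNS (stale SAN or drift)")
    zones = {z for z in map(zone_for, cert.sans) if z is not None}
    for zone in sorted(zones):
        if cert.issuer_ca not in CAA_ISSUERS[zone]:
            issues.append(f"CAA for {zone} does not list issuer {cert.issuer_ca}")
    return issues


def agility_findings(cert: Cert) -> list[str]:
    """Step 4: what must change at the next renewal for this certificate to
    meet the current policy, rather than waiting for a forced migration."""
    issues = []
    if cert.key_algorithm in KEY_POLICY["deprecated"]:
        issues.append(f"{cert.key_algorithm} is deprecated; re-key at next renewal")
    elif cert.key_algorithm not in KEY_POLICY["allowed"]:
        issues.append(f"{cert.key_algorithm} is not permitted by policy v{KEY_POLICY['version']}")
    if cert.policy_version < KEY_POLICY["version"]:
        issues.append(f"issued under policy v{cert.policy_version}; "
                      f"current is v{KEY_POLICY['version']}")
    return issues


def audit(certs: list[Cert]) -> dict[str, list[str]]:
    """Findings per certificate, keyed by common name."""
    return {c.common_name: dns_findings(c) + agility_findings(c) for c in certs}


# Constructed sample certificates (not real hosts or CAs).
SAMPLE_CERTS = [
    Cert("www.example.test", ("www.example.test", "example.test"),
         "ca-one.example", "ECDSA-P256", 3),
    Cert("api.example.test", ("api.example.test", "old-api.example.test"),
         "ca-two.example", "RSA-2048", 2),
]

if __name__ == "__main__":
    for name, issues in audit(SAMPLE_CERTS).items():
        print(name, "->", issues or "clean")
```

Because every 47-day renewal is also a chance to re-key, a policy-version stamp on each certificate turns an algorithm migration into ordinary renewal work: the next scheduled renewal picks up the new policy, and nothing has to be rotated out of band.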
Supporting teams through transition
The reduction to 47-day certificates raises the security baseline, and it also raises the operational bar. For many enterprises, this transition will take time. Legacy systems will not disappear overnight. Processes will need to evolve incrementally.
Security leaders who prioritise visibility, reduce manual renewal risk, integrate PKI with DNS and design for crypto-agility will not only meet regulatory expectations. They will materially reduce operational risk.
Trust infrastructure is no longer invisible. But with deliberate modernisation, it does not have to become fragile either. Trust can be strengthened, even as lifecycles accelerate, provided it is engineered with resilience in mind.
Lakshmi Hanspal
Lakshmi Hanspal is Chief Trust Officer at DigiCert, responsible for ensuring the trust, integrity, security, and privacy of DigiCert products while fostering trust with customers, partners, and stakeholders.