Preparing for the 47-day certificate era: Why automation can’t wait


SSL/TLS certificate lifespans are shrinking to just 47 days, making manual management impossible. Without true automation, outages, compliance failures, and financial losses are inevitable. This blog explains why automation is no longer optional: it’s a business survival strategy.

Executive summary
Forty-seven days. That is all the time you will have before your business risks going dark because of a single expired certificate.
This is not hypothetical. Outages are already happening at some of the world’s largest companies: retailers losing millions during holiday sales, global websites getting knocked offline, and critical infrastructure failing without warning. The pattern is the same every time: not enough automation, not enough executive urgency, and leadership that assumed “the admins have it covered.”
They do not. They cannot. And they should not be asked to.
Certificate lifespans are shrinking, crypto deadlines like the 2030 RSA 2048 deprecation are looming, quantum is around the corner, and the operational burden has shifted from a yearly nuisance to an unrelenting cycle of risk. PKI administrators already know this. The failure is not theirs; it is leadership’s.
About me: I have seen what happens without automation
I have spent years in enterprise PKI and the MSP world, managing certificates for hundreds of clients. I know what “manual” really looks like: late-night CSR generation, copying certificates across different systems, scrambling to update configs, double-checking guides, and hoping nothing breaks. It was always slow, always error-prone, and always thankless.
When I came to Sectigo, it was like discovering fire. Suddenly, certificates could be issued, deployed, and monitored directly from one interface: no more manual CSRs, no more brittle scripts, no more “hope and pray” renewals.
The difference: true end-to-end automation. This is why I push so hard for organizations to act now. Because I have seen what happens when they do not.
Lessons from the field
The holiday outage: when freeze meets expiry
I watched this one unfold. A global retailer entered peak holiday season under a change freeze. Smart strategy, until certificates expired. With no way to deploy new ones, critical websites began going dark. Leadership had to watch helplessly as revenue leaked away in real time, all because manual renewals collided with change management.
The CA distrust: agility or chaos
Before joining Sectigo, I lived through the Symantec distrust event. At Sectigo I witnessed the Entrust distrust. Practically overnight, customers had to replace every certificate tied to distrusted roots. For organizations without certificate lifecycle management (CLM), it was chaos: manual replacements at scale, endless revalidations, and furious customers. Mistakes were made and sites went down. With crypto agility and CA agility, it could have been a controlled process. Instead, it was a fire drill on a global stage.
False automation = false confidence
I have seen this story too many times. A large security vendor purchased a well-known CLM solution. Their director of infrastructure assumed certificates were automated. In reality, it was still a fully manual process. Their CLM solution was acting as a fancy notification system. They never bothered to check the certs were automated. When a certificate finally expired, it caused a major outage. They had the “automation tool” on paper, but because it was not truly end-to-end automation, it was nothing more than a false sense of security.
The takeaway from these: outages are not caused by admins. They are caused by executives who fail to equip admins with real automation and then assume the problem is solved.
Why manual processes break at 47 days
Here is the truth: executives often assume “certificates are handled.”
This is what a certificate request looks like without automation:
- Generate the key pair – Admins manually create the private key and CSR, wrestling with OpenSSL or GUIs, filling out organization details, and hoping every field is right.
- Submit to the CA – Then they wait. Hours or days, depending on validation requirements. Sometimes DNS changes or org checks stall the whole process.
- Download and figure out deployment – Once issued, admins need to install it. Many end up Googling commands, digging through old notes, or asking AI tools for help.
- Schedule downtime – Certificates often require maintenance windows and coordination with app owners. One wrong config, and the site breaks.
- Repeat endlessly – Now compress that cycle into 47 days, across thousands of certs, across hundreds of systems.
You can quickly see how this process is not just tedious; it is unsustainable. At 47-day lifespans, which require monthly renewal cadences, manual renewal is a guaranteed recipe for outages.
With Sectigo Certificate Manager, it is different:
- Validations are pre-handled.
- Certificates renew automatically.
- Certificates are deployed directly to the end device.
- Outages stop being a guessing game and become preventable.
Manual certificates were barely manageable in one year. At 47 days, they are impossible.
The human cost: burnout and attrition
This is not just about outages; it is about people.
When I talk to PKI admins about the shift to 47-day certificates, many of them joke, though they are not really joking: “I hope to retire before this happens.”
CISOs say the same thing: “I just want to get out before this problem lands on my desk.”
That mindset is dangerous. It is not just technical debt: it is human exhaustion. These systems are being held together by people who may quit or retire rather than fight through another wave of manual chaos.
The reality is clear: this problem will not wait for retirement. The outages are coming unless businesses act. The only sustainable path forward is automation: end-to-end, built into the fabric of your infrastructure. And that is exactly what Sectigo Certificate Manager delivers.
Sectigo vs. other CLMs
Here is another hard truth: many other CLM vendors make automation harder than it must be. Why? Because they make money selling professional services.
They scope integrations as custom projects, dragging timelines from weeks into months and inflating costs. While you wait, your risk grows.
Sectigo takes the opposite approach:
- Solutions, not services: Automation that works out of the box.
- Pre-built integrations: ServiceNow, F5, IIS, and Azure, ready to deploy now.
- Governance and crypto agility: Define and enforce policies that keep you ahead of crypto shifts like the 2030 RSA 2048 deprecation.
Where others sell services, Sectigo delivers solutions.
The biggest misconception about automation
One of the most dangerous misconceptions I see, especially with customers migrating from Entrust, is the belief that they already have automation.
Many organizations have purchased CLM tools, expecting end-to-end automation. But when we dig in, we find the reality: zero percent automated.
These tools often amount to glorified notification systems and certificate request forms. They alert admins when certificates are about to expire, or they streamline the request workflow, but automation has yet to be set up on the devices where it is needed, because it is too hard and costly.
That is not automation. That is a fancier version of the same manual process.
True automation means the entire lifecycle (issuance, deployment, renewal, and replacement) is handled without manual intervention. That is what Sectigo delivers, and it is the only approach that will stand up to the relentless pace of 47-day renewals.
Ask yourself: have you asked your team how many certificates you actually have fully automated to the end device? The answer may surprise you.
The path forward: a 47-day reality check
This is not a technical nuisance. This is a governance failure waiting to happen. Executives who ignore it are not just putting IT at risk; they are putting shareholder value, customer trust, and regulatory compliance on the line.
Here are the four pillars every leadership team must act on now:
- Visibility: You cannot automate what you cannot see. Start with discovery and inventory of every certificate across your environment.
- Automation first: Stop treating certificates like a manual ticketing task. True automation issues, deploys, renews, and replaces certificates directly on devices, without human intervention. Anything less is not sustainable in a 47-day world.
- Flexibility: Every environment is different. Some teams will choose agents, others ACME, APIs, or cloud integrations. The key is to have multiple automation options ready to fit every use case, not a one-size-fits-all bottleneck.
- Governance: Leadership must enforce policies from the top down: automation aligned with crypto agility, compliance, and risk frameworks. This is not just an IT decision; it is board-level risk management.
Why executives must act now
- Financial impact: Certificate outages cost organizations millions in downtime, lost sales, and recovery efforts—far more than the cost of automation.
- Personal accountability: Customers and investors do not blame admins. They blame CIOs, CISOs, and CEOs. This is a leadership failure, not a technical slip-up.
- Compliance exposure: A single expired certificate can instantly break PCI, HIPAA, or SOX compliance, exposing your business to fines and lawsuits.
- Competitive positioning: Competitors who automate will not only avoid outages but will also gain speed, resilience, and trust in the market. Can you afford to fall behind?
- Board-level risk: Certificate automation must be part of quarterly board risk reviews. If it is not already there, you are already behind.
Closing: the countdown has already started
Automation is not about making PKI admins’ lives easier; it is about keeping your business online. The outages are already here. The headlines are already written. The question is whether your organization will be in the next one.
Ask yourself: do you want your company’s name in the news as the next certificate outage headline? Because that is the reputational gamble you are taking if you wait.
If you are ready to avoid being the cautionary tale, start with Sectigo’s 47-Day Checklist and get our team’s guidance on how end-to-end automation can work in your environment.
Forty-seven days is the new reality. The countdown is already ticking. The only question is whether you will get ahead, or get taken down.