The PKI perfect storm: how to kill three birds with one stone (spoiler: the stone is automation)
2025-11-13 08:33 | Author: securityboulevard.com

Three major PKI challenges are converging: shorter 47-day certificate lifespans, post-quantum cryptography readiness, and the deprecation of mutual TLS. The good news? A single solution, automated Certificate Lifecycle Management (CLM), tackles them all. Learn how automation unifies discovery, renewal, and agility in one coordinated strategy.

We all know the phrase “kill two birds with one stone”: the opportunity to get two tasks done with the effort of one. In the fast-paced world of IT, finding two birds to kill with one stone is the gold standard.


As discussed in a recent episode of the Root Causes Podcast, within the world of IT, and more specifically the landscape of Public Key Infrastructure (PKI), major changes are evolving rapidly. This evolution is presenting organizations with not two, but three concurrent, major birds, or rather, crises.

The good news? The solution to all of them is the same stone. It’s not just about managing certificates; it’s about achieving unified, cross-organizational Certificate Lifecycle Management (CLM), powered by true automation.

Here are the three PKI challenges: the “three birds” that are about to hit your enterprise simultaneously, and how a single, coordinated project can address them all.

Bird 1: The march to 47 days

The industry is moving quickly toward shorter certificate lifespans. This march towards 47-day certificates is forcing organizations to adopt a monthly renewal cadence for certificates before the March 2029 deadline. Compared with an annual cycle, this means 12x more renewals, and 12x more risk of outages and downtime.

For organizations relying on manual spreadsheets, internal ticketing, and ad-hoc processes, this change is not an inconvenience; it’s an extinction event. “The old methods will become decreasingly tenable and eventually break entirely,” according to Tim Callan on this Root Causes podcast episode. If your team struggles to renew a certificate annually, imagine doing it every 47 days.

The first step for survival: you must know exactly which certificates you have in production, where they are deployed, and who is responsible for them. This starts with Discovery.

Bird 2: The security mandate of Post-Quantum Cryptography (PQC) readiness

The race to secure systems against future quantum attacks is underway. For security architects, preparing for PQC is a massive undertaking, but the initial phase is identical to preparing for the 47-day mandate.

What is the first step in preparing for post-quantum cryptography? Inventory.

You must locate all cryptographic assets, understand their use cases, and determine their priority for migration. While PQC affects more than just TLS server certificates, these form the “lion’s share” of the immediate workload. This means there is already a massive overlap with the operational challenge of shortening lifespans.

Bird 3: The deprecation deadline for mutual TLS (mTLS)

This is the newest, and perhaps most overlooked, bird. The industry has announced the definitive deprecation of client authentication certificates used for Mutual TLS.

This deadline is hard: June 15, 2026.

Large enterprises may not even know where they are currently using a server certificate for client authentication. This mandate forces another immediate, large-scale search across the IT environment to identify and replace these certificates.

Again, the necessary homework is the same: can you tell, right now, the precise number of your TLS server certificates versus your client authentication certificates? For most, the answer is “no.”

The stone: Unifying siloed efforts with automation

Historically, these problems have been managed in silos. A security architect reports to the CISO about PQC threats, while an operations manager reports to the CIO about the 47-day mandate. The work is incredibly duplicative, potentially leading to wasted resources, crossed purposes, and multiple, competing tool evaluations.

The “one stone” that kills all these birds is unified Certificate Lifecycle Management (CLM) powered by automation.

CLM provides the essential visibility that stretches across the organization, giving a single, centralized view of every certificate, regardless of type, vendor, or location. By treating the three mandates as one single, coordinated project, organizations can:

  1. Build a single inventory: Eliminate redundant discovery efforts.
  2. Automate renewal: Implement a system that can handle monthly renewals for 47-day certs without human intervention.
  3. Achieve agility: Gain the ability to rapidly identify, migrate, and replace assets, whether due to PQC, mTLS deprecation, or a revocation event.
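The single inventory that Birds 2 and 3 and the list above all depend on, as an added example in Go (not Sectigo's code or the post's): it classifies parsed X.509 certificates by extended key usage (TLS server versus client authentication, the count Bird 3 asks for), tallies public-key algorithms for the PQC migration list, and flags names with 15 or fewer days left under a 47-day renewal cadence. The certificates, names and reference date are constructed for the demo; `slices.Contains` assumes Go 1.21 or later.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"math/big"
	"slices"
	"time"
)

type Inventory struct {
	ServerOnly, ClientAuth int            // mTLS question: which certs carry clientAuth?
	KeyAlgorithms          map[string]int // PQC question: which classical key algorithms are in use?
	DueForRenewal          []string       // 47-day question: which names need renewal now?
}
// Classify answers all three for discovered certs; ClientAuth counts any cert whose EKU has clientAuth.
func Classify(certs []*x509.Certificate, now time.Time, renewDays int) Inventory {
	inv := Inventory{KeyAlgorithms: map[string]int{}}
	for _, c := range certs {
		if slices.Contains(c.ExtKeyUsage, x509.ExtKeyUsageClientAuth) {
			inv.ClientAuth++ // dual-use serverAuth+clientAuth certs land here too
		} else if slices.Contains(c.ExtKeyUsage, x509.ExtKeyUsageServerAuth) {
			inv.ServerOnly++
		}
		inv.KeyAlgorithms[c.PublicKeyAlgorithm.String()]++
		if c.NotAfter.Sub(now) <= time.Duration(renewDays)*24*time.Hour {
			inv.DueForRenewal = append(inv.DueForRenewal, c.DNSNames...)
		}
	}
	return inv
}
// sampleCert builds a constructed, self-signed 47-day certificate (Ed25519 key) for the demo.
func sampleCert(name string, ekus []x509.ExtKeyUsage, notAfter time.Time) *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{name}, ExtKeyUsage: ekus, NotBefore: notAfter.AddDate(0, 0, -47), NotAfter: notAfter}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	c, _ := x509.ParseCertificate(der) // parse back so Classify sees what a scanner would
	return c
}
// SampleInventory classifies three constructed certs at a fixed date, renewing at 15 days left (about a third of 47).
func SampleInventory() Inventory {
	now := time.Date(2026, 4, 1, 0, 0, 0, 0, time.UTC) // constructed reference date
	certs := []*x509.Certificate{
		sampleCert("web.example", []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, now.AddDate(0, 0, 30)),
		sampleCert("api.example", []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}, now.AddDate(0, 0, 10)),
		sampleCert("svc.example", []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, now.AddDate(0, 0, 40)),
	}
	return Classify(certs, now, 15)
}
```

In a real deployment the certificate slice would come from the discovery scan (TLS endpoints, key stores, CA exports), and the same three counts answer the three birds at once.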

Elevate the conversation

For this unified approach to succeed, ownership must be elevated. Leaving this work to the “people who are in the trenches” (the Linux admins or IT directors) will result in a failure to see the full picture.

This convergence of deadlines is a risk problem, not just an operational one. It requires attention from the CTO, CEO, or Head of Product: someone with scope over both the security and operational teams.

If your enterprise has not yet begun a single, coordinated project focused on complete certificate visibility and automation, now is the time to start. The deadlines are real, they are converging, and the penalty for inaction is an exponential increase in operational and security risk.

Conclusion

Sectigo is here to help. Our goal within the industry is to educate and inform people about these drastic industry changes. As a reputable CA and a CLM provider, we develop resources to help you through these monumental shifts.

Our 47-Day Toolkit is a first step in starting the discussion in your organization about automation ahead of the first deadline in March 2026, which reduces certificate lifespans to just 200 days. Looking for more? Reach out to us today and we’d be happy to point you in the right direction.


*** This is a Security Bloggers Network syndicated blog from Sectigo authored by Tim Callan. Read the original post at: https://www.sectigo.com/resource-library/pki-perfect-storm-automation


Article source: https://securityboulevard.com/2025/11/the-pki-perfect-storm-how-to-kill-three-birds-with-one-stone-spoiler-the-stone-is-automation/