For years, many sysadmins have renewed their certificates annually, a reasonable pace for manual renewals. But on March 15, 2026, maximum certificate lifetimes will drop to 200 days, to 100 days in 2027, and to just 47 days in 2029. When these changes happen, manual tracking and renewal won’t be an option.
If you haven't already automated certificate renewals, the coming reductions in certificate lifetimes present you with a major administrative problem. These changes require more frequent renewals than manual processes can accommodate.
There’s a solution: Automated Certificate Management Environment (ACME), which is widely supported. DigiCert CertCentral customers even get ACME support for all TLS subscriptions at no additional cost.
Automating certificate renewals doesn’t have to be a major project. ACME can automate many key certificate operations, including requesting them, validating domain control, and installing the certificate.
ACME isn’t limited to web servers serving content to browsers, but that’s the use case it was mainly designed for. If your job is to keep web servers available and secured, ACME is a viable solution for automation, although there may be a learning curve. Once you get it working, you don’t have to worry about certificate renewals anymore, even annually—you can move straight to 30-day renewals and know you’re all set for the changes coming within the next few years.
ACME support is widespread, but certainly not universal. There is support among software products (such as web servers) and open-source projects that consume certificates. Support in the networking hardware market is also common, but some vendors support other automation standards like EST or have no automation support at all. DigiCert may be able to help with these situations.
It’s important to understand that these reductions in TLS certificate lifespans are mandated by the CA/Browser Forum, the standards body that governs the Web PKI—and all public CAs must follow them. Apple and Google were the key drivers behind these changes, but the CA community agrees with the goals of the changes and voted unanimously for them.
Once you’ve automated your public TLS certificate renewals with ACME, you can move on to your other certificate problems. Everyone has them and has to deal with them.
ACME is intended for web servers, which are by far the most common certificate application on the internet. Many other applications, from networking security to device security to client authentication, require automation and are unlikely to support ACME. The family of DigiCert ONE solutions addresses these in a single, CA-agnostic package.
Do you use Microsoft Active Directory? DigiCert Trust Lifecycle Manager can manage all those certificates and allow you to apply policies consistent with those of your other PKI applications.
Are you sure you even know what certificates you have? If your network is even medium-sized, you could easily have PKI applications on it that aren’t part of your certificate management. DigiCert Trust Lifecycle Manager can find all your certificates for both public and private applications, giving you the basis for keeping an accurate inventory of your cryptographic assets—something you’ll need as standards change.
Once you have an inventory of all your certificates, you may find that you’re using public certificates in applications for which a private CA is more appropriate. This is a common situation, and the use of public certificates leaks internal network details publicly (in the certificate transparency logs). DigiCert can create and manage a private CA for your internal applications that should not be communicating with the public internet.
The drop in maximum certificate lifetimes may or may not be a significant challenge for you to meet, but it’s not time to panic. You have time to address the problem and end up in a much better administrative posture than you have now with 398-day certificates.
In other words, now’s the time to commit to solving the problem before it’s actually time to panic.