There are two things happening in the SSL/TLS world right now that, in isolation, are manageable.
Together, they’re disruptive.
The first is well known: quantum computing is moving from theoretical research into practical engineering. Whether we think it will take 5 years or 15, one thing is clear: the public key algorithms protecting today’s internet were not designed for a quantum-capable adversary.
The second is more immediate and operational: the CA/Browser Forum has formalised the progressive reduction of SSL/TLS certificate validity periods, culminating in a maximum lifespan of 47 days by 2029.
Forty-seven days.
That’s not a typo.
If you run a public website, APIs, cloud workloads, or anything customer-facing, this isn’t just a compliance detail. It’s an operational shift.
Why This Combination Is Different
Let’s break it down.
1. The Post-Quantum Shift Is About Crypto Agility
Most organisations are not worried about quantum computers breaking RSA tomorrow.
What they should be thinking about is this:
When PQC becomes production-ready and mandated, how fast can you transition?
If your certificate infrastructure is rigid, manually managed, and scattered across business units, then the real risk isn’t quantum; it’s organisational inertia.
Crypto agility is not about deploying PQC today.
It’s about ensuring you can switch when the time comes.
2. 47-Day Certificates Change the Operating Model
For years, certificate management was treated as an administrative task. A renewal reminder here, a spreadsheet there.
That model doesn’t survive a 47-day validity world.

At 47 days:
- Renewals become constant
- Manual tracking becomes error-prone
- Outage risk rises with every renewal that can be missed
- Audit and compliance complexity grows
Shorter lifespans are good for ecosystem security.
But they demand automation.
The Real Issue Isn’t PQC. It’s Lifecycle Management.
Based on what we observe across industries, the real bottleneck isn’t algorithm readiness.
It’s visibility.
Many organisations don’t have:
- A complete inventory of their SSL/TLS certificates
- Centralised expiry monitoring
- Automated issuance and renewal workflows
- A structured plan for algorithm transition
And without those fundamentals, talking about post-quantum migration is premature.
You can’t modernise cryptography if you don’t even know where it’s deployed.

What Forward-Looking Organisations Are Doing
The more mature organisations we observe are taking a phased approach:
Step 1: Gain Full Certificate Visibility
Build a complete inventory across public websites, internal systems, cloud, containers, and load balancers.
Step 2: Automate the Lifecycle
Move away from manual renewals. Integrate issuance and renewal into DevOps and infrastructure pipelines.
Step 3: Design for Algorithm Flexibility
Ensure that certificate management systems are not tightly bound to a single algorithm. Prepare for hybrid (classical + PQC) deployments when standards stabilise.
Step 4: Monitor Industry Signals
Track NIST PQC standardisation, browser support, root program policies, and regulatory guidance so you are ready to move when they change.
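As an added illustration (not code from the original post or from its author), here is the kind of check that Steps 1 to 3 make possible once an inventory exists: each record is assessed against the 47-day ceiling, an overdue renewal, a manual process, and a key algorithm that will need to move in the PQC transition. It assumes a renewal cadence of two thirds of the lifetime, placeholder names for the PQC-capable algorithm set, and a constructed sample inventory.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from math import ceil

MAX_VALIDITY_DAYS = 47       # the 2029 ceiling the post describes
RENEW_AT_FRACTION = 2 / 3    # assumption: renew once two thirds of the lifetime has elapsed
PQC_READY_ALGS = {"ML-DSA-65", "ML-DSA-87"}  # assumption: adjust to what your CA actually issues

@dataclass(frozen=True)
class CertRecord:
    host: str
    not_before: date
    not_after: date
    key_alg: str
    automated: bool          # renewed by a pipeline (ACME or similar) rather than by hand
    @property
    def lifetime_days(self) -> int:
        return (self.not_after - self.not_before).days
    def renewal_due(self) -> date:
        return self.not_before + timedelta(days=int(self.lifetime_days * RENEW_AT_FRACTION))

def renewals_per_year(lifetime_days: int) -> int:
    # Operational load per certificate at the chosen cadence (47 days -> 12 renewals a year).
    return ceil(365 / max(1, int(lifetime_days * RENEW_AT_FRACTION)))

def assess(inventory, today: date) -> dict:
    # Returns {host: [finding, ...]}; an empty list means nothing to act on.
    findings = {}
    for c in inventory:
        issues = []
        if c.lifetime_days > MAX_VALIDITY_DAYS:
            issues.append("exceeds-47-day-cap")
        if c.not_after <= today:
            issues.append("expired")
        elif today > c.renewal_due():
            issues.append("renewal-overdue")
        if not c.automated:
            issues.append("manual-renewal")
        if c.key_alg not in PQC_READY_ALGS:
            issues.append("classical-key")    # goes on the hybrid/PQC transition backlog
        findings[c.host] = issues
    return findings

# Constructed sample inventory; hosts, dates and algorithms are illustrative only.
INVENTORY = [
    CertRecord("www.example.com", date(2026, 3, 1), date(2026, 4, 17), "ECDSA-P256", True),
    CertRecord("api.example.com", date(2026, 1, 10), date(2027, 1, 10), "RSA-2048", False),
    CertRecord("legacy.internal", date(2025, 12, 1), date(2026, 3, 15), "RSA-2048", False),
    CertRecord("lb.cloud.example", date(2026, 2, 20), date(2026, 4, 8), "ECDSA-P384", False),
]
```

Run `assess(INVENTORY, date(2026, 3, 20))` to see that only the automated 47-day certificate comes back with nothing but the algorithm note, while the year-long and expired records accumulate several findings each.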
A Subtle but Important Shift
Historically, SSL/TLS certificates were treated as point-in-time security artefacts. From now on, they need to be treated as continuously managed cryptographic assets.
The 47-day timeline accelerates this.
The post-quantum era makes it non-optional.
Final Thought
The organisations likely to struggle in the PQC transition are not those lacking quantum expertise.
They’re the ones still managing certificates manually.
If there’s one practical takeaway from both trends, it’s this:
Before thinking about quantum-safe algorithms, make sure your certificate lifecycle is automated, visible, and crypto-agile. Everything else builds on that foundation.
If you’re assessing your certificate lifecycle readiness or thinking about crypto agility, we’re always happy to share what we’re seeing across the industry. Contact us today.