47-day certificate lifespan mandate: How we can help
As new certificate management standards take effect, learn how adopting HashiCorp Vault can speed up your transition and mitigate certificate-related risks.
On April 11, 2025 the CA/Browser Forum officially voted to amend the TLS Baseline Requirements, setting a schedule for shortening both the lifetime of TLS certificates and the period for which CA-validated information may be reused in certificates. The new ballot targets a maximum certificate validity of 47 days by March 15, 2029.
This change isn't just an infrastructure concern that can be relegated to security teams. It will fundamentally require a reexamination of how products and services operate within the enterprise IT landscape to ensure operational uptime, availability, and better security. The shorter lifespan of certificates means that customers must prioritize automation of the certificate lifecycle as a core security tenet. Accelerated certificate expiration is a burden mostly for organizations that have manual processes around certificate issuance. In other words, this is only hard if you don't automate your certificate lifecycle management processes, and HashiCorp Vault helps you do that.
This post briefly looks at the risks of improper certificate management and how Vault adoption can help you heavily mitigate those risks.
» Major outages caused by certificate mismanagement
Failing to adequately invest in certificate lifecycle automation exposes customers to even higher risks and can result in incidents such as the following:
- February 2020: Microsoft Teams experienced a multi-hour outage due to an expired authentication certificate, preventing users from logging in.
- April 2024: SpaceX's Starlink: Elon Musk tweeted about a "ground station certificate" expiring, causing a multi-hour outage for Starlink users globally. Musk called it an "inexcusable" single point of failure.
- September 2024: A significant IT outage grounded all Alaska Airlines flights in Seattle for a couple of hours. The airline later confirmed the cause as a "certificate issue" that impacted multiple systems. While the specifics of the manual error weren't detailed, a widespread outage stemming from a certificate suggests potential issues in their management and deployment procedures.
» What are the signs of mismanagement?
Based on the stories above and countless other certificate-based outages, some signs of inadequate certificate management include:
- Configuration errors during deployment.
- Lack of visibility and tracking leading to missed expirations (indicating a flaw in manual inventory).
- Insufficient access controls and security around private keys.
- Failures in timely manual intervention even when expiration is imminent.
» How HashiCorp Vault can help
To address these challenges with managing shorter certificate lifespans, HashiCorp Vault, with its strong auth model, offers a powerful and simplified way to automate the entire process, thereby reducing the risk of outages and manual errors.
- Central source of truth: Instead of obtaining certificates from different places or generating them with insecure ad hoc methods, Vault can act as your single, trusted source for all your internal certificate needs.
- Automatic certificate generation: When a new service or application needs a certificate, Vault can automatically generate certificates with user-defined lifespans and private keys, without the developers needing to manually create them and potentially make mistakes.
- Automatic certificate renewals: Vault Agent can automatically renew these internal certificates based on a set time-to-live before they expire, so your developers don’t need to worry about services suddenly breaking because a certificate wasn't updated on time. This is like setting up automatic payments for your bills so you never miss a due date.
Vault takes the complexity out of managing internal certificates by centralizing the process and automating the entire lifecycle of certificates — from generation, to renewal, and revocation — all this while still ensuring adequate security and operational scale. This means less manual work for your teams with minimal risks.
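The renewal flow described above, as an added Vault Agent configuration example (not code from the original post or from HashiCorp's documentation). It assumes a PKI secrets engine mounted at `pki_int` with an issuing role `web-server`, an AppRole for the host, and the file paths shown; all of these are assumptions.

```hcl
# Added example: Vault Agent keeps a short-lived server certificate
# renewed without any human in the loop. Mount path, role name,
# hostname and file paths are assumed, not taken from the post.
vault {
  address = "https://vault.example.internal:8200"   # assumed address
}

auto_auth {
  # The agent authenticates as the host itself, so no operator holds
  # a long-lived token that could be copied around or forgotten.
  method "approle" {
    mount_path = "auth/approle"
    config = {
      role_id_file_path                   = "/etc/vault-agent/role_id"
      secret_id_file_path                 = "/etc/vault-agent/secret_id"
      remove_secret_id_file_after_reading = true
    }
  }
  sink "file" {
    config = {
      path = "/run/vault-agent/token"
    }
  }
}

# pkiCert issues a leaf certificate from the role and re-issues it as
# the certificate approaches its expiry. A 72h TTL is far below the
# 47-day ceiling, so the host never holds material that outlives policy.
# On every re-render the command reloads the service, which is the
# step manual processes most often miss.
template {
  contents = <<-EOT
    {{- with pkiCert "pki_int/issue/web-server" "common_name=app.example.internal" "ttl=72h" -}}
    {{ .Cert }}
    {{ .CA }}
    {{ .Key }}
    {{- end -}}
  EOT
  destination = "/etc/app/tls/bundle.pem"   # cert, chain and key in one file
  perms       = "0600"                       # the file holds the private key
  command     = "systemctl reload haproxy"
}
```

The role's `max_ttl` on the PKI mount caps what any template may request, so a single server-side setting enforces the lifetime policy even if an application asks for more.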
At first glance, the upcoming 47-day certificate lifecycle requirement may appear to be a daunting challenge for large enterprises to meet. However, by adopting Vault PKI and taking advantage of its strong auth model, certificate automation capabilities, and extensive usage at scale by some of the largest organizations in the world, enterprises can address this new challenge with ease and renewed confidence.