The next identity frontier: Automating PKI and certificate management before the 47-day era arrives

December 18, 2025 Kevin Bocek

Product insights

Every organization operates on a foundation of identity. Whether it’s a person logging into an app, an API connecting to a service, or a container spinning up in the cloud, every interaction begins with authentication.

But here’s the shift most organizations are only starting to catch up to: machines now outnumber people by more than 80 to 1. These workloads and devices all depend on digital certificates to prove who they are. Those certificates are their identities.

When the system of identity for a machine breaks down, business grinds to a halt from system outages, and attackers have a new way in. And very soon, every business and government will face a new mandate that will challenge their ability to stay online. Starting in March 2026, Microsoft, Apple, and Google will enforce phased rules that require TLS certificate lifetimes to be cut to 47 days by 2029.

This is a third-party risk with a rapidly approaching deadline, and if you’re still manually orchestrating TLS certificates, you must automate today, not tomorrow. Otherwise, your teams will face 12x more certificate renewals—and your business will face 12x the risk of outages.

PKI and CLM are identity systems

Public key infrastructure (PKI) and certificate lifecycle management (CLM) are the backbone of machine identity security. And the question business leaders have to ask is—is my program fast enough, consistent enough, and automatic enough to keep up?

In the Buyers’ Guide for PKI and Certificate Lifecycle Management, Gartner® frames PKI and CLM as core components of modern identity and access management. While these systems used to sit in the background, they’re now essential to securing how every machine, workload, and service identifies itself.

The five-step framework recommended within the report reads like an identity maturity model for the machine world. It starts with defining objectives and use cases—like visibility, agility, and scale—and then transitions to automation, governance, and total cost of ownership.

The underlying message? PKI and CLM must operate like identity systems. And with an inescapable mandated shift to 47-day certificate lifetimes, teams need to apply new forms of automation so they can keep up with unprecedented levels of volume, variety, and velocity in TLS certificate management.

Necessary PKI and CLM capabilities include:

  • Centralized policy with control of decentralized execution, mirroring how human identities are governed across cloud and on-premises environments.
  • Automation as the default, because certificate lifespans will shrink consistently over the next three years.
  • Clear ownership and accountability, just like user identity lifecycles.

The identity principles that once applied to people—visibility, policy enforcement, and continuous verification—must now extend to machines at a scale never seen before.

Bringing the framework to life with CyberArk

With CyberArk Certificate Manager and Zero Touch PKI, organizations can turn the Gartner framework into action, automating every part of the machine identity lifecycle.

Certificate Manager delivers the visibility and control needed to manage short-lived public TLS certificates. It discovers every certificate across clouds and applications, assigns ownership, enforces policy, and automates renewals using agentless, ACME, and API-driven workflows. Security teams can gain continuous oversight and automated coverage without additional operational complexity.

Zero Touch PKI complements Certificate Manager by modernizing the enterprise root of trust. It replaces legacy Microsoft ADCS or on-premises CA infrastructure with modern SaaS-based speed and security that’s cryptographically strong, policy-driven, and ready for quantum-safe algorithms.

Together, these two solutions enable instant issuance, lifecycle automation, and hybrid cryptography—all without manual intervention.

Combined, these solutions also establish a modern identity foundation: centralized governance for every machine, continuous automation for every certificate, and crypto-agility for whatever comes next.

Why simply managing TLS certificates isn’t enough

What was once seen as “certificate management” has become a discipline of machine identity security. While many of us, of course, tried to manage lists of certificates with spreadsheets or reports in the past, we now have thousands of workloads, APIs, and containers that need to identify themselves, prove their authenticity, and renew that proof, just like a user resets a password or rotates a key.

The upcoming 47-day certificate era is forcing every organization to think differently about identity. It’s no longer enough to issue and forget or track certificates in a static spreadsheet. Machines must continuously renew their credentials, update algorithms, and maintain compliance at a cadence no human team can sustain.

For instance, let’s say a team manages 1,000 certificates manually. Under 398-day lifespans, that renewal workload takes 4,000 hours a year. With 47-day lifespans, that number jumps to an unsustainable 48,000 hours spent solely renewing TLS certificates.

Automation is the only way to maintain security, resilience, and audit readiness as renewal cycles accelerate twelvefold. Teams can’t choose between compliance and agility anymore; both depend on managing machine identities at scale.

What security leaders should do next

Start by understanding where your machine identities live and how quickly they’ll need to be renewed.

Run a 47-Day Certificate Readiness Scan with Certificate Manager to discover unmanaged certificates, model renewal volume, and identify automation gaps. Then, design your identity strategy with Certificate Manager and Zero Touch PKI at its core, ensuring every machine, app, and service can securely identify itself, renew automatically, and stay aligned to policy without human intervention.
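As an added example (not CyberArk's code, and not output from Certificate Manager), the following Python script models the procedure above and the workload arithmetic from the earlier 1,000-certificate example over a constructed inventory. It parses validity dates in the format printed by `openssl x509 -noout -startdate -enddate`, checks each certificate's lifetime against the phased maximum in force on its issuance date (the 200/100/47-day schedule from CA/Browser Forum ballot SC-081, which the post does not spell out), flags certificates still renewed by hand, and estimates the manual renewal hours. The hostnames, the 4-hour cost per manual renewal, and the renew-at-two-thirds-of-lifetime rule are assumptions introduced here.

```python
"""Added example (not CyberArk's code): a 47-day readiness scan over a
constructed certificate inventory, plus the renewal-workload model from the
post. Inventory records use the date format printed by
`openssl x509 -noout -startdate -enddate`."""
import csv
import io
from dataclasses import dataclass
from datetime import date, datetime

# Phased maximum validity for public TLS certificates, keyed by issuance date
# (CA/Browser Forum ballot SC-081; the post only states the 47-day end state).
VALIDITY_SCHEDULE = [
    (date(2029, 3, 15), 47),
    (date(2027, 3, 15), 100),
    (date(2026, 3, 15), 200),
]
LEGACY_MAX_DAYS = 398          # cap in force before March 15, 2026
TARGET_LIFETIME_DAYS = 47

# Modelling assumptions (not from the post): each manual renewal costs 4 hours,
# and a certificate is renewed once two thirds of its lifetime has elapsed.
HOURS_PER_MANUAL_RENEWAL = 4
RENEW_AT_FRACTION = 2 / 3
OPENSSL_DATE = "%b %d %H:%M:%S %Y GMT"

# Constructed sample inventory: host, notBefore, notAfter, renewal method.
# Single-digit days carry the double space OpenSSL prints.
SAMPLE_INVENTORY = """\
api.example.test,Jan 10 00:00:00 2025 GMT,Feb 12 23:59:59 2026 GMT,manual
www.example.test,Apr  1 00:00:00 2026 GMT,Oct 18 23:59:59 2026 GMT,acme
legacy.example.test,Apr  1 00:00:00 2026 GMT,May  4 23:59:59 2027 GMT,manual
mesh.example.test,Jun  1 00:00:00 2029 GMT,Jul 18 23:59:59 2029 GMT,api
"""


@dataclass
class CertRecord:
    host: str
    not_before: datetime
    not_after: datetime
    renewal: str  # "manual", "acme", "api", "agentless", ...

    @property
    def lifetime_days(self) -> int:
        # Whole days between the two timestamps (floor); a simplification of
        # the inclusive, second-level measurement the CA/B Forum uses.
        return (self.not_after - self.not_before).days


def parse_inventory(text: str) -> list[CertRecord]:
    """Parse CSV rows of host, notBefore, notAfter, renewal method."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        host, start, end, method = (field.strip() for field in row)
        records.append(CertRecord(host,
                                  datetime.strptime(start, OPENSSL_DATE),
                                  datetime.strptime(end, OPENSSL_DATE),
                                  method.lower()))
    return records


def max_validity_on(issued) -> int:
    """Maximum allowed lifetime (days) for a certificate issued on `issued`."""
    if isinstance(issued, str):
        issued = date.fromisoformat(issued)
    if isinstance(issued, datetime):
        issued = issued.date()
    for phase_start, max_days in VALIDITY_SCHEDULE:
        if issued >= phase_start:
            return max_days
    return LEGACY_MAX_DAYS


def renewals_per_year(lifetime_days: int) -> int:
    """Renewals per year when renewing at RENEW_AT_FRACTION of the lifetime."""
    return max(1, round(365 / (lifetime_days * RENEW_AT_FRACTION)))


def manual_renewal_hours(cert_count: int, lifetime_days: int) -> int:
    """Annual hours to renew `cert_count` certificates by hand."""
    return cert_count * renewals_per_year(lifetime_days) * HOURS_PER_MANUAL_RENEWAL


def scan_inventory(records: list[CertRecord]) -> dict:
    """Readiness findings: validity breaches, automation gaps, workload estimate."""
    over_limit = [r.host for r in records
                  if r.lifetime_days > max_validity_on(r.not_before)]
    gaps = [r.host for r in records if r.renewal == "manual"]
    hours_now = sum(manual_renewal_hours(1, r.lifetime_days)
                    for r in records if r.renewal == "manual")
    return {
        "certificates": len(records),
        "over_limit": over_limit,
        "automation_gaps": gaps,
        "manual_hours_now": hours_now,
        "manual_hours_at_47_days": manual_renewal_hours(len(gaps), TARGET_LIFETIME_DAYS),
    }


if __name__ == "__main__":
    for key, value in scan_inventory(parse_inventory(SAMPLE_INVENTORY)).items():
        print(f"{key}: {value}")
    print("1,000 manual certs at 398 days:", manual_renewal_hours(1000, 398), "h/yr")
    print("1,000 manual certs at 47 days: ", manual_renewal_hours(1000, 47), "h/yr")
```

Run as a script it prints the report for the constructed inventory and then the 4,000 and 48,000 hour figures from the post. The two-thirds renewal rule is what makes a 47-day certificate come out at about twelve renewals a year; a different lead time changes the multiplier, so treat the hours as a planning estimate, not a measurement. Feeding the scan a real inventory means exporting the same four fields from whichever discovery tool you use.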

Once you’ve achieved visibility, you’ll already be well on your way toward confidence, compliance, and crypto-agility in the 47-day era, where only CyberArk delivers the modern speed, connected integration, and trusted platform you need to succeed.

Gartner, “Buyers’ Guide for PKI and Certificate Life Cycle Management,” by Sarah Almond, 29 May 2025

Gartner is a trademark of Gartner, Inc., and/or its affiliates.
