A few months ago, I was on a call with a mid‑sized financial services firm. They had a solid security team and capable engineers. Nothing about the organization suggested risk or immaturity. During the conversation, I asked a simple question: how many TLS certificates are you managing?
The answer was roughly 180.
Then I asked how renewals were tracked. The response: spreadsheets, a shared drive, and calendar reminders.
It was concerning, but not surprising. Just six months earlier, I had the exact same conversation with a healthcare organization managing more than 300 certificates the same way. Despite the risk, this approach is far more common than most teams are comfortable admitting.
What’s changing now is scale.
The CA/Browser Forum has approved a progressive reduction in maximum TLS certificate lifetimes, culminating in a 47‑day limit by 2029, with significant reductions beginning as early as 2026. For teams that renew certificates annually today, this represents an eightfold increase in renewal activity per domain.
For that financial services client, 180 certificates quickly translate into more than 1,400 renewal events per year. With their existing process, this was not an operational problem waiting to happen. It was a structural failure already underway.
As we worked through the implications together, the initial instinct was predictable: add more process. Better spreadsheets. Tighter ownership. Escalation procedures. We challenged that assumption early. Process does not scale at this magnitude. No amount of procedural rigor can compensate for an eightfold increase in repetitive, time‑sensitive work.
Automation is not an optimization here. It is the only viable answer.
What we ultimately built, and have since deployed for several organizations facing the same challenge, is an Ansible‑based automation pipeline that manages the full certificate lifecycle end to end. Certificate signing request generation. Submission to the certificate authority. Deployment across a wide range of endpoints, including web servers, load balancers, and Kubernetes clusters. Post‑deployment validation to ensure certificates are live and correctly installed.
Event‑Driven Ansible plays a critical role. Instead of relying on humans to track expiration dates, the system continuously monitors live endpoints, local certificate stores, and Kubernetes secrets. When a certificate approaches its renewal threshold, the pipeline is triggered automatically. No manual checks. No calendar reminders. No late‑night surprises.
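The monitoring step described above reduces to one decision per certificate: has it crossed its renewal threshold or not? The following is an added example, not code from the author's Ansible pipeline, that shows that decision in plain Python using only the standard library. It takes a constructed inventory of endpoints with their `notAfter` dates (in the format `openssl x509 -noout -enddate` prints), classifies each as fine, due for renewal, or already expired, and emits the list of renewal events a rulebook would act on. The 47-day lifetime comes from the article; the renew-at-one-third-remaining policy, the endpoint names and the scan time are assumptions made for the example. It also carries through the article's arithmetic: 180 certificates moving from annual to 47-day lifetimes produce 1,440 renewal events a year.

```python
"""Renewal-threshold triage for a certificate inventory (added example, standard library only).

The inventory, timestamps and thresholds below are constructed for illustration.
"notAfter" strings use the format printed by `openssl x509 -noout -enddate`,
which ssl.cert_time_to_seconds() parses as UTC.
"""
import math
import ssl
from datetime import datetime, timezone

# The 47-day ceiling the article names as the 2029 CA/Browser Forum limit.
MAX_LIFETIME_DAYS = 47
# Assumption: a certificate is "due" once a third of its maximum lifetime remains
# (about 15.7 days at 47-day lifetimes), leaving room to retry a failed run.
RENEW_AT_REMAINING_FRACTION = 1 / 3

# Constructed "now" for the scan, so the example is reproducible offline.
SCAN_TIME = datetime(2026, 3, 10, 12, 0, tzinfo=timezone.utc)

# Constructed inventory, shaped like what a periodic endpoint scan might report.
INVENTORY = [
    {"endpoint": "www.example.test:443", "not_after": "Mar 20 12:00:00 2026 GMT"},
    {"endpoint": "api.example.test:443", "not_after": "Apr 25 09:30:00 2026 GMT"},
    {"endpoint": "lb-internal.example.test:8443", "not_after": "Feb 28 00:00:00 2026 GMT"},
]


def renewals_per_year(lifetime_days: int, days_per_year: int = 365) -> int:
    """Renewal events per certificate per year if every certificate uses its full lifetime."""
    return math.ceil(days_per_year / lifetime_days)


def annual_renewal_load(certificate_count: int, lifetime_days: int) -> int:
    """Total renewal events per year across an estate of certificates."""
    return certificate_count * renewals_per_year(lifetime_days)


def days_remaining(not_after: str, now: datetime) -> float:
    """Days until notAfter; negative once the certificate has expired."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - now).total_seconds() / 86400


def renewal_status(not_after: str, now: datetime,
                   lifetime_days: int = MAX_LIFETIME_DAYS,
                   fraction: float = RENEW_AT_REMAINING_FRACTION) -> str:
    """Classify one certificate as 'ok', 'renew' (threshold crossed) or 'expired'."""
    remaining = days_remaining(not_after, now)
    if remaining <= 0:
        return "expired"
    if remaining <= lifetime_days * fraction:
        return "renew"
    return "ok"


def triage(inventory: list, now: datetime) -> list:
    """Return the renewal events a rulebook would act on: everything not 'ok'.

    Each event carries the endpoint, status and remaining days so the renewal
    playbook can handle expired certificates before merely due ones.
    """
    events = []
    for item in inventory:
        status = renewal_status(item["not_after"], now)
        if status != "ok":
            events.append({
                "endpoint": item["endpoint"],
                "status": status,
                "days_remaining": round(days_remaining(item["not_after"], now), 1),
            })
    # Expired first (most negative days_remaining), then the ones closest to expiry.
    return sorted(events, key=lambda e: e["days_remaining"])


if __name__ == "__main__":
    print(f"180 certs, 365-day lifetime: {annual_renewal_load(180, 365)} renewals/year")
    print(f"180 certs, {MAX_LIFETIME_DAYS}-day lifetime: "
          f"{annual_renewal_load(180, MAX_LIFETIME_DAYS)} renewals/year")
    for event in triage(INVENTORY, SCAN_TIME):
        print(event)
```

In a real deployment the inventory would be populated from live TLS handshakes, local certificate stores and Kubernetes secrets rather than a hard-coded list, and the events returned by `triage` are what the rulebook would match on to launch the renewal playbook. Keeping the threshold as a fraction of the lifetime rather than a fixed day count means the same rule keeps working as the maximum lifetime steps down.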
Equally important were the less visible pieces. Integration with secrets management so private keys never leave their source systems. A complete audit trail suitable for compliance and security reviews. And a local test harness that allowed engineers to run the full lifecycle safely in their own environment before anything touched production. That last element matters more than most teams realize. Trust in automation comes from watching it work, repeatedly, in a controlled setting.
Three months after go‑live, something interesting happened. On‑call pages for expired certificates stopped entirely. The system did its job quietly in the background, which is exactly how critical infrastructure should behave.
The security team gained auditable evidence they could provide to regulators without manual effort. The platform team reclaimed hours previously lost to renewal toil. And when we compared the avoided manual effort against the cost of implementation, the payback period was under eight months, even before factoring in the cost of downtime or customer impact from an outage.
The broader takeaway is simple. Organizations should assess their certificate exposure now, before the 2026 reductions take effect. The solution itself is not complex, but implementing it properly takes time. Six to eight weeks is typical, and that timeline compresses dramatically once a mandate is already in force.
Teams that act early will barely notice the transition. Teams that wait until 47 days becomes the standard will find themselves scrambling to automate eight renewals per year per domain while still delivering on every other commitment on their roadmap.
The spreadsheet era of certificate management is ending. That outcome is already written into policy. The only remaining question is whether your organization gets ahead of it or reacts when the pressure arrives.
Anuj Tuli, Chief Technology Officer

Anuj specializes in developing and delivering vendor-agnostic solutions that avoid the “rip-and-replace” of existing IT investments. He has worked on Cloud Automation, DevOps, Cloud Readiness Assessments, and Migration projects for healthcare, banking, ISP, telecommunications, government and other sectors. He leads the development and management of Cloud Automation IP (intellectual property) and related professional services. During his career, he has held multiple roles in the Cloud, Automation, and DevOps domains. With certifications in AWS, VMware, HPE, BMC and ITIL, Anuj offers a hands-on perspective on these technologies. Like what you read? Follow Anuj on LinkedIn at https://www.linkedin.com/in/anujtuli/