Prediction 2: October 1, 2026, will be the day we hear about certificates breaking the internet

As early as the week of October 1, 2026, expect headlines about unexpected outages as the wave of 6-month SSL certificates issued in March begin to expire. While many Fortune 500 companies may weather the storm and avoid disruption thanks to the adoption of robust Certificate Lifecycle Management, the story will be different for smaller organizations and critical systems further down the chain. While organizations with skilled IT teams might resolve these issues within an hour, smaller businesses could have unknown recovery times. October 1 will be another wake-up call that shorter certificate lifespans demand proactive management or risk making the news for all the wrong reasons.  

Prediction 3: 2026 will be the year of action on post-quantum cryptography (PQC)

2024 was the year the industry woke up to PQC with NIST finalizing the foundational standards, and PQC protection began to quietly roll out across major platforms like Apple iMessage, Cloudflare and Google Chrome. In 2025, enterprises had to begin getting wise to PQC. Facing twin deadlines for PQC migration and shorter certificate lifespans, 90% of organizations allocated budgets and recognized the monumental task ahead: assessing and building cryptographic inventories. 2026 will be the year of execution. With budgets set and the first major certificate lifespan deadline hitting in March, enterprises will pivot from planning to actively implementing cryptographic discovery, pilot PQC rollouts, and the full automation required for crypto-agility. 

Prediction 4: MSPs will play a critical role in keeping businesses below the Fortune 500 secure and operational when it comes to certificate management

With organizations looking to consolidate vendors, MSPs will emerge as the single point of contact, integrating certificate lifecycle management with broader security and risk solutions. Instead of juggling multiple vendors for different pieces of the puzzle, businesses will turn to MSPs to be their strategic partner ensuring continuity and compliance in an increasingly fragmented security landscape. With the proliferation of certificates, along with short certificate maximum term validity, certificate lifecycle management will prove to be a rapidly emerging revenue opportunity for MSPs.

Prediction 5: In 2026, PQC standards will reach maturity

By the end of 2026, we should expect to see formal definitions for PQC versions of all major certificate types. Standards bodies like IETF and the CA/Browser Forum are moving through standardization processes, and SSL/TLS server certificates will be one of the most critical (and controversial) focus areas. Anywhere there’s a TLS handshake, PQC will start appearing, making quantum-safe key exchange the first practical step toward readiness. Traditional PKI architectures struggle with PQC’s large key sizes which has led to the proposal of a new PKI architectures such as  “photosynthesis” led by Google and Cloudflare, which looks to reshape certificate morphology and introduce blockchain-based storage models. 

Prediction 6: AI becomes a practical tool in certificate management

2026 will see AI emerge in adjacent areas of Certificate Lifecycle Management. We can expect AI-powered tools that help organizations locate rogue certificates, predict renewal needs, and streamline compliance. These efficiencies will become critical as certificate volumes grow and lifespans shrink. 

Prediction 7: In 2026, one question will be: “Is this AI model signed and trustworthy?”

The proliferation of Small Language Models (SLMs) running at the edge will force the need to begin model signing in order to secure the integrity of AI components. Think of it as taking the concept of code signing to ensure no one is tampering with code and applying it to a different environment, in this case SLMs. This will dramatically expand the use cases for Certificate Lifecycle Management beyond traditional web infrastructure, making it the central engine for managing digital trust in AI models and ultimately accelerating the adoption of PKI-backed digital identity as a mandatory requirement. 

Prediction 8: Consolidation of security vendors continues

With certificate lifecycles shortening, PQC migration looming, and automation becoming essential, organizations are looking for fewer vendors that can deliver end-to-end identity and trust services. Expect more mergers and acquisitions among PKI, CLM, and broader cybersecurity providers as they race to offer unified platforms and simplify procurement for overstretched IT teams. The consolidation of the solution set and partnerships will be key. 

Prediction 9: Passkeys will surge, but not without missteps

PKI-based passkeys are gaining momentum as governments and tech leaders push for passwordless authentication. Expect broader adoption of WebAuthn and FIDO standards in 2026, especially in business-to-consumer scenarios where mass authentication is critical. However, challenges remain. While passkeys work well for decentralized consumer use cases, in enterprise environments they collide with governance needs. For example: deprecating credentials when employees leave. Without mature lifecycle controls, organizations may implement passkeys in improper contexts, creating new security and operational headaches.  

Related posts:

Root Causes 552: 2026 Predictions

200 days until 200 days: Everything you need to know about the first stepdown in maximum certificate lifespan validity

Why we should start code signing LLM models

Despite such impressive ROI results, many organizations still lag behind in their SSL/TLS certificate management strategy. Data analyzed by research and advisory group Omdia shows that just 53% of organizations use automation for certificate renewals, and a mere 33% use automation for deployment. This limited adoption poses serious risks as quantum computing approaches and certificate validity periods will soon shrink to 47 days.

Fortunately, awareness is growing. Many teams are discovering that implementing certificate lifecycle management (CLM) automation is easier than they expected. A growing 90% of organizations now see overlap between post-quantum cryptography (PQC) readiness and the steps needed for short certificate lifespans, and automation is the fastest way to close that gap.

Is SSL automation really as big of a lift as it seems?

Skeptics often feel overwhelmed about the transition to SSL certificate automation. Many overestimate the technical lift because they assume automation requires entirely replacing legacy systems or overhauling existing workflows, when in reality, today’s platforms are designed to integrate with existing tools. In many cases, automation platforms can even augment existing solutions such as Microsoft Active Directory Certificate Services (AD CS), enhancing scalability and visibility without disrupting established environments.

Beyond technical concerns, some organizations question whether automation delivers enough ROI to justify the effort. Others worry about the time and resources needed for planning, testing, and deployment, especially when teams are already stretched thin. As a result, sticking with familiar manual methods for certificate issuance and renewal can feel safer, even if less efficient.

That hesitation comes at a cost. Manual management strategies increase both administrative overhead and the likelihood of outages, risks that will only intensify as certificate validity periods continue to shorten. By 2029, validity periods will span just 47 days, calling for a nearly-monthly cadence that will be virtually impossible to achieve under a strictly manual approach.

Although awareness of these challenges is growing, many organizations still rely on manual or semi-manual workflows that only automate part of the process. This partial approach can create a false sense of security, leaving gaps in visibility and control that ultimately lead to the very disruptions teams hope to avoid.

What is the real cost of manual certificate management?

Manual digital certificate management may seem efficient enough, but it’s far more costly than most teams realize. Labor alone drives up the cost: Forrester's TEI study highlights a 25% drop in labor expenses upon streamlining renewals via automation and a 30% drop from optimized provisioning.

Beyond labor, downtime adds dramatically to the expense. Certificate outages cost between $5,600 and $9,000 per minute, with losses quickly compounding due to reputational damage. These outages often stem from manual errors and will only become more frequent as certificate renewals occur at a faster pace.

Automation prevents outages and dramatically reduces risks. Forrester's TEI demonstrates considerable savings in response to reduced outage costs: a net present value of nearly $2.4 million in savings across three years.

Why CLM automation isn’t as time-consuming or expensive as people think

Automated CLM adoption does call for some upfront effort, but this shouldn't stand in the way of long-term savings. Not only could this drive millions in savings via streamlined provisioning (and outage prevention), implementation is often far easier than expected.

Omdia's report suggests that companies overestimate adoption costs and complexity. These misconceptions can prevent businesses from adopting the very solutions that could prompt significant savings.

User-friendly templates, prebuilt workflows, and integrations with leading ITSM and cloud platforms simplify deployment, allowing teams to maintain control without deep, time-consuming reconfiguration. Phased adoptions limit disruptions while expediting time-to-value and enhancing the overall ROI of automation.

Simply put, CLM automation isn't the drawn-out overhaul many expect. Modern platforms, like Sectigo Certificate Manager (SCM), are designed for quick deployment, often integrating with existing systems within a few months. With guided onboarding and scalable rollout options, organizations can see meaningful results fast without burdening IT teams or budgets.

What does simple SSL automation really look like?

Although SSL automation is often viewed as complex, modern solutions have made implementation far simpler than most expect. Prebuilt integrations, standardized protocols like ACME, and guided onboarding now allow organizations to automate certificate management without disrupting existing systems.

Sectigo Certificate Manager demonstrates how straightforward automation can be. It handles each stage of the digital certificate lifecycle within a single platform that’s fast to deploy. SCM makes large-scale automation accessible, even for enterprises operating within complex hybrid infrastructures.

Core capabilities

Sectigo's automated CLM platform operates from a single pane of glass. This simplifies certificate management, offering centralized visibility via a single, easy-to-access dashboard. This unified view promotes strong oversight of every certificate through every phase of the certificate lifecycle.

Pre-handled validations further streamline the process so that certificates can be issued promptly and to scale. Direct, device-level deployment eliminates time-consuming copy-and-paste functions.

Fast, flexible setup

Built for interoperability, SCM supports modern integration standards such as APIs and the Automatic Certificate Management Environment (ACME) protocol, enabling seamless deployment across diverse infrastructures.

Once configured, SCM delivers true set-it-and-forget-it functionality, with certificates automatically discovered, issued, and renewed. Built-in monitoring strengthens visibility, while automated policy enforcement promotes compliance without manual intervention.

Guidance from industry leaders

As the move towards shorter SSL certificate lifespans starts, organizations benefit most when they follow guidance from industry leaders. Clear direction and a structured roadmap remove uncertainty and help teams avoid common pitfalls when implementing automation.

Sectigo’s 47 Day Toolkit provides step by step guidance that supports this approach. It helps organizations modernize their certificate management processes, adopt automation, and reach true 47 day readiness.

The toolkit outlines the practical tasks needed to transition from manual tracking to fully automated certificate workflows, including discovery, technology inventory, automation mapping, rollout planning, and achieving crypto agility. With expert insights and a proven framework, the toolkit helps teams reduce risk, streamline operations, and adapt to upcoming accelerated certificate timelines.

Avoiding common automation missteps

CLM automation can drive significant savings, but automation missteps can compromise an otherwise promising ROI. These challenges often stem from a lack of understanding surrounding exactly what automation involves. Some teams confuse it with centralized key management or request-only workflows, while others assume IT service management tools already handle certificate lifecycle management.

This limited view prevents organizations from fully leveraging the advantages of automated certificate management. By only addressing narrow lifecycle components, businesses risk suffering gaps in deployment or policy enforcement, thereby prompting the very bottlenecks and outages that truly automated CLM seeks to avoid.

An effective strategy is to start small: build automation into core renewal processes first, validate performance, and then expand across broader infrastructure.

How long does it take to implement SSL automation?

With strong support and a phased approach, automated CLM adoption can be completed in just a few months. If action is taken soon, this means the platform could be fully deployed before the first SSL validity period reduction takes place. The transition begins on March 15, 2026, when certificate lifespans will shorten to 200 days, followed by further reductions to 100 days in 2027, and 47 days by 2029.

A typical implementation timeline includes the following milestones:

• Evaluation: Assess current certificate inventories and examine current processes to confirm automation readiness.
• Decision/Procurement: Select an automated CLM platform that reflects organization-specific needs. Prioritize scalable solutions that offer centralized visibility.
• Deployment: Configure the CLM platform and integrate it with existing IT systems or infrastructure. Plan a phased deployment, beginning with high-priority certificates.
• Completed Deployment: Extend automation across the full infrastructure. Confirm policy enforcement and monitor for performance and compliance.
• 200-day Validity Change on March 15, 2026: At this point, the CLM platform should be fully deployed and IT teams should be ready for the shift to 200-day validity periods.

The bigger picture: crypto agility and PQC readiness

Automation is a crucial piece to the foundation of crypto agility, the ability to rapidly adapt to emerging algorithms and cryptographic standards. This agility is essential for achieving post-quantum cryptography readiness. As quantum-resistant algorithms are standardized, automated CLM will allow enterprises to deploy them quickly and consistently across their environments.

Omdia insights suggest that quantum-readiness remains a future milestone (and not a present reality) for most organizations. Those that implement automation now will be better positioned to transition smoothly to PQC, gaining a long-term advantage while reducing current operational risk.

Sectigo leads in simple, scalable SSL automation

Sectigo Certificate Manager proves that achieving full SSL certificate automation is not a major lift. Designed for fast deployment and seamless integration, SCM helps organizations automate certificate management with minimal disruption to existing systems.

Backed by insights from Forrester and Omdia, SCM delivers measurable results: lower labor costs, reduced outage risk, and faster readiness for evolving standards like PQC and 47-day certificate lifespans.

Use the 47-Day ROI Calculator to discover the financial benefits of automation. Schedule a demo or free trial to see SCM in action.

Related posts:

The hidden multi-million-dollar cost of certificate outages and why it’s about to get worse

Stages of the Certificate Lifecycle Explained in Simple Terms

Seven common automation missteps that put your SSL/TLS certificates at risk

Digital certificates secure websites and devices, offering a foundation of trust that empowers organizations across numerous industries. These certificates are especially crucial for state and local government (SLG) agencies and education institutions, collectively referred to as SLED, which rely on stringent security measures to safeguard sensitive data and inspire public trust.

Through Secure Socket Layer (SSL) / Transport Layer Security (TLS) certificates, agencies and institutions can enhance student access, citizen services, and internal operations. These certificates offer protection via encryption and authentication. This limits the potential for data breaches and other cyberattacks.

However, manual methods of managing digital certificates, including spreadsheets, Outlook calendars, and siloed tools, are no longer sustainable. Many government and education organizations already struggle with growing certificate volumes and increasing complexity across sprawling digital environments.

This challenge will soon intensify: By March 15, 2029, under CA/Browser Forum rules, the maximum lifespan for public SSL/TLS certificates will become 47 days. This shift will dramatically increase the frequency of certificate renewals, placing unsustainable strain on manual management practices.

Certificate automation is now a necessity. It is the only practical, scalable path for government and education agencies to ensure uptime, maintain compliance, and support digital modernization as the SSL landscape evolves.

What unique digital certificate challenges do government agencies and education organizations face?

Government and educational institutions share many cybersecurity and digital certificate challenges with commercial enterprises: securing digital communication and maintaining trust amid constant threats and complex networks. But within state, local, and education environments, these challenges are intensified by limited IT resources and expanding digital ecosystems.

As more devices, applications, and internal services depend on digital certificates, visibility and control become increasingly difficult. Many of these organizations still rely on manual or outdated systems without centralized management. As a result, digital certificates often go unnoticed until they expire. Expired certificates disrupt critical systems and services, ultimately compromising trust among citizens and students and prompting long-term reputational damage.

Legacy systems and limited visibility

Many public sector organizations rely on outdated or fragmented infrastructure that wasn’t built to handle today’s certificate demands. Manual deployment and renewal processes make it difficult to maintain visibility across systems, increasing the risk of expirations. Decentralized management across agencies or campuses adds to the problem, creating blind spots and inconsistent tracking. Without a unified inventory, certificates can go unnoticed until they cause outages that disrupt essential public or educational services.

Manual management and staffing gaps

Tracking certificates through manual processes like spreadsheets or email reminders is error-prone and time-consuming. In small IT departments, these manual certificate renewal tasks can easily fall through the cracks, leading to expired certificates that can take down learning management systems (LMS), student information systems (SIS), tax platforms, or other public portals. Overburdened staff simply can’t keep pace with the growing volume of certificates across expanding digital environments.

Compliance and audit pressures

Government and educational institutions must;comply with strict regulations such as FERPA, which protects student privacy; HIPAA, which governs the security of health data; and federal frameworks like FedRAMP and NIST, which help establish cybersecurity and risk management standards for government systems. Manual processes make it nearly impossible to demonstrate continuous compliance or maintain audit readiness. When documentation is incomplete or inaccurate, organizations risk penalties, loss of funding, and reputational harm.

Outdated certificate tools

Many state and local government agencies previously adopted solutions such as Microsoft Active Directory Certificate Services (AD CS) for certificate lifecycle management. While these tools were once effective, they now struggle to support hybrid or cloud environments. AD CS lacks automation, flexibility, and integration capabilities, which forces IT teams to spend valuable time managing certificates manually and increases the likelihood of configuration errors.

Budget and resource constraints

Government and educational websites are frequently underfunded, and many users have come to expect occasional issues caused by outdated IT systems. Limited budgets prevent agencies and institutions from investing in modern technologies like automated certificate lifecycle management (CLM) tools. Concerns about upfront costs frequently delay upgrades, even though the expense of outages, downtime, and breach response often exceeds the investment required for automation. If these organizations fail to recognize the ROI of automated solutions, they remain locked in a reactive cycle that drains resources and exposes them to unnecessary risk.

Why 47-day SSL lifecycles are a turning point for state, local, and education institutions

Manual CLM systems are already outdated, but existing challenges will become compliance, trust, and financial problems as SSL certificates shift to 47-day lifecycles by 2029. The CA/Browser Forum’s phased reductions will first cut maximum certificate validity to 200 days in 2026, then 100 days in 2027, before reaching 47 days by 2029.

This level of frequency makes manual SSL certificate tracking unscalable, particularly for government agencies and higher education systems that manage hundreds or thousands of certificates. These environments cannot afford downtime; even brief outages can impact public trust, disrupt education systems, or compromise citizen services.

For state, local, and education leaders, the 47-day lifecycle marks more than a technical adjustment; it represents an operational inflection point. Frequent renewals demand coordination across agencies, districts, and campuses that often lack unified oversight. To maintain compliance and continuity, these institutions will need to align policy, process, and technology to ensure every certificate, whether public or private, remains visible, valid, and up-to-date.

How automated CLM simplifies certificate management for SLED institutions

Promising centralized visibility along with streamlined issuance and renewals, automated certificate lifecycle management can provide a critical resource for navigating the transition to 47-day SSL certificate validity periods. These solutions offer centralized visibility across all public and private certificates and automate key processes such as discovery, renewal, deployment, provisioning, and revocation.

Automated CLM solutions, like Sectigo Certificate Manager (SCM), also offer integrations relevant to the needs of state, local, and educational institutions. For example, SCM can augment AD CS by layering automation, policy enforcement, and advanced reporting on top of existing Microsoft deployments. This approach extends the life of previous AD CS investments while reducing manual effort and operational risk with automation. In addition, SCM integrates with tools like Microsoft Intune to simplify mobile and endpoint certificate management and supports Linux, cloud-native, and hybrid environments.

In practice, these capabilities translate into stronger uptime, simplified compliance, and better use of limited IT resources.

Operational continuity

For state, local, and educational institutions, even a single expired certificate can interrupt critical services such as citizen portals, Wi-Fi networks, and online learning platforms. Automated certificate lifecycle management eliminates these risks by renewing certificates before they expire and maintaining uptime across distributed systems. With continuous availability, students and citizens experience reliable access, driving greater trust in agencies and institutions.

Compliance confidence

CLM solutions automate not only certificate renewals, but also, logs and audit trails. This improves transparency surrounding certificate activity, creating a clear audit trail that supports compliance with a wide range of agency and institution-relevant requirements, including FERPA, FedRAMP, HIPAA, and NIST.

Cost efficiency

Automated CLM delivers a strong ROI, enabled not only by dramatic reductions in downtime, but also, by limiting the staff burden created by manual certificate management. According to Forrester’s TEI study commissioned by Sectigo, organizations achieved an average 243% return on investment from using Sectigo Certificate Manager.

With automation in place, small IT teams can shift their focus to other critical tasks, including modernization efforts or even initiatives to implement Zero Trust architectures. Scalable CLM solutions can be utilized across campus and agency environments, promoting broad adoption and widespread improvements in efficiency.

Use cases for certificate automation in state, local, and education organizations

Certificate automation supports public agencies and educational institutions in their efforts to manage digital identities and secure digital communications across diverse environments. Automated CLM helps state, local, and education organizations enforce consistent certificate practices at scale.

Use cases include:

• Wi-Fi authentication: PKI-backed certificates enable secure, password-free network access for students, faculty, and staff. CLM solutions simplify onboarding and reduce the risk of unauthorized access by issuing certificates directly to approved devices.
• MDM & BYOD enrollment: College campuses (and many government agencies) function as BYOD (bring your own device) environments, in which students and employees enjoy the flexibility of connecting laptops or smartphones to secure institutional networks. Automated CLM streamlines certificate provisioning for smartphones, Chromebooks, tablets, and laptops, enabling secure connections across institution-managed MDM platforms.
• Portal & app security: Web portals, LMS, SIS, and mobile applications are prime targets for interception and misuse, but automated CLM alleviates these concerns by ensuring that all certificates are properly issued and renewed, thereby ensuring that communications remain encrypted.
• Internal services: Many essential backend systems rely on valid certificates for secure operation. CLM solutions limit service interruptions so that internal data transfers and communications remain reliable.
• AD CS replacement: Organizations aiming to augment or replace AD CS can ease this transition via automated CLM, even enabling phased migration so that organizations can adopt centrally managed solutions without experiencing significant disruptions.
• DevOps & cloud: Supporting operational frameworks such as GitOps, along with broad DevOps containers and Microservices, automated CLM supports continuous integration and continuous delivery (CI/CD), ensuring the automatic issuance and renewals of certificates within development pipelines.
• Compliance auditing: Automated CLM solutions produce comprehensive reports that confirm strict adherence to NIST, FERPA, and other relevant standards. This helps agencies and institutions consistently remain audit-ready.
• Unified trust: Supporting public and private certificate management under a unified framework, automated CLM ensures centralized oversight and consistent policy enforcement.

Real-world examples

Many government agencies and educational institutions have successfully made the shift to automated certificate management. At Sectigo, we're pleased to share multiple success stories involving public institutions that trusted in our services:

• University of Colorado Boulder: As an early SCM adopter, the University of Colorado Boulder implemented one of Sectigo's initial automated solutions to manage over 2,800 digital certificates. Since then, the university has enhanced its overall visibility and protection via centralized dashboards and automated email alerts.
• Rijkswaterstaat: A Netherlands infrastructure agency known as Rijkswaterstaat turned to streamline once-cumbersome certificate issuance processes. Following SCM implementation, provisioning times were reduced from three weeks to a mere two hours. SCM adoption also resulted in fewer certificate errors and improved reliability, increasing confidence in critical infrastructure systems.

Building a path forward for certificate automation

Ease the transition to 47-day digital certificates by adopting automated solutions that expedite the entire digital certificate lifecycle. A phased approach can help minimize disruptions, allowing state, local, and education organizations to integrate automation step-by-step while building internal confidence.

To guide that transition, Sectigo’s 47-Day Survival Guide outlines five key steps for achieving scalable automation:

1. Awareness and discovery: Identify every certificate in use and ensure leadership understands how shorter lifecycles will affect operations. Full visibility prevents surprises and establishes accountability.
2. Vendor technology inventory: Document the systems and applications that depend on SSL/TLS certificates, including learning platforms, Wi-Fi authentication, and citizen portals. This helps prioritize automation based on importance.
3. Automation mapping: Source a list of ACME clients for SSL/TLS certificate automation, and map the available automation to the technology inventory you created in step 2. 
4. Rollout plan: Introduce automation in stages with clear timelines, milestones, and responsibilities for each phase.
5. Crypto agility: Once automation is in place, establish policies and oversight to ensure long-term adaptability. A Cryptographic Center of Excellence can help standardize practices and keep crypto agility a top priority across all departments.

Training should also be an ongoing priority. Ensure that staff not only recognize the value of automation but also understand how to implement and oversee it effectively. By training teams to manage automation workflows, rather than chasing manual renewals, institutions can amplify cyber resilience and align security goals with operational realities.

Preparing organizations for the 47-day SSL certificate era

Amid shrinking certificate lifespans, government agencies and educational institutions can no longer rely on legacy systems and manual certificate management. As digital certificate volumes increase, automation becomes non-negotiable.

Sectigo offers a viable path to automation and improved security posture via Sectigo Certificate Manager, which promotes continuity, compliance, and resource optimization. Learn how Sectigo can support state, local, and educational environments, and take the next step towards achieving streamlined and secure certificate management.

Related posts:

SSL certificate expired? Here’s what happens and how to renew it

How to avoid SSL outages and renew certificates

Why businesses need a Crypto Center of Excellence (CryptoCOE)

As discussed in a recent episode of the Root Causes Podcast, within the world of IT, and more specifically, the landscape of Public Key Infrastructure (PKI), there are major changes rapidly evolving. This evolution is presenting organizations with not two, but three concurrent, major birds or rather, crises.

The good news? The solution to all of them is the same stone. It’s not just about managing certificates; it’s about achieving unified, cross-organizational Certificate Lifecycle Management (CLM), powered by true automation.

Here are the three PKI challenges: the "three birds" that are about to hit your enterprise simultaneously, and how a single, coordinated project can address them all.

Bird 1: The march to 47 days

The industry is moving quickly toward shorter certificate lifespans. This march towards 47-day certificates is forcing organizations to adopt a monthly renewal cadence of certificates before the March 2029 deadline. This means 12x more renewals, and 12x more risk of outages and downtime.

For organizations relying on manual spreadsheets, internal ticketing, and ad-hoc processes, this change is not an inconvenience, it’s an extinction event. “The old methods will become decreasingly tenable and eventually break entirely” according to Tim Callan on this Root Causes podcast episode. If your team struggles to renew a certificate annually, imagine doing it every 47 days.

The first step for survival: You must know exactly what you have in production, where they are, and who is responsible for them. This starts with Discovery.

Bird 2: The security mandate of Post-Quantum Cryptography (PQC) readiness

The race to secure systems against future quantum attacks is underway. For security architects, preparing for PQC is a massive undertaking, but the initial phase is identical to preparing for the 47-day mandate.

What is the first step in preparing for post-quantum cryptography? Inventory.

You must locate all cryptographic assets, understand their use cases, and determine their priority for migration. While PQC affects more than just TLS server certificates, these form the "lion’s share" of the immediate workload. This mandate ensures there is already a massive overlap with the operational challenge of shortening lifespans.

Bird 3: The deprecation deadline of the end of mutual TLS (mTLS)

This is the newest, and perhaps most overlooked, bird. The industry has announced the definitive deprecation of client authentication certificates used for Mutual TLS.

This deadline is hard: June 15, 2026.

Large enterprises may not even know where they are currently using a server certificate for client authentication. This mandate forces another immediate, large-scale search across the IT environment to identify and replace these certificates.

Again, the necessary homework is the same: Can you tell, right now, the precise numbers of your TLS server certificates versus your client authentication certificates? For most, the answer is "no."

The stone: Unifying siloed efforts with automation

Historically, these problems are managed in silos. A security architect reports to the CISO about PQC threats, while an operations manager reports to the CIO about the 47-day mandate. The work is incredibly duplicative, potentially leading to wasted resources, crossed purposes, and multiple, competing tool evaluations.

The "one stone" that kills all these birds is unified Certificate Lifecycle Management (CLM) powered by automation.

CLM provides the essential visibility arc that stretches across the organization, giving a single, centralized view of every certificate, regardless of type, vendor, or location. By treating the three mandates as one single, coordinated project, organizations can:

1. Build a single inventory: Eliminate redundant discovery efforts.
2. Automate renewal: Implement a system that can handle monthly renewals for 47-day certs without human intervention.
3. Achieve agility: Gain the ability to rapidly identify, migrate, and replace assets, whether due to PQC, mTLS deprecation, or a revocation event.

Elevate the conversation

For this unified approach to succeed, ownership must be elevated. Leaving this work to the "people who are in the trenches" (the Linux admins or IT directors) will result in a failure to see the full picture.

This convergence of deadlines is a risk problem, not just an operational one. It requires attention from the CTO, CEO, or Head of Product: someone with scope over both the security and operational teams.

If your enterprise has not yet begun a single, coordinated project focused on complete certificate visibility and automation, now is the time to start. The deadlines are real, they are converging, and the penalty for inaction is an exponential increase in operational and security risk.

Conclusion

Sectigo is here to help. Our goal within the industry is to educate and inform people about these drastic industry changes. As a reputable CA and a CLM provider, we develop resources to help you through these monumental shifts.

Our 47-Day Toolkit is a first step in starting the discussion in your organization about automation ahead of the first deadline of March 2026 to just 200 days. Looking for more? Reach out to us today and we’d be happy to point you in the right direction.

Related posts:

The benefits of automating certificate management for the 47-day lifecycle

What is crypto-agility and how can organizations achieve it?

In one of our latest Root Causes Toronto Sessions podcasts, Tim and I explored a topic that’s been quietly brewing beneath the surface: model signing. As artificial intelligence becomes more embedded in our everyday devices, from smartphones to IoT sensors, we’re seeing a shift from large, cloud-based language models to small and even nano language models running offline at the edge.

These models are efficient, specific, and increasingly powerful. But here’s the question: Do you know if the model running on your device is the one you intended?

The hidden risk beneath the waterline

Think of AI as an iceberg. The flashy, cloud-based LLMs are the tip, visible and well-known. But the bulk of AI’s future lies below the waterline: small language models embedded in devices, often at the point of manufacture. These models are static, contain statistical weights, and are rarely, if ever, signed.

That’s a problem.

If we’re not signing these models, we’re leaving the door open to manipulation, malicious or accidental. And unlike traditional code, models are barely deterministic by nature, making tampering harder to detect and potentially more dangerous.

Why model signing matters

We already know the risks of unsigned firmware. Now imagine those risks applied to AI models that influence decisions, automate tasks, and interact with sensitive data. The implications are staggering.

So I ask you:

• Are your edge devices running trusted models?
• Do you have a mechanism to verify model integrity?
• Is your organization prepared for the “Wild West” of model deployment?

Because right now, there’s no consortium, no rules, no infrastructure. There’s not even a shared vocabulary for model signing. It’s time we start building one.

This isn’t just about technology. It’s about trust. As AI becomes more pervasive, model signing must become a standard practice, just like code signing did years ago. The thing here, though, is that we’re not just signing code anymore, we’d be signing the machines that think.

The machines are thinking and it’s time we start signing them. This is only the beginning of the conversation. And at Sectigo, we’re committed to leading it. Stay tuned for more on this topic.

Sectigo has successfully completed the largest and most technically sophisticated migration of public certificate infrastructure in industry history. More than half a million certificates – spanning SSL/TLS, S/MIME, and code signing – have been transitioned from Entrust Certificate Services to Sectigo Certificate Manager (SCM). But this wasn’t just a migration, it was a milestone rooted in trust, driven by strategy and executed with precision.

Engineering the future of digital trust 

We know that trust isn’t just built on technology and innovation, it’s built on integrity and transparency.

That belief shaped every decision we made throughout the migration. From the beginning, our customer-first mindset ensured our every decision reflected our commitment to long-term customer success.

That’s why we gave Entrust customers early access to SCM, allowing them to explore the platform without disrupting their production environments. It was the test drive before the journey began and a tangible example of how we turned principle into practice.

We also recognized that no two migrations would be alike. So, we took the time to understand each customer’s requirements and empowered them to migrate on their own timeline, giving them full control over their transition. This wasn’t a one-size-fits-all approach; it was a tailored experience designed to meet each organization’s unique needs. Whether customers chose our guided migration workflows, utilized our free professional services/support, or leveraged our simple migration developed in partnership with Entrust, every path was designed to minimize disruption and maximize control.

Behind the scenes, our engineering teams built a powerful, automated migration framework that included:

• In-app, guided migration workflows for every customer and partner
• Extensive pre-validation automation to eliminate issuance delays
• Real-time user provisioning and certificate inventory synchronization
• Custom feature parity work to ensure continuity and control
• Seamless partner migration into our new Sectigo Partner Platform

These innovations weren’t simply created to move certificates from point A to point B. They were about unlocking new possibilities for transitioning customers and partners. With shrinking certificate lifespans and the looming impact of post-quantum cryptography (PQC), organizations need the right tools. They need agility. They need foresight. Sectigo Certificate Manager delivers all three… and more.

A new standard for digital trust transitions

The migration set a new benchmark for scale, speed and precision in our industry. It was made possible by the extraordinary work of our engineers, developers, sales and support teams, each of whom played an important role in keeping customers confident throughout the process.

This milestone wouldn’t have been possible without the close collaboration between Sectigo and Entrust’s engineering teams. Both teams played a critical role in ensuring a smooth and coordinated transition. We’re grateful for the Entrust partnership and proud of what we accomplished together. We extend our sincere thanks.

At Sectigo, we continue to push the boundaries of what’s possible—and redefine what digital trust looks like. Former Entrust public certificate customers and partners now have access to a cloud-native, CA-agnostic CLM platform that automates every aspect of certificate management.

This migration was more than an incredible engineering feat and technical achievement, it was a promise kept. And it’s just the beginning.

Forty-seven days. That is all the time you will have before your business risks going dark because of a single expired certificate.

This is not hypothetical. Outages are already happening at some of the world’s largest companies; retailers losing millions during holiday sales, global websites getting knocked offline, and critical infrastructure failing without warning. The pattern is the same every time: not enough automation, not enough executive urgency, and leadership that assumed “the admins have it covered.”

They do not. They cannot. And they should not be asked to.

Certificate lifespans are shrinking, crypto deadlines like the 2030 RSA 2048 deprecation are looming, quantum is around the corner, and the operational burden has shifted from a yearly nuisance to an unrelenting cycle of risk. PKI administrators already know this. The failure is not theirs, it is leadership’s.

About me: I have seen what happens without automation

I have spent years in enterprise PKI and the MSP world, managing certificates for hundreds of clients. I know what “manual” really looks like: late-night CSR generation, copying certificates across different systems, scrambling to update configs, double-checking guides, and hoping nothing breaks. It was always slow, always error-prone, and always thankless.

When I came to Sectigo, it was like discovering fire. Suddenly, certificates could be issued, deployed, and monitored directly from one interface; no more manual CSRs, no more brittle scripts, no more “hope and pray” renewals.

The difference; true end-to-end automation. This is why I push so hard for organizations to act now. Because I have seen what happens when they do not.

Lessons from the field

The holiday outage: when freeze meets expiry

I watched this one unfold. A global retailer entered peak holiday season under a change freeze. Smart strategy; until certificates expired. With no way to deploy new ones, critical websites began going dark. Leadership had to watch helplessly as revenue leaked away in real time, all because manual renewals collided with change management.

The CA distrust: agility or chaos

Before joining Sectigo, I lived through the Symantec distrust event. At Sectigo I witnessed the Entrust Distrust. Practically overnight, customers had to replace every certificate tied to distrusted roots. For organizations without a certificate lifecycle management (CLM), it was chaos: manual replacements at scale, endless revalidations, and furious customers. Mistakes were made and sites went down. With crypto agility and CA agility, it could have been a controlled process. Instead, it was a fire drill on a global stage.

False automation = false confidence

I have seen this story too many times. A large security vendor purchased a well-known CLM solution. Their director of infrastructure assumed certificates were automated. In reality, it was still a fully manual process. Their CLM solution was acting as a fancy notification system. They never bothered to check the certs were automated. When a certificate finally expired, it caused a major outage. They had the “automation tool” on paper, but because it was not truly end-to-end automation, it was nothing more than a false sense of security.

The takeaway from these: outages are not caused by admins. They are caused by executives who fail to equip admins with real automation and then assume the problem is solved.

Why manual processes break at 47 days

Here is the truth: executives often assume “certificates are handled.”

This is what a certificate request looks like without automation:

1. Generate the key pair – Admins manually create the private key and CSR, wrestling with OpenSSL or GUIs, filling out organization details, and hoping every field is right.
2. Submit to the CA – Then they wait. Hours or days, depending on validation requirements. Sometimes DNS changes or org checks stall the whole process.
3. Download and figure out deployment; Once issued, admins need to install it. Many end up Googling commands, digging through old notes, or asking AI tools for help.
4. Schedule downtime – Certificates often require maintenance windows and coordination with app owners. One wrong config, and the site breaks.
5. Repeat endlessly – Now compress that cycle into 47 days, across thousands of certs, across hundreds of systems.

You can quickly see how this process is not just tedious; it is unsustainable. At 47-day lifespans, which require monthly renewal cadences, manual renewal is a guaranteed recipe for outages.

With Sectigo Certificate Manager, it is different:

• Validations are pre-handled.
• Certificates renew automatically.
• Certificates are deployed directly to the end device.
• Outages stop being a guessing game and become preventable.

Manual certificates were barely manageable in one year. At 47 days, they are impossible.

The human cost: burnout and attrition

This is not just about outages; it is about people.

When I talk to PKI admins about the shift to 47-day certificates, many of them joke; though they are not really joking: “I hope to retire before this happens.”

CISOs say the same thing: “I just want to get out before this problem lands on my desk.”

That mindset is dangerous. It is not just technical debt: it is human exhaustion. These systems are being held together by people who may quit or retire rather than fight through another wave of manual chaos.

The reality is clear: this problem will not wait for retirement. The outages are coming unless businesses act. The only sustainable path forward is automation: end-to-end, built into the fabric of your infrastructure. And that is exactly what Sectigo Certificate Manager delivers.

Sectigo vs. other CLMs

Here is another hard truth: many other CLM vendors make automation harder than it must be. Why? Because they make money selling professional services.

They scope integrations as custom projects, dragging timelines from weeks into months and inflating costs. While you wait, your risk grows.

Sectigo takes the opposite approach:

• Solutions, not services: Automation that works out of the box.
• Pre-built integrations: ServiceNow, F5, IIS, Azure, and ready to deploy now.
• Governance and crypto agility: Define and enforce policies that keep you ahead of crypto shifts like the 2030 RSA 2048 deprecation.

Where others sell services, Sectigo delivers solutions.

The biggest misconception about automation

One of the most dangerous misconceptions I see especially with customers migrating from Entrust: is the belief that they already have automation.

Many organizations have purchased CLM tools, expecting end-to-end automation. But when we dig in, we find the reality: zero percent automated.

These tools often amount to glorified notification systems and certificate request forms. They alert admins when certificates are about to expire, or they streamline the request workflow, but they have yet to set up automation devices where they are needed, because it is too hard and costly.

That is not automation. That is a fancier version of the same manual process.

True automation means the entire lifecycle is handled issuance, deployment, renewal, and replacement: without manual intervention. That is what Sectigo delivers, and it is the only approach that will stand up to the relentless pace of 47-day renewals.

Ask yourself: have you asked your team how many certificates you actually have fully automated to the end device? The answer may surprise you.

The path forward: a 47-day reality check

This is not a technical nuisance. This is a governance failure waiting to happen. Executives who ignore it are not just putting IT at risk, they are putting shareholder value, customer trust, and regulatory compliance on the line.

Here are the four pillars every leadership team must act on now:

1. Visibility
   You cannot automate what you cannot see. Start with discovery and inventory of every certificate across your environment.
2. Automation First
   Stop treating certificates like a manual ticketing task. True automation issues, deploys, renews, and replaces certificates directly on devices: without human intervention. Anything less is not sustainable in a 47-day world.
3. Flexibility
   Every environment is different. Some teams will choose agents, others ACME, APIs, or cloud integrations. The key is to have multiple automation options ready to fit every use case, not a one-size-fits-all bottleneck.
4. Governance
   Leadership must enforce policies from the top down: automation aligned with crypto agility, compliance, and risk frameworks. This is not just an IT decision; it is board-level risk management.

Why executives must act now

• Financial impact: Certificate outages cost organizations millions in downtime, lost sales, and recovery efforts—far more than the cost of automation.
• Personal accountability: Customers and investors do not blame admins. They blame CIOs, CISOs, and CEOs. This is a leadership failure, not a technical slip-up.
• Compliance exposure: A single expired certificate can instantly break PCI, HIPAA, or SOX compliance, exposing your business to fines and lawsuits.
• Competitive positioning: Competitors who automate will not only avoid outages but will also gain speed, resilience, and trust in the market. Can you afford to fall behind?
• Board-level risk: Certificate automation must be part of quarterly board risk reviews. If it is not already there, you are already behind.

Closing: the countdown has already started

Automation is not about making PKI admins’ lives easier: it is about keeping your business online. The outages are already here. The headlines are already written. The question is whether your organization will be in the next one.

Ask yourself: do you want your company’s name in the news as the next certificate outage headline? Because that is the reputational gamble you are taking if you wait.

If you are ready to avoid being the cautionary tale, start with Sectigo’s 47-Day Checklist and get our team’s guidance on how end-to-end automation can work in your environment.

Forty-seven days is the new reality. The countdown is already ticking. The only question is whether you will get ahead, or get taken down.

Want to learn more? Get in touch to book a demo of Sectigo Certificate Manager!

Related posts:

Seven common automation missteps that put your SSL/TLS certificates at risk

7 reasons automation is the solution to 47-day certificate lifespans

The hidden multi-million-dollar cost of certificate outages and why it’s about to get worse

As certificate lifespans shrink to 47 days, the pressure lands squarely on PKI administrators. You already know the risks: expired certificates mean outages, fire drills, and late-night calls. Our Global Director of Sales Engineering, Brendan Bonner, weighs in with seven common missteps he sees with clients that are putting their certificates at risk.

The problem is that teams are tackling today’s 47-day certificate challenge with outdated, one-year solutions. They stitch together portals, scripts, or IT service management (ITSM) workflows that resemble automation but fall short. Too often, it’s “automation” only for the PKI administrator. Certificates land in a central vault, but system, cloud, and network admins still have to retrieve and install them manually. That may check a box for PKI, but it doesn’t solve the real issue for the business.

There is also the false economy of wildcards. A $100 wildcard may appear cost-effective compared to single-domain or multi-domain certificates, but those savings can quickly evaporate. When a wildcard expires or gets compromised, it can easily escalate into a million-dollar outage or breach. In fact, some businesses, such as private equity firms, now demand their portfolio companies remove wildcard certificates entirely after repeated costly failures.

I have seen this firsthand. In one instance, a large enterprise believed they had automation until Sectigo pulled it apart and found they only had a portal for certificate requests. No deployment. No renewals. Just requests.

The reality is that true end-to-end automation already exists. For many administrators, the breakthrough comes the first time they see a certificate deployed directly from an interface without ever logging into the web server. The next realization is that setting up automation is often faster than continuing with manual installations.

This blog explores seven common automation missteps that slow teams down, and how to approach automation in a way that is practical, forward-thinking, and sustainable.

Misstep 1: Centralized key management is not automation

The problem: Centralized key vaults worked when certificates lasted a year or more. PKI administrators could stash certificates, and application teams pulled them when needed.

Where it falls short: In practice, most organizations do not have certificates deployed to endpoints with automation. Instead, system administrators, cloud administrators, and network administrators still must pull the certificate from the vault, download it, and install it manually. That may feel like automation to the PKI administrator, but it does not scale in a 30-to-47-day renewal world. It also spreads the private key into multiple locations instead of keeping it bound to the device.

A better path: Push automation to the edge. True automation issues certificates directly to the device. The private key never leaves, the certificate signing request (CSR) goes securely to the Certificate Authority (CA), and renewal and installation happen end-to-end.

Misstep 2: Request-only workflows are not automation

The problem: Many organizations call themselves “automated,” but in reality what they have built is faster requests. A CSR may auto-generate and flow to the CA, but someone still must log in, download, and install the certificate.

Where it falls short: It is progress, but only halfway. Certificates pile up waiting for clicks, and outages happen when that “last mile” does not get finished. One large enterprise I worked with believed they were automated until we discovered their process was only a request portal. No deployment. No renewal.

A better path: Automation should cover the full lifecycle: request, issuance, installation, and renewal. If your team is still logging in every cycle, you have only solved part of the problem.

Misstep 3: Format worries stall automation

The problem: Teams stall automation because of certificate formats: PFX, PEM, PKCS#12. They worry about incompatibility or lock-in.

Where it falls short: This “format paralysis” delays progress while certificates continue to expire.

A better path: Use a certificate lifecycle manager (CLM) that supports multiple formats natively. Automation should deliver certificates in whatever format the device requires without extra work from your team. Simply don’t worry about it, automate it.

Misstep 4: Change management bottlenecks break automation

The problem: Change management is essential but often applied too literally to certificates. Some organizations create change requests for every renewal, requiring administrators to log in and approve or install a certificate every 30 to 40 days.

Where it falls short: That is not governance: it is button-click automation. It creates delays, wastes administrator time, and breaks completely during change freezes, when certificates can still expire.

A better path: Keep change management where it belongs: approving automation workflows during setup, with the right checks and balances. Once automation is approved, let it run.

A real-world example: Sectigo worked with a PKI administrator who understood the risks of tying renewals to change management, but their InfoSec team pushed back. They believed every renewal approval was necessary for security. In theory, they were not wrong: governance matters. In reality, the process they enforced created more risk with certificates still expiring during freezes. After careful discussion and weighing the trade-offs, they recognized that automation with strong logging was the safer path forward.

Misstep 5: Treating ITSM as CLM blocks automation

The problem: Many organizations try to rebuild certificate management inside ITSM platforms like ServiceNow or Remedy. It feels logical to track certificates like other assets, but ITSM platforms were not built for full certificate lifecycle management.

Where it falls short: ITSM systems can log certificates and tie them to inventory, but they cannot discover, renew, or deploy them at the speed of 47-day cycles. I have worked with clients who invested in custom ITSM workflows, only to abandon them later because of the development and management overhead.

A better path: Use ITSM for governance and visibility but let CLM do what it is built for: discovery, issuance, deployment, and renewal. Sectigo, for example, integrates directly with ServiceNow (and other ITSMs through APIs) so you get the best of both worlds: records in ITSM, automation in CLM, and less overhead overall. Use as many off the shelf integrations as possible.

Misstep 6: Reusing certificates across locations undermines security

The problem: Some organizations still use the same certificate and key pair across multiple servers. They will automate to one server, then copy it to others.

Where it falls short: This undermines both security and automation. It is like a hotel where every room has the same key card: convenient, but risky.

A better path: Treat each endpoint with unique private key. If you need the same common name in different places, say, an F5 load balancer and an IIS server, provision separate certificates and key pairs for each.

A special note on wildcard certificates

Wildcard certificates have historically been used to save time even stretching a single wildcard across a thousand-plus devices. It used to be common practice; I was guilty of using them in the past too.

With automation, that shortcut no longer makes sense. A wildcard creates a single point of failure. If it expires or is compromised, every device that shares it is impacted.

Can we automate a wildcard certificate? Absolutely.
Does it make sense? No.

That $100 wildcard might look cheap compared to single-domain or multi-domain certificates, but the false savings can turn into a million-dollar outage or breach. The bottom line? Treat each endpoint with unique private key.

Misstep 7: Trying to solve everything at once

The problem: Some teams believe certificate automation has to be tackled in one massive project, issuing and replacing every certificate all at once.

Where it falls short: That approach usually leads to paralysis. The scope feels overwhelming and nothing moves forward while certificates continue to expire.

A better path: You do not need to flip your PKI overnight. With the right automation in place, you can let certificates renew naturally, replacing them automatically as they come up. Breaking the problem into smaller steps makes the transition smoother, faster, and less risky. True automation is about momentum, not boiling the ocean.

One common myth: Automation is harder than manual

The fear: Many administrators assume real automation requires huge resources.

The reality: In practice, it is often faster. In my lab, I compared manual deployment (4 minutes 12 seconds) versus full automation (2 minutes 44 seconds including agent setup). In real-world environments, manual installs often take hours because of missing pre-validation or trust anchors.

What surprises administrators most is deployment. Historically, they have had to hunt down servers, figure out the install process, schedule downtime, and plan around risk. With automation, deployment happens in seconds: no guesswork, no scheduling, and no downtime.

The takeaway: Automation does not add work; it removes it. Once it is in place, every renewal happens without you lifting a finger.

Closing thoughts

If you still have manual steps anywhere in your process, it’s time to look into ways to automate. If you do not have automation, you do have risk. I have watched administrators’ eyes light up the first time they see a certificate deployed directly to a device without touching the server, and then realize it is actually faster than doing it manually. That is the “aha moment” that changes everything. That said, it is not realistic to automate every certificate today. Some processes and programs do not yet have APIs or hooks for full automation, and that is fine. What matters is automating the bulk of your certificates.

When you are ready to take the next step, explore our 47-Day Survival Guide to see exactly what real automation should look like in practice or calculate the average ROI of switching to an automated CLM platform with our 47-Day ROI Calculator.

Want to learn more? Get in touch to book a demo of Sectigo Certificate Manager!

Related posts:

How to prevent data breaches in enterprise organizations

The role of certificate lifecycle automation in enterprise environments

Why SSL certificate renewal automation is essential for businesses of all sizes

Cryptography underpins trust, compliance and risk management across an organization and one of the most visible applications of cryptography is in SSL/TLS certificates. Every certificate contains a public key, and its issuance, renewal and expiration are governed by cryptographic standards. With the dawn of quantum computing approaching, C-level leadership and boards need to recognize that achieving cryptographic agility is a key driver of successful business risk management, regulatory compliance and operational resilience. One practical lever for building crypto agility is through certificate agility, which forces organizations to modernize how they manage cryptographic assets.

The pressure to modernize

Our State of Crypto Agility Report, in partnership with global research firm Omdia, has revealed that organizations are facing unprecedented pressure to modernize their cryptographic systems. Two major forces are driving this shift:

• The shortening of SSL/TLS certificate lifespans to 47-days by 2029
• The looming threat of quantum computing

While these technical changes are well understood by CISOs and IT leaders, the report reveals a troubling gap in executive engagement, one that could jeopardize business continuing and long-term resilience.

Certificates as a catalyst for crypto agility

Shorter certificate lifespans are a forcing function towards crypto agility. By requiring frequent renewals, they compel organizations to:

• Inventory their cryptographic assets
• Automate certificate lifecycle management
• Improve visibility into where and how cryptography is used
• Coordinate across teams to avoid outages and misconfigurations

In other words, managing certificates effectively is a gateway to managing cryptography effectively.

The visibility gap is a business risk

Our research found that:

• Only 28% of organizations have a complete certificate inventory
• Only 13% feel extremely confident they are tracking all certificates (including rogue or shadow certificates)

This lack of visibility means many organizations are flying blind, unaware of where their cryptographic assets even reside, let alone how vulnerable they may be. To IT teams, this might be considered a technical oversight but in reality, it’s a business risk. Certificate-related outages can lead to service disruptions, compliance failures, and reputational damage.

As SSL/TLS certificate lifespans cut in half to just 200 days by March 2026 – requiring IT teams to renew certificates every six months – the operational burden of managing renewals will increase dramatically. By 2029, those certificates will need renewing on a monthly cadence. Alarmingly, less than 1 in 5 organizations feel ‘very prepared’ to handle monthly renewals.

A strategic opportunity for leadership

Short-lived certificates offer a unique opportunity for executive leadership to engage with cryptographic strategy in a tangible way. By treating certificate agility as a business priority, organizations can:

• Reduce the risk of outages and compliance violations
• Build the foundation for Post-Quantum Cryptography migration
• Improve cross-functional coordination between security, IT, and operations
• Establish governance frameworks like a Crypto Center of Excellence (CryptoCOE)

Ultimately, cryptographic agility starts with certificate agility. And certificate agility starts with executive awareness and investment. Forward-looking organizations should see SSL/TLS certificates and managing their shrinking lifespans as a catalyst for building the cryptographic agility needed to secure the future.

Want the full data, insights, and recommendations?

Learn how organizations are preparing (and where they’re falling short) on crypto agility, certificate management, and PQC readiness.

Related posts:

• Webinar: From the shadows to the spotlight: digital certificates have entered center stage
• Root Causes 520: How prepared are IT teams for 47-day certificates?
• Root Causes 521: How Prepared Are Enterprises for PQC? (Part 1)
• Root Causes 522: How Prepared Are Enterprises for PQC? (Part 2)

This visual branding is made possible through digital certificates that support the Brand Indicators for Message Identification (BIMI) standard. The two main types are Common Mark Certificates (CMC) and Verified Mark Certificates (VMC).

Both enhance visual trust by displaying logos while also boosting email security and brand visibility. However, the distinction between trademark requirements can cause confusion.

VMCs require trademark validation and, in supported email platforms like Gmail, they also display a blue checkmark next to your logo, signaling that the sender has been fully verified.

CMCs are easier to obtain and more affordable because they don’t require trademark validation.

Not sure which digital certificates are best suited to safeguard email communication? Your decision should depend on your brand’s goals, whether you have a registered trademark, and the level of email security you need. In this article, we’ll break down the differences between CMC and VMC certificates and explain how each contributes to building trust and visibility in the inbox.

What is a VMC?

Verified mark certificates (VMCs) use brand logos to signal trust in email communication. Trademark registration is a core element of the VMC, promising enhanced credibility and security. These certificates are only available to those who submit trademarks registered through official channels such as intellectual property offices.

VMCs must also be validated by a trusted certificate authority and work alongside email security protocols such as BIMI, DMARC, SPF, DKIM, and DNS to verify sender identity, prevent spoofing, and enable the display of trademarked brand logos in supported email clients.

One of the key benefits of a VMC is the visual trust signal it provides: in Gmail and other supported platforms, your logo is displayed, helping recipients instantly recognize legitimate messages. They also improve email engagement and deliverability.

VMCs offer strong protection against phishing attempts and generally have broader platform support compared to CMCs, making them a preferred option for brands with registered trademarks seeking maximum visibility and trust.

What is a CMC?

A common mark certificate (CMC) is a specialized digital certificate, designed to confirm organizational identity by displaying logos within email inboxes. Unlike VMCs, CMCs do not require a registered trademark. Instead, they rely on other forms of verification such as logo usage history and domain ownership to authenticate the sender’s identity and establish visual trust.

CMC certificates also work alongside established email authentication protocols such as BIMI, DMARC, SPF, DKIM, and DNS to help ensure that emails are legitimate and have not been spoofed or altered.

Key advantages of CMCs include the fact that no trademark registration is required, they can be issued quickly, and they are generally more affordable than verified mark certificates.

However, CMC support remains limited and is currently available in select platforms like Gmail, Yahoo, and Apple Mail, meaning your brand logo may not appear in all inboxes.

Key differences between CMC and VMC

CMCs and VMCs may seem similar, but their underlying mechanisms look a bit different, and these core differences carry ripple effects that impact pricing, issuance, brand visibility, and more.

Trademark registration and validation process

All differences surrounding CMC and VMC come down to one main distinction: VMCs require trademarked logos, which call for a more vigorous validation process. This process includes additional checks by a certificate authority to verify trademark ownership before approval. With CMCs, verification by a CA is still required, but it does not require a registered trademark logo. Instead, the CMC validation process centers around logo use history and domain ownership verifications.

Logo display and visual indicators

Both CMCs and VMCs make it possible to display brand logos in email inboxes. This drives instant recognition among email recipients. However, VMCs have an extra advantage in Gmail because the logo appears with a blue verified checkmark, signaling a fully validated sender. Organizations obtain these trademarks through intellectual property offices such as the United States Patent and Trademark Office (USPTO).

Platform support and deliverability

The advantages of logo-based visual trust matter little if compatibility issues stand in the way of logo rendering or limit badges that signal trust. VMCs offer broader compatibility with BIMI-supported email clients while CMC support is more limited and currently works with a smaller subset of providers.

Pricing and issuance complexity

The key advantages that elevate VMCs—validation processes that support a higher level of trust—also contribute to their main drawback: these certificates will take longer to issue and are more expensive.

With VMCs, issuance cannot be completed without trademark ownership confirmation. This calls for documentation above and beyond what is required for a CMC.

BIMI, email authentication, and certificate compatibility

The success of both VMCs and CMCs relies on a key standard: Brand Indicators for Message Identification (BIMI). This is what today's top email clients use to verify and display brand logos via inboxes.

BIMI draws on enforcement from DMARC (Domain-based Message Authentication, Reporting, and Conformance) protocols, which safeguard domains from unauthorized use. DMARC policies use DNS records to indicate how servers should handle any messages that fail strict authentication checks.

Authentication mechanisms such as SPF (Sender Policy Framework) confirm that emails come from authorized IP addresses, while DKIM (DomainKeys Identified Mail) adds cryptographic signatures for additional verification. When these standards are properly configured, they establish a strong foundation for BIMI to function.

While VMCs are typically used to enforce BIMI's strictest requirements, CMCs have a powerful role to play: they can eliminate some of the greatest roadblocks that stand in the way of BIMI, all while helping organizations display verified logos.

Which certificate is right for your domain?

Choosing between a VMC and a CMC depends on several key factors, including your brand’s trademark status, email security goals, budget, and the level of inbox visibility you want to achieve.

Start by reviewing your email authentication setup. Both CMCs and VMCs require DMARC, SPF, DKIM, and DNS records to be properly configured, so ensuring these basics are in place will narrow your choices.

• Trademark ownership. In most cases, the VMC vs CMC debate comes down to one key factor: if your organization already has a registered trademark, VMC is the best option. This approach is even more important when navigating strict trademark governance. For businesses that lack trademarks, however, CMC can provide a valuable bridge, offering a similar form of protection along with a much-needed signal of digital trust.

• Budget. Businesses need to strike a delicate balance between safeguarding email communications and maximizing their digital certificate ROI. CMCs influence this equation because they generally cost less than VMCs. These savings stem from less intensive validation; both certificates undergo verification processes, but CMCs are freed from the added burden of trademark verification. If cost is a key barrier, CMCs may be the better choice, promising similar protection at a lower price point.

• Email client compatibility. If broad compatibility is a priority, it's important to note that while CMCs are supported in major platforms like Gmail, Yahoo, and Apple Mail, VMCs are better suited for organizations seeking the widest and most reliable reach across BIMI-supported email clients.

• Security and brand marketing goals. VMCs and CMCs support similar goals, but their impact can vary. VMCs provide stronger trust signals through trademark validation and more visible branding. CMCs offer flexibility but may not deliver the same level of identity assurance or brand credibility.

How to get a VMC certificate

It can take up to six weeks to secure a VMC certificate, so be prepared for a lengthy process that includes verifications and documentation. To obtain a VMC certificate you need to:

1. Secure a registered trademark. A mark certificate does not qualify as a verified mark certificate until it is accompanied by a registered trademark. Take steps to secure this through USPTO or, if needed, similar recognized offices from other jurisdictions.

2. Create an SVG version of the logo. Trademarked logos should be saved as SVG square format to meet BIMI (Brand Indicators for Message Identification) requirements. These vector graphics are uniquely scalable and promise sharp image quality.

3. Ensure DMARC enforcement is active. DMARC policies should be set to quarantine or reject (p=quarantine or p=reject).

4. Purchase from a trusted certificate authority. Vet certificate authorities carefully to ensure that strict standards are followed through every step of the issuance process. This strengthens credibility and overall peace of mind. Look for a CA with a strong reputation and robust support services, such as Sectigo.

How to get a CMC certificate

The process of obtaining a CMC largely echoes VMC requirements, except for the absence of registered trademark validation. Get started by following these steps:

1. Prepare an SVG logo. The logo must be in SVG Tiny 1.2 format and should include an embedded color profile. This logo need not be trademarked, but it will need to clear other requirements. A logo should have been publicly used for at least 12 months on your domain, although modified versions of registered trademark logos may also qualify.

2. Confirm active DMARC enforcement. Follow the previously described steps to confirm DMARC quarantine or reject policies.

3. Seek validation from the right CA. As with VMCs, CA selection is crucial. Be prepared to undergo identity verification protocols that may include notarized IDs or live video calls with CA validation agents.

Why email authentication matters for cybersecurity and brand trust

Email authentication forms a crucial layer of digital security, making it far more difficult for bad actors to impersonate trusted brands. This verifies senders' legitimacy so that recipients are less vulnerable to sophisticated spoofing attacks. By strengthening trust, authentication also improves overall visibility, leading to higher open rates and improved engagement.

While many safeguards contribute to strong email authentication, CMCs and VMCs enhance this protection by adding visual trust indicators that leverage the power of brand recognition.

Get started with VMC or CMC certificates through Sectigo

Enhance visual trust with common mark certificates and verified mark certificates—both available through Sectigo. As a digital certificate leader, Sectigo offers industry-leading solutions to help you navigate the validation process with confidence. Start your path to visual trust in the inbox today.

Related posts:

Email security best practices to protect your business in 2025

What are Verified Mark Certificates & how do they help authenticate emails?

Root Causes 98: DMARC and Verified Mark Certificates for Email