The recent browser mandate gradually reducing the maximum validity of public TLS certificates to just 47 days (around six weeks) by 2029 is not a minor technical adjustment; it is a seismic shift. This is not a gradual evolution but a rapid, high-impact change that will double operational risks and costs in a matter of months if organizations do not act now.
Public trust has become a default that is too often chosen out of convenience, and the WebPKI industry is now compelling organizations to use public TLS only where it is genuinely relevant. The operational consequences of inaction will be expensive.
Key takeaways
- WebPKI is becoming the riskiest, most expensive method for securing your infrastructure. The 47-day mandate is a direct challenge to the status quo.
- The time to rethink your certificate strategy and de-risk operational posture is now. If you are still relying on manual processes or outdated automation, you are already behind.
- For use cases related to internal systems, enterprise applications, and device authentication, private PKI is no longer optional – it is the safest choice with lower cost, lower risk, and with policies under your control.
The Growing Risks of WebPKI
WebPKI has long been used to secure both public-facing and private-facing systems, for compliance and security reasons but especially for convenience. As the CA/Browser Forum (made up of browser vendors and public certification authorities) moves toward stricter rules, such as shorter WebPKI certificate lifetimes, organizations face growing pressure to adapt to a more stringent and rigid approach to public trust management. Some key implications include:
- Mandatory public disclosure of certificate details via Certificate Transparency logs, even for internal systems
- Sudden certificate revocations – triggered by minor or benign issues, but potentially also by random revocation requests made for testing purposes
- Deprecation of multi-use certificates, such as certificates with multiple extended key usages, forcing more granular and frequent issuance
- Mandatory rotation every 47 days starting from 2029, introducing a constant churn that most infrastructures aren’t equipped to handle just yet
These changes are rooted in a shared industry goal: enhancing security, reducing the risk of certificate misuse, and preparing for future cryptographic challenges, including the post-quantum era. But they also undeniably increase risks of outages, operational disruption, and a growing burden on IT teams.
What You Must Do – Now
This disruption is your signal to reassess certificate management strategies from the ground up. Automation is of course no longer optional; it is foundational. But it is not the only effort required: it is now crucial to rethink certificate strategies and de-risk operational posture by reducing the use of WebPKI wherever possible.
WebPKI remains essential for public-trust scenarios – such as securing websites, public APIs, and customer-facing services. However, for internal systems, enterprise applications, and device authentication, private PKIs that do not rely on root CAs embedded in trust stores will offer a more tailored and flexible approach, at a lower cost and lower risk; for these use cases, the default should no longer be WebPKI.
What private PKI requires
Transitioning to private PKI isn’t a shortcut; it requires rigor. To match the security and trust of public CAs, organizations must:
- Protect keys using hardware security modules (HSMs) and key management software (KMS)
- Operate within environments that follow best practices, including people, process, and technology; a good standard to follow is WebTrust for CAs, which is a major standard that all public CAs are audited against
- Maintain tight governance over issuance, revocation, and lifecycle management
- Prepare PKI for post-quantum cryptography by deploying PQC-ready infrastructures
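As an added example (not code from this page or from any Entrust product), the following Go program shows what "policies under your control" and tight governance over issuance look like in practice. It builds a private root with a critical name constraint limited to an assumed internal namespace (`.corp.example`, a constructed name), enforces an issuance-time policy check, signs 30-day serverAuth-only leaves (a lifetime chosen for the example), and shows the relying-party side rejecting a leaf issued outside the namespace even when the issuance check is bypassed. The CA key is held in memory purely for demonstration; the HSM protection the list above calls for is out of scope here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Issuance policy (assumed values for this example, not from the page).
const leafLifetime = 30 * 24 * time.Hour // short-lived leaves, set by the CA owner, not a root program

var permittedDomains = []string{".corp.example"} // constructed internal namespace

// PrivateCA is a self-signed root plus a trust pool containing only that root.
// The key lives in memory here; in production it belongs in an HSM.
type PrivateCA struct {
	Cert *x509.Certificate
	key  *ecdsa.PrivateKey
	pool *x509.CertPool
}

func NewPrivateCA() (*PrivateCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Corp Private Root"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLenZero:        true, // root signs leaves directly; no intermediates allowed
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		// Critical name constraint: relying parties reject any leaf outside the
		// namespace, even one signed with a misused CA key.
		PermittedDNSDomains:         permittedDomains,
		PermittedDNSDomainsCritical: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &PrivateCA{Cert: cert, key: key, pool: pool}, nil
}

// inPolicy is the issuance-time governance check: the name must sit under a permitted domain.
func inPolicy(dnsName string) bool {
	for _, d := range permittedDomains {
		if len(dnsName) > len(d) && strings.HasSuffix(dnsName, d) {
			return true
		}
	}
	return false
}

// IssueServerCert refuses out-of-policy names, then signs a short-lived serverAuth-only leaf.
func (ca *PrivateCA) IssueServerCert(dnsName string) ([]byte, error) {
	if !inPolicy(dnsName) {
		return nil, fmt.Errorf("issuance refused: %s is outside the permitted namespace", dnsName)
	}
	return ca.signLeafUnchecked(dnsName)
}

// signLeafUnchecked skips the policy check. It exists only to show that the
// name constraint still protects relying parties when issuance controls fail.
func (ca *PrivateCA) signLeafUnchecked(dnsName string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    now.Add(-5 * time.Minute),
		NotAfter:     now.Add(leafLifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, // one EKU per certificate
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.key)
}

// Verify is the relying-party side: chain the DER leaf to the private root for hostname.
func (ca *PrivateCA) Verify(der []byte, hostname string) error {
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: ca.pool, DNSName: hostname,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}
```

Usage: `ca, _ := NewPrivateCA()`, then `der, err := ca.IssueServerCert("wiki.corp.example")` succeeds and `ca.Verify(der, "wiki.corp.example")` returns nil, while `ca.IssueServerCert("www.public.example")` is refused; a leaf for that name produced through `signLeafUnchecked` still fails `Verify`, because the root's critical name constraint is enforced by the relying party independently of the CA's own controls. Both layers are what "governance under your control" means once the root is no longer a browser-embedded one.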
When WebPKI is unavoidable
For the use cases where WebPKI remains necessary, organizations must:
- Invest in automation to handle frequent rotations, revalidations, and rollbacks of certificates
- Adopt multi-CA support to mitigate risks from unplanned outages, revocations, or trust changes
- Deploy comprehensive certificate lifecycle management (CLM) solutions to ensure full visibility and control of a certificate estate. This means building a consolidated inventory, defining and applying policies, documenting each certificate’s purpose, reporting on progress over time, and alerting to high-risk items
- Closely monitor root store policies and CA/Browser Forum plans and decisions to stay ahead of increasingly onerous and disruptive compliance shifts
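The inventory, policy and alerting steps above, as an added example rather than code from this page or from any Entrust product: a small Go checker over a constructed certificate inventory that flags public-trust certificates longer than the 47-day ceiling, certificates past an assumed renewal point (two thirds of the lifetime, a common ACME-client convention taken as an assumption here), expired certificates, public-trust certificates carrying internal names (which Certificate Transparency logs disclose), multi-EKU certificates, and certificates with no documented purpose. It also quantifies the churn the 47-day lifetime brings by computing renewals per year against the 398-day lifetime public CAs could issue before this change. The hostnames, dates and the `.corp.example` suffix are all constructed.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

const maxPublicLifetime = 47 * 24 * time.Hour // ceiling the page describes for WebPKI certificates
const renewAtFraction = 2.0 / 3.0            // assumption: renew once two thirds of the lifetime has elapsed

var internalSuffixes = []string{".corp.example"} // constructed internal namespace

// CertRecord is one row of a certificate inventory (fields chosen for this example).
type CertRecord struct {
	Name        string
	SANs        []string
	PublicTrust bool // issued by a WebPKI CA rather than a private CA
	NotBefore   time.Time
	NotAfter    time.Time
	EKUs        []string
	Purpose     string // documented reason the certificate exists; empty means undocumented
}

func day(y int, m time.Month, d int) time.Time { return time.Date(y, m, d, 0, 0, 0, 0, time.UTC) }

// AsOf is the fixed evaluation time used by the example so results are reproducible.
var AsOf = day(2029, time.June, 1)

// Inventory is constructed sample data, not real certificates.
var Inventory = []CertRecord{
	{"www-public", []string{"www.example.com"}, true, day(2029, time.April, 20), day(2029, time.June, 6), []string{"serverAuth"}, "public website"},
	{"intranet-wiki", []string{"wiki.corp.example"}, true, day(2029, time.January, 1), day(2030, time.February, 3), []string{"serverAuth", "clientAuth"}, ""},
	{"device-0042", []string{"device-0042.corp.example"}, false, day(2029, time.May, 20), day(2029, time.June, 19), []string{"clientAuth"}, "device authentication via private PKI"},
	{"api-gateway", []string{"api.example.com"}, true, day(2029, time.April, 1), day(2029, time.May, 18), []string{"serverAuth"}, "public API"},
}

// RenewalsPerYear quantifies rotation churn for a given lifetime in days.
func RenewalsPerYear(lifetimeDays float64) float64 {
	return 365 / (lifetimeDays * renewAtFraction)
}

func hasInternalName(sans []string) bool {
	for _, san := range sans {
		for _, s := range internalSuffixes {
			if strings.HasSuffix(san, s) {
				return true
			}
		}
	}
	return false
}

// Findings applies the policy to one record and returns alert codes (empty means compliant).
func Findings(r CertRecord, now time.Time) []string {
	var out []string
	life := r.NotAfter.Sub(r.NotBefore)
	if r.PublicTrust && life > maxPublicLifetime {
		out = append(out, "LIFETIME_OVER_47")
	}
	renewBy := r.NotBefore.Add(time.Duration(float64(life) * renewAtFraction))
	switch {
	case !now.Before(r.NotAfter):
		out = append(out, "EXPIRED")
	case !now.Before(renewBy):
		out = append(out, "PAST_RENEWAL_POINT")
	}
	if r.PublicTrust && hasInternalName(r.SANs) {
		out = append(out, "INTERNAL_NAME_IN_WEBPKI") // CT logs publish it; candidate for private PKI
	}
	if len(r.EKUs) > 1 {
		out = append(out, "MULTI_EKU") // multi-use certificates are being deprecated
	}
	if r.Purpose == "" {
		out = append(out, "NO_DOCUMENTED_PURPOSE")
	}
	return out
}

// Report runs Findings over the whole inventory, keyed by record name.
func Report(records []CertRecord, now time.Time) map[string][]string {
	rep := make(map[string][]string, len(records))
	for _, r := range records {
		rep[r.Name] = Findings(r, now)
	}
	return rep
}

func main() {
	for name, f := range Report(Inventory, AsOf) {
		fmt.Printf("%-14s %v\n", name, f)
	}
	fmt.Printf("renewals/year at 47 days: %.1f, at 398 days: %.1f\n", RenewalsPerYear(47), RenewalsPerYear(398))
}
```

The private-PKI device certificate gets no findings even though its lifetime and namespace are internal, because the checker only applies the WebPKI ceiling and the CT-disclosure rule to public-trust records; the intranet certificate issued from a public CA collects four findings at once, which is the kind of item that should be first in line for migration. With renewal at two thirds of lifetime, a 47-day certificate needs roughly twelve renewals a year against one or two for a 398-day certificate.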
A strategic imperative
This isn’t just a technical challenge – it’s a strategic one. Organizations that proactively adapt will strengthen their security posture, reduce operational risk, and build resilience into their trust infrastructure. Those who don’t may find themselves caught in a cycle of expensive yet avoidable outages and escalating complexity.
Rather than resisting change, this is a moment to lead it – with thoughtful planning, modern tooling, and a clear-eyed view of where WebPKI fits in the broader enterprise trust strategy.
Resources to help you navigate the shift
At Entrust, we’ve aligned our product vision to directly address the challenges outlined above. From robust management capabilities to flexible PKI architectures, our solutions are designed to help organizations to transition smoothly to private PKI and to enable automation to reduce operational burden and meet the requirements of WebPKI.
Explore strategies to align public and private PKI, reduce risk, and scale certificate management with automation.