A new report from Sectigo and Omdia reveals that enterprises are dangerously underprepared for two converging megatrends shaking the foundations of Public Key Infrastructure (PKI): the radical shortening of SSL/TLS certificate lifespans and the looming transition to post-quantum cryptography (PQC).
The State of Crypto Agility 2025 study, based on a survey of 272 IT decision-makers worldwide, found a striking gap between awareness and execution. While nearly all organizations recognize the risks, most lack the automation, roadmaps, and internal alignment to meet the scale of the coming transformation.
Certificate Deadlines are Coming Fast
Following the CA/Browser Forum’s vote in April 2025, certificate validity periods will fall over the next few years, culminating in a 47-day maximum by March 2029. That means that by the end of the decade, enterprises will need to renew certificates roughly eight times as often as today.
- March 15, 2026: Maximum validity falls to 200 days (two renewals a year)
- March 15, 2027: Cut again to 100 days (four renewals a year)
- March 15, 2029: Final reduction to 47 days (seven to eight renewals a year)
For large enterprises, the math is daunting. A global retailer managing 50,000 active certificates today will need to process nearly 400,000 renewals annually by 2029. Each missed renewal risks outages that could disable websites, payment systems, or internal apps.
According to the survey, 96% of organizations are concerned about the change, but just 19% feel prepared to handle monthly renewals. Even more worrying, only 28% maintain a full certificate inventory, and just 13% are confident they track all certificates, including rogue ones that may be deployed outside official processes.
“Expired or revoked certificates break the trust between clients and the underlying services,” warned Tim Mackey, Head of Software Supply Chain Risk Strategy at Black Duck. “Shortening expiration windows helps reduce the potential impact of key misuse while promoting automated management. But organizations that fail to adapt will face very visible downtime.”
Manual Management is a Ticking Time Bomb
Despite looming challenges, 95% of enterprises remain at least partially reliant on manual certificate processes, and only 5% have fully automated certificate lifecycle management (CLM).
Many organizations are trying to automate, but in fragments. About 67% use Certificate Lifecycle Management (CLM) platforms for central oversight, and 58% use the ACME protocol – the same technology behind Let’s Encrypt – for automated renewals. Yet only one-third automate deployment, leaving most certificates still installed manually.
This piecemeal approach means that even if a certificate is renewed on time, it may not be applied everywhere it’s needed. At a 47-day renewal cycle, such gaps could easily trigger widespread outages.
As Rik Turner, Chief Analyst for Cybersecurity at Omdia, puts it:
“TLS certs have been absorbed into the ‘plumbing’ that just makes IT work. That’s why so many organizations seem unaware of the 47-day issue barreling down the pike. Manual methods simply won’t scale.”
Quantum Threats Push the Timeline Further
While certificate deadlines dominate the near-term agenda, quantum computing is the long-term threat. Some experts predict that by 2029, quantum machines may break RSA and ECC – the algorithms that currently protect most digital transactions. That said, this timeline is hotly debated.
Either way, NIST has already finalized new PQC standards, including ML-KEM (formerly CRYSTALS-Kyber) and ML-DSA (formerly CRYSTALS-Dilithium), and plans to formally deprecate RSA and ECC by 2040. But enterprises remain at the starting line.
The survey found:
- Only 14% have conducted a full assessment of quantum-vulnerable systems.
- Just 15% feel extremely confident they can integrate PQC without major disruption.
- 98% expect to face challenges with PQC migration, from system complexity to lack of expertise.
Meanwhile, cybercriminals are already preparing for a post-quantum future. More than 60% of organizations fear “harvest now, decrypt later” tactics, where attackers steal encrypted data today to decrypt it once quantum tools are ready.
“It seems to me there are two reasons not to wait for Q-Day,” Turner said. “One is that technology has the ability to surprise us – like the explosion in AI after ChatGPT. The other is that threat actors aren’t waiting. If nation-states get quantum first, your most sensitive data could be exposed overnight.”
Migration: A Risk and An Opportunity
Security leaders agree PQC migration will be one of the decade’s most complex transformations. Ben Volkow, CEO of QIZ Security, framed it as both a challenge and a modernization opportunity:
“The urgency isn’t just about the quantum threat – it’s about untangling the cryptographic jungle built up over decades. PQC migration is falling behind the pace of threats, but it’s also a chance to rebuild cryptography management for today’s distributed, AI-driven world.”
However, today, 43% of organizations admit they’re in a wait-and-see mode, holding off until vendors deliver mature solutions. Only 16% have launched pilot projects, leaving most at the information-gathering stage.
Automation as the Path Forward
Experts stress that automation is the only way to bridge the gap between certificate agility and quantum readiness. Trey Ford, Chief Strategy and Trust Officer at Bugcrowd, noted that automation is already the backbone of modern identity systems:
“Effective certificate management is a root of trust for online systems. ACME integrations have powered much of the cloud-native movement, and they’ll be just as essential for managing shorter certificate lifetimes and PQC’s heavier cryptographic loads.”
Ford added that PQC will introduce large certificates, heavier processing, and new libraries, requiring enterprises to test for increased compute demands and latency. Without automation, the operational burden could become too much for IT teams.
Enterprises Must Act Fast
Sectigo’s report makes one thing clear: enterprises must act now. Certificate renewals every six months begin in March 2026 – barely 18 months away. By 2029, the 47-day era will be in full force, while quantum computing threatens to upend all classic cryptography.
“Manual approaches to certificate management are no longer sustainable,” said Tim Callan, Chief Compliance Officer at Sectigo. “Deadlines are approaching fast, and the choices organizations make today will define their resilience in the quantum era.”
Enterprises that invest now in automation, visibility, and cross-functional crypto agility will not only avoid risk but position themselves to survive the coming quantum storm. Those that don’t, won’t.
Josh is a Content writer at Bora. He graduated with a degree in Journalism in 2021 and has a background in cybersecurity PR. He's written on a wide range of topics, from AI to Zero Trust, and is particularly interested in the impacts of cybersecurity on the wider economy.