Public Key Infrastructure (PKI) plays a vital role in maintaining digital trust. Yet despite its foundational importance, many organisations still struggle with implementing and maintaining PKI in a way that’s both secure and scalable.
That’s why Secon recently hosted a Cyber Security in Focus webinar in partnership with Sectigo, focusing on how to manage PKI without the usual headaches. The session featured Martijn Katerbarg, a leading expert in PKI compliance and governance, who walked attendees through current industry updates, future risks, and practical next steps.
You can watch the full webinar recording below to explore the insights, real-world examples, and recommendations covered.
Understanding the Current PKI Landscape.
PKI is everywhere, from websites and email servers to VPN access, signed software, and even connected devices. However, as the digital ecosystem grows, the number of certificates is increasing rapidly. Managing this scale introduces new challenges, particularly when paired with tightening compliance standards and the need for greater automation.
As of January 2025, the number of SSL/TLS certificates detected on the internet has surpassed 302 million, a significant increase on previous years and a measure of how far secure digital communications now reach across every sector. At that scale, a single expired or unexpectedly revoked certificate on a critical endpoint can cause widespread outages and operational disruption. Several well-known global organisations have already suffered exactly that, which shows the risk is not limited to smaller players.
The Impact of Shorter Certificate Lifetimes.
One of the most significant changes discussed in the session was the reduction of certificate lifespans, a trend already underway and now formalised by the CA/Browser Forum in ballot SC-081. The maximum validity of publicly trusted TLS certificates will step down from today's 398 days to 200 days (March 2026), then 100 days (March 2027) and finally 47 days (March 2029); the period for which domain validation results may be reused shrinks on the same schedule, to 10 days by 2029.
This shift has serious implications for certificate lifecycle management. For teams that renew by hand, shorter lifetimes multiply the number of renewal events, and with them the chance of an expiry-related outage, across estates of thousands of certificates. Processes built around annual renewals also stop fitting: a reminder set for "30 days before expiry" fires before a 47-day certificate is three weeks old. Manual renewal is no longer a scalable option, and automation becomes a necessity rather than a convenience.
Why Automation Is Essential.
With certificate renewal intervals shrinking, automation is now essential for maintaining uptime and compliance. Tools that support Certificate Lifecycle Management (CLM) are designed to discover certificates across your environment, ensure timely renewals, handle revocation events automatically, and integrate with existing infrastructure.
Automated systems also provide visibility into certificates issued outside of IT oversight, so-called “shadow certificates”, which are often a hidden source of risk. Without automation and visibility, organisations are likely to face operational strain, compliance failures, and an increased risk of breaches or downtime.
Preparing for the Post-Quantum Threat.
The session also addressed the longer-term challenge of post-quantum cryptography (PQC). NIST finalised its first quantum-resistant standards in August 2024 (FIPS 203, 204 and 205, specifying ML-KEM, ML-DSA and SLH-DSA), and its draft transition guidance (NIST IR 8547) proposes deprecating today's public-key algorithms, RSA and elliptic-curve cryptography, after 2030 and disallowing them after 2035. The concern is specific: a sufficiently large quantum computer running Shor's algorithm would break the key exchange and digital signatures these algorithms provide, which is exactly what every TLS certificate depends on. Symmetric ciphers such as AES are not broken in the same way.
One of the most concerning risks in this area is the possibility of "harvest now, decrypt later" attacks, where encrypted traffic is recorded today with the intention of decrypting it once quantum computing advances. Because that attack targets the key exchange that protected a recorded session, quantum-safe (or hybrid) key exchange is the more urgent part of the migration; a signature only needs to be secure at the moment it is verified. To mitigate the risk, organisations need to identify their cryptographic assets (certificates, keys, libraries and protocols), assess how long the data each one protects must remain confidential, and start building a post-quantum migration strategy now.
Using the Right CA for the Right Purpose.
A recurring theme in the discussion was the misuse of public certificate authorities (CAs) for internal functions like device authentication or VPN access. Public CAs are bound by the CA/Browser Forum Baseline Requirements: they cannot issue for internal host names or private IP addresses, the certificates they issue are published in Certificate Transparency logs as a condition of browser trust (which exposes internal naming), and they carry the shrinking public lifetimes described above. These use cases are better served by private CAs, which offer greater flexibility, control, and alignment with internal policies.
Choosing the appropriate CA type also avoids unnecessary compliance complexity, improves operational reliability, and reduces the risk of misconfiguration, especially as root programmes and browsers continue to tighten requirements and retire outdated validation methods.
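The discovery and expiry checks described under automation, the cryptographic asset inventory needed for post-quantum planning, and the approved-issuer rule for internal systems above all come together in one inventory report. The Go program below is an added example for this page, not code from Secon or Sectigo and not a CLM product: it builds three sample certificates in memory (standing in for what a scan of internal hosts would return), then for each one reports days to expiry, whether it sits inside a renewal window scaled to its own lifetime, whether its issuer is on the approved list for internal services (which catches both shadow certificates and public-CA certificates on internal hosts), and whether its key is RSA or ECC. The host names, the issuer names, the `InternalApprovedIssuers` policy and the fixed reference date are all hypothetical.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Finding is one row of the inventory report for a single discovered certificate.
type Finding struct {
	Subject, Issuer, KeyAlgorithm string
	LifetimeDays, DaysLeft        int  // DaysLeft is negative once expired
	Expired, RenewDue             bool // RenewDue: no more than RenewalLeadDays remain
	UnapprovedIssuer              bool // not from a CA approved for this use: shadow cert or wrong CA type
	QuantumVulnerable             bool // RSA or ECC key, the algorithms NIST's draft IR 8547 phases out
}

// InternalApprovedIssuers is the hypothetical policy that internal services must be
// issued by the in-house private CA; anything else is a shadow or wrongly sourced cert.
var InternalApprovedIssuers = map[string]bool{"Corp Private Issuing CA": true}

// ReferenceTime is the fixed "now" used by the sample so the results are stable.
var ReferenceTime = time.Date(2025, 6, 1, 0, 0, 0, 0, time.UTC)

// RenewalLeadDays scales the renewal window with the lifetime (its last third) instead of
// a fixed 30 days, which would flag a 47-day certificate from day 17.
func RenewalLeadDays(lifetimeDays int) int { return lifetimeDays / 3 }

// keyDescription names the public key and reports whether it is quantum-vulnerable.
func keyDescription(cert *x509.Certificate) (string, bool) {
	switch pub := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		return fmt.Sprintf("RSA-%d", pub.N.BitLen()), true
	case *ecdsa.PublicKey:
		return "ECDSA-" + pub.Curve.Params().Name, true
	default:
		return cert.PublicKeyAlgorithm.String(), false
	}
}

// Assess evaluates one parsed certificate against the approved-issuer set at time now.
func Assess(cert *x509.Certificate, approved map[string]bool, now time.Time) Finding {
	lifetime := int(cert.NotAfter.Sub(cert.NotBefore).Hours() / 24)
	daysLeft := int(cert.NotAfter.Sub(now).Hours() / 24)
	alg, pqVulnerable := keyDescription(cert)
	return Finding{
		Subject: cert.Subject.CommonName, Issuer: cert.Issuer.CommonName, KeyAlgorithm: alg,
		LifetimeDays: lifetime, DaysLeft: daysLeft,
		Expired:           now.After(cert.NotAfter),
		RenewDue:          daysLeft <= RenewalLeadDays(lifetime),
		UnapprovedIssuer:  !approved[cert.Issuer.CommonName],
		QuantumVulnerable: pqVulnerable,
	}
}

func must(err error) { if err != nil { panic(err) } }

// issue builds a certificate for subject carrying the given issuer name, signed with key.
// A bare parent template is enough to populate the Issuer field for inventory purposes.
func issue(serial int64, subject, issuer string, notBefore time.Time, lifetimeDays int, key crypto.Signer) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: subject},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(0, 0, lifetimeDays),
	}
	parent := &x509.Certificate{Subject: pkix.Name{CommonName: issuer}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, key.Public(), key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// SampleInventory builds three constructed certificates standing in for what a discovery
// scan of internal hosts might return (sample data for this example, not real certificates).
func SampleInventory() []*x509.Certificate {
	rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
	must(err)
	ecKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	specs := []struct{ serial int64; subject, issuer string; ageDays, life int; key crypto.Signer }{
		{1, "vpn.corp.example", "Example Public CA", 368, 398, ecKey},           // public CA on an internal VPN, 30 days left
		{2, "api.corp.example", "Corp Private Issuing CA", 27, 47, ecKey},       // 47-day private-CA cert, 20 days left
		{3, "legacy.corp.example", "Corp Private Issuing CA", 410, 398, rsaKey}, // forgotten host, expired 12 days ago
	}
	var certs []*x509.Certificate
	for _, s := range specs {
		certs = append(certs, issue(s.serial, s.subject, s.issuer, ReferenceTime.AddDate(0, 0, -s.ageDays), s.life, s.key))
	}
	return certs
}

func main() {
	for _, c := range SampleInventory() {
		fmt.Printf("%+v\n", Assess(c, InternalApprovedIssuers, ReferenceTime))
	}
}
```

Run it with `go run`. On the sample data the VPN certificate is flagged twice: its issuer is a public CA rather than the approved private one, and with 30 of 398 days left it is inside its renewal window. The 47-day API certificate is not yet due, because its window is 15 days rather than the 30 a legacy reminder would use. The legacy host's RSA certificate is reported as already expired. All three keys are marked quantum-vulnerable, which is the normal starting point for an inventory: the value lies in knowing where they are and what each one protects.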
Managing PKI at Scale.
PKI isn’t just a set-it-and-forget-it technology. The evolving landscape demands a proactive approach that includes continuous monitoring, process automation, and clear governance. Investing in modern CLM tools and staying aligned with evolving standards will not only reduce operational risk but also free up technical teams to focus on more strategic work. Sectigo emphasise the importance of building a sustainable, secure, and compliant PKI strategy that aligns with your organisation’s risk profile and future-readiness goals.
Final Thoughts.
As PKI lifecycles get shorter, the time to act is now. Organisations must prepare for a future where manual certificate management is no longer viable and where quantum computing introduces a whole new category of risk.
Key actions include:
- Embracing automation through CLM platforms
- Avoiding reliance on public CAs for private systems
- Auditing and tracking cryptographic assets
- Developing a clear strategy for post-quantum readiness
By taking a strategic approach today, organisations can reduce complexity, improve compliance, and build a more resilient trust framework for the future.
If you’re looking to modernise your certificate management approach, get in touch with Secon, we’re here to help you stay ahead of the curve.