Security vendor CyberArk has unveiled a TLS Certificate Renewal Impact Calculator and a TLS Certificate Discovery Scan, two new tools designed to help IT and security leaders prepare for the upcoming reduction in Transport Layer Security (TLS) certificate lifespans.
Understanding exposure and reducing disruptions
The tools arrive ahead of major changes to TLS certificate validity periods, which are expected to drop from 398 days to 200 days by March 2026, and then further down to 47 days by 2029.
“Shorter certificate lifespans are more than a compliance shift — they are a business risk. Organizations will face a surge in renewals that manual processes simply cannot keep up with,” said Kurt Sand, general manager of machine identity security at CyberArk.
“The result is higher costs, operational strain, and potential system outages that can result in financial and reputational impact. Our new tools make it simple for security leaders to understand their exposure and build a strong case for automation before disruptions occur.”
The tools are a response to the CA/Browser Forum’s phased mandate to reduce public TLS certificate validity. Once fully implemented, organizations will be required to renew certificates at least eight times per year — and likely, monthly as well.
According to CyberArk, teams that rely on manual processes will be the most impacted from the change. They noted that a company managing 500 certificates today spends roughly 2,000 labor hours per year on the task. By 2029, they foresee that figure rising to more than 24,000 hours.
To address this, CyberArk’s certificate calculator and scanning tools help organizations:
- Understand their exposure: Visualize how the shift to 47-day certificate lifespans will affect renewal volumes and labor needs.
- Make informed decisions: Quantify operational costs and the ROI of automation to build a business case for modernization.
- Stay ahead of the change: Use CyberArk guidance to proactively transition to automated certificate lifecycle management, reducing outages, saving time and improving resilience.
Preparing for outage-related costs
The security company also highlighted how the increase in renewals can leave organizations at risk of outage-related costs — making the new tools even more crucial as 2029 approaches.
“CyberArk research shows 72% of security leaders experienced at least one certificate-related outage in the past year, with 67% facing outages monthly and 45% weekly,” CyberArk said.
“As renewal frequency rises, so too will outage-related costs.”
The new tools are part of CyberArk’s broader effort to educate the market on certificate management capabilities within the CyberArk Identity Security Platform. Organizations can now access the TLS Certificate Renewal Impact Calculator and the TLS Certificate Discovery Scan on CyberArk’s official website.
In October, CyberArk rolled out new discovery and context capabilities for its Machine Identity Security portfolio. Learn more about how the new features allow for better visibility and control across enterprise identities.