47 Day Certificates

The CA A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA./Browser Forum has announced that by 2029, TLS TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer) are protocols for establishing authenticated and encrypted links between networked computers. certificate lifespans will be limited to just 47 days. This shift means organizations must adopt frequent certificate rotations as the new normal. Manual certificate management will no longer be sustainable—especially for enterprises with large certificate inventories. Automation is no longer a luxury; it’s a necessity.

To meet this shortened lifecycle, organizations will need fully automated, end-to-end certificate lifecycle management solutions. Without automation, managing certificate renewals every few weeks could become impractical—or even impossible. For more details, see:

https://cabforum.org/2025/04/11/ballot-sc081v3-introduce-schedule-of-reducing-validity-and-data-reuse-periods/

Manual steps in the rotation process introduce risk and slowdowns. The goal should be to eliminate manual intervention for routine certificate deployments, allowing teams to focus their attention on more complex or critical scenarios that truly require human oversight.

Automated, End-to-End Certificate Lifecycle Management

A complete automation solution for certificate lifecycle management should include the following key stages:

1. Certificate Enrollment and Renewal

Automation begins with securely requesting and issuing certificates. This includes:

Authorization Checks

The requesting entity (user or device) must demonstrate authorization to request a certificate for:
- Subject fields (e.g., CN A common name (CN) is the component of a distinguished name (DN) that represents the primary name of the object. The value varies depending on the type of object. For a user object, this would be the user's name (e.g. CN=John Smith). For SSL certificates, the CN is typically the fully qualified domain name (FQDN) of the host where the SSL certificate will reside (e.g. servername.keyexample.com or www.keyexample.com).=, O=, L=, ST=, DC=)
- Subject Alternative Names (SANs) such as DNS The Domain Name System is a service that translates names into IP addresses. names, IP addresses, URIs, or email addresses
- Key usages and extended key usages, typically defined by the certificate profile or template A certificate template defines the policies and rules that a CA uses when a request for a certificate is received.
CA Routing and Signing

The request must be routed to the correct Certificate Authority A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA. (CA) and signed according to policy.

2. Certificate Deployment

Once issued or renewed, the certificate must be installed in the appropriate locations with minimal delay. Deployment targets may include:

Available Solutions

Several suggested solutions are available on the Keyfactor client support portal. Use the following links to explore your options, and refer to Table 8: Solutions Table (Pros/Cons) for a comparison of solution advantages and trade-offs.

Solution Options:

Use Certbot with ACME on EJBCA

Automate certificate issuance using Certbot and the ACME protocol against an EJBCA instance.
Use kfutil to bulk create Windows IIS bindings

Efficiently deploy certificates by generating IIS bindings across multiple Windows servers.
Use kfutil to bulk create JKS bindings

Automate the deployment of certificates into Java KeyStores (JKS) at scale.
Use kfutil to bulk create PEM bindings

Streamline PEM-based certificate deployments for systems or applications that consume PEM format.

Table 8: Solutions Table (Pros/Cons)

Approach	Pros	Cons	More Information
ACME (Automated Certificate Management Environment)	Industry-standard protocol for automated renewal Supported by popular tools such as Certbot and cert-manager Well-suited for web servers and Kubernetes environments	Requires DNS or HTTP challenge validation DNS validation setup may be restrictive or complex in some environments	Keyfactor ACME Documentation
SCEP (Simple Certificate Enrollment Protocol)	Widely supported by network devices and mobile device management (MDM) solutions Uses a simple shared-secret authentication model Suitable for legacy or constrained environments	Weaker authentication model compared to modern protocols Aging protocol with limited extensibility Primarily useful for legacy systems and not recommended for modern, high-security use cases	Keyfactor SCEP Documentation
EST (Enrollment over Secure Transport)	Secure, TLS-based certificate enrollment protocol Offers stronger security and authentication than SCEP Suitable for environments that require modern cryptographic standards	Less widely supported in enterprise applications and infrastructure Configuration and setup are more complex than SCEP or ACME	Keyfactor EJBCA EST
Keyfactor Command Issuer (external issuer for cert-manager)	Integrates with cert-manager using native Kubernetes CertificateRequest resources Issues certificates via the Keyfactor API Supports Helm-based deployment and cluster-wide automation Enables use of Keyfactor Command certificate enrollment patterns and metadata Leverages Kubernetes-native automation for issuance and renewal workflows	Kubernetes-only solution Requires cert-manager and an additional controller, increasing resource overhead	Keyfactor Command Issuer for cert-manager
AD AutoEnrollment	Built-in feature of Windows; no agent installation required Seamless certificate issuance and renewal for domain-joined machines Centrally managed via Group Policy	Limited to Windows environments Requires an Active Directory domain Certificate subject information is derived from the AD computer or user account, limiting customization	The Keyfactor Cloud Gateway supports AD AutoEnrollment (see Cloud Gateway).
Workflows & Alerts (Keyfactor Command)	Enables proactive certificate renewal before expiration Helps prevent outages caused by unexpected expiration Supports configurable alerts and renewal triggers	Requires pairing with a deployment method (e.g., orchestrator, script, or custom REST API call) Does not handle certificate deployment on its own	Keyfactor Command Workflows (see Workflow Keyfactor Command Alerts (see Alerts)
Orchestrators & Certificate Store Integrations	Enables zero-touch certificate renewal and deployment Supports a wide range of certificate store types (IIS, Apache, F5, Kubernetes, etc.) Centralized management and visibility across diverse environments	May require agent installation on managed endpoints Not ideal for lightweight or resource-constrained devices Requires network connectivity and authentication access to target certificate stores	Keyfactor Command Orchestrators (see Orchestrators) Managing Certificate Stores in the Keyfactor Command Management Portal (see Certificate Stores)
Keyfactor API	Highly flexible for custom workflows and integrations Ideal for CI/CD pipelines and application-driven automation Enables fine-grained control over certificate operations	Requires custom scripting or application logic Involves higher development and maintenance overhead compared to turnkey solutions	Keyfactor API Reference

Was this page helpful? Provide Feedback

Version v25.3

On this page: