Introducing Automated SSL Certificate Management with BrandShelter’s SSL API 

By Viktoryia Vlasava, Product Marketing Manager
Published 25 June 2026

There was a time when renewing an SSL certificate was an annual chore. You did it once, filed it under “things that can wait,” and got on with your year. Maybe your provider reminded you. Maybe you set a calendar reminder. Maybe you didn’t, and found out the hard way when a browser threw a full-page security warning at your customers.

Those days are ending. Not because anyone asked, but because the certificate authorities and browser vendors who set the rules have decided that shorter is safer. And they’re right. They’re also about to make a lot of operations teams very tired.

A certificate you renewed once a year will soon need renewing roughly every six weeks. That’s a whole lot more work: the same task, done eight times more often, across a portfolio that might run into the hundreds or thousands of domains. Manual tracking doesn’t scale to that. Nothing manual does.

So today we’re launching the BrandShelter SSL API with ACME protocol support. It’s our answer to a problem the whole industry is dealing with: certificate management is no longer a task you complete. It’s a process you run. And processes that run continuously need to be automated, or they break.

SSL Certificate Management Is Changing

For most of the last decade, a TLS certificate could live for over a year. The maximum was 398 days, which in practice meant an annual renewal and not much thought in between. Comfortable. Predictable. Easy to ignore.

That number is now on a steep downward slope, and the schedule is already public:

  • In March 2026, the maximum certificate lifespan dropped to 200 days.
  • In March 2027, it drops again to 100 days.
  • In March 2029, it lands at 47 days.

Forty-seven days. From a once-a-year task to something you’ll be doing roughly every six weeks. And it’s not just the certificate itself that renews more often. Domain Control Validation, the process that proves you actually own the domain you’re securing, has to happen more frequently too. More renewals, more validations, more chances for something to slip through a crack.

The reason for this change is perfectly sensible. Shorter-lived certificates limit the damage a compromised certificate can do, and they reduce reliance on revocation systems that have never worked as well as anyone hoped. Security improves. The trade-off is that the operational burden lands squarely on the people managing the certificates. That would be you. And us.

The point is this: a system designed around an annual event does not survive when that event now happens eight times a year. Something has to give. Usually it’s a certificate, at 2am, on the one domain you forgot was in the portfolio.

The Hidden Operational Cost of Manual Certificate Management

If you’ve been following along, you won’t be surprised by the “hidden cost”.

When certificates renew once a year, manual management is annoying but survivable. A spreadsheet, a couple of calendar reminders, one person who “owns” certificates and mostly remembers to act. It’s fragile, but it holds. Most organisations have run exactly this way for years and never thought twice.

Shorten the lifespan and that fragility turns into a problem. The same spreadsheet now needs updating constantly. The one person who owns certificates becomes a single point of failure who cannot take a holiday. Renewals that were once a quiet afternoon become a monthly chore, and everyone misses chores sometimes.

The costs stack up in ways that are easy to underestimate:

  • Renewal complexity multiplies. Each certificate has its own timeline, its own validation requirements, and its own quirks. Tracking one is simple. Tracking eight hundred, each renewing every six weeks, is a full-time job nobody was hired to do.
  • Visibility fragments. Certificates get issued by different teams, from different providers, for different parts of the infrastructure. Nobody has the full picture, which means nobody can tell you with confidence which certificate expires next.
  • Operational overhead grows without anyone deciding it should. The work expands until it’s consuming real engineering time that should be going somewhere more useful.
  • Outage risk climbs. An expired certificate isn’t a soft failure. It’s a hard, visible, customer-facing outage, complete with an alarming browser warning that kills trust in seconds. The more renewals you juggle manually, the more likely one gets dropped.
  • Validation workloads increase alongside everything else. More frequent DCV means more records to publish, more checks to pass, and more ways for a renewal to stall halfway through.

None of these problems are dramatic on their own. They’re the slow kind. The kind that accumulates until a missed renewal takes down a payment page during a sale, and suddenly certificate management is the most important thing in the building. Because the reputational damage can be catastrophic, both to your brand, and to you when tech reporters are asking you to comment on a prolonged outage.

We’d rather you never had that day.

Modern Certificate Management Requires Automation

If the problem is that certificate management has become continuous, the solution is to stop treating it as a series of discrete tasks and start treating it as infrastructure. Infrastructure that manages itself.

That framework has a few parts to it.

The first is API-driven workflows. When certificate operations are handled through an API, they stop being something a human does by hand and become something your systems do on your behalf. Ordering, renewing, revoking, checking status: all of it becomes a call your infrastructure can make automatically, on schedule, without a person in the loop remembering to do it.

The second is continuous lifecycle management. Instead of reacting to expiry dates as they loom, automation tracks the entire life of a certificate from request to retirement and acts at the right moment every time. No reminders. No spreadsheet.

The third is operational resilience, which is really the whole point. Automated systems don’t forget. They don’t go on leave. They don’t lose track of the one obscure subdomain that’s been quietly serving traffic since we knew what influencers were. A well-built automation pipeline transforms the shrinking certificate lifespan from a growing threat into a non-event, which is exactly what it should be.

Automation here isn’t a luxury feature for teams who like tooling for its own sake. At a 47-day lifespan, it’s the only approach that holds up. The alternative is hiring people whose entire job is renewing certificates, and nobody has the budget for that.

Introducing BrandShelter’s SSL API

This is where our new SSL API comes in. We built it to take certificate management off your plate and hand it to your infrastructure, where it belongs.

The API covers the full certificate lifecycle. You can order certificates, validate them, renew them, reissue them, revoke them, and update their metadata, all programmatically. It supports Domain Validation (DV), Organization Validation (OV), and Extended Validation (EV) certificates from the brands you already trust: DigiCert, Sectigo, GeoTrust, Thawte, PositiveSSL, InstantSSL, and RapidSSL. Whatever level of validation a given domain needs, the API handles ordering and lifecycle for it.

A few capabilities are worth calling out specifically.

Automatic DNS validation is built in for BrandShelter-managed DNS zones. If we host your DNS, the validation records get published for you. No copying long strings into a control panel, no waiting to find out you pasted one wrong. The validation just happens.

Automated lifecycle management covers the parts that used to require a human paying attention. Renewals, reissuance, revocation, and metadata updates can all run on their own, triggered by your systems rather than your memory.

Certificate information and status are available on demand, so you always know exactly where every certificate stands. That visibility problem from earlier, the one where nobody has the full picture? This is what fixes it.

And all of it integrates into your existing internal systems and operational workflows. The API is a building block, not a walled garden. It’s designed to slot into the way you already work rather than asking you to rebuild around it.

The result is straightforward. The work that right now takes one person’s afternoon, but will soon take over their life, becomes something your infrastructure handles quietly in the background. Isn’t it nice when technology is the solution, not just the problem?

ACME Support for Existing Infrastructure

Of course, if you’re ahead of the game and have already invested in certificate automation, we’ve got support for you too.

Alongside the SSL API, BrandShelter now supports the ACME protocol. ACME is the open standard that automated certificate management has coalesced around, and the tooling built on it is everywhere. If you’ve used Certbot, acme.sh, lego, win-acme, Caddy, or Traefik, you’ve used ACME, even if you never thought about it by name.

Here’s what that means in practice: you don’t have to rebuild anything.

If your infrastructure already speaks ACME, it can speak to BrandShelter. Point your existing ACME client at our service and certificates can be requested, validated, issued, deployed, renewed, and revoked through the automated workflows you’ve already built and tested. No new client to learn. No pipeline to tear down and reassemble. The automation you trust keeps working, with BrandShelter behind it.

The ACME path is built for automation-friendly certificates, which means Domain Validation certificates: single-domain, multi-SAN, wildcard, and wildcard-SAN. These are the certificates that lend themselves to fully hands-off issuance, and they’re what most high-volume, fast-moving infrastructure runs on.

For Organization Validation and Extended Validation certificates, where a human and a vetting process are part of the deal by design, you’ll need to use the standard SSL API workflows instead. OV and EV aren’t second-class citizens here. They’re fully supported through the API. They simply live on the path built for them rather than the path built for fully automated, validation-light issuance. The two approaches are complementary: ACME for the high-volume DV certificates that should renew without anyone watching, the API for the higher-assurance certificates that involve a verification step no protocol can skip.

That said, the point of all this isn’t the protocol. It’s what the protocol gives back to you. The hours you used to spend tracking renewals and chasing validations stay in your week. The pipelines you already built and trust keep running, without needing wholesale, expensive rebuilds. And the work of keeping certificates valid, which was about to get eight times heavier, quietly disappears into automation you don’t have to think about.

Preparing for a Future of Shorter Certificate Lifespans

Let’s go back to where we started. The annual certificate chore, the calendar reminder, the quiet year in between.

That world is gone, and it isn’t coming back. The lifespan is dropping to 200 days, then 100, then 47, and no amount of wishing returns it to 398. The organisations that come through this comfortably won’t be the ones with the most diligent spreadsheet owner. They’ll be the ones who stopped treating certificate management as a task and started treating it as automated infrastructure, well before 47 days forced the issue.

That’s what BrandShelter’s SSL API and ACME support are for. Whether you want a comprehensive API to build certificate automation into your own systems, or you simply want to point your existing ACME tooling at a service that handles the rest, the path off manual certificate management is now considerably shorter than the certificates themselves are about to become.

The shift to shorter lifespans is going to catch a lot of teams unprepared. It doesn’t have to catch yours.

Talk to us about bringing your certificate management onto the BrandShelter SSL API, and let your infrastructure handle the renewals while you get back to the work you were actually hired to do.
