Short SSL/TLS Certification Life Spans, PQC: Report Reveals IT Leaders’ Preparedness For PKI Disruption
Midsize and larger enterprises have been slow to implement public key infrastructure strategies to reduce or eliminate any disturbances to business operations that digital public certificate or post-quantum computing disruptions may bring.
With TLS/SSL certificates soon to expire every 47 days and post-quantum computing’s threat to traditional cryptography, a new report reveals how prepared organizations are for these two disruptions in the public key infrastructure (PKI) space.
Sectigo, a provider of digital certificate life cycle management solutions, Tuesday released its report, “The State of Crypto Agility 2025.” The report presents findings from a June 2025 survey of 272 IT decision-makers in midsize to large enterprises across the U.S. and EMEA.
Overall, the report found that while most IT leaders are familiar with the new guidelines on certificate life spans and the threat that PQC poses to encrypted data, most organizations have been slow to implement strategies to reduce or eliminate any disturbances to business operations that certificate or PQC issues may bring.
Here’s How Prepared Organizations Are For New 47-Day Digital Certificate Life Span Guidelines
The report asked IT leaders about their organizations’ preparedness for shorter certificate life spans.
Earlier this year, the CA/Browser Forum set new guidelines that reduce the maximum allowed validity period of SSL/TLS certificates from the current 398 days to 47 days by 2029. Also, last year, Google said that it would no longer trust Entrust TLS certificates as of Nov. 1, 2024.
Certificate management can be a complex and costly process for organizations. The new certificate guidelines are expected to complicate certificate management even more.
- 96 percent of those surveyed said they are concerned about the impact shorter SSL/TLS certificate life cycles will have on the business.
- 94 percent said that they understand the 47-day SSL/TLS certificate requirements and deadlines.
- 28 percent said they had a complete certificate inventory for their organization.
- 13 percent said they feel extremely confident they are tracking all certificates.
- Less than one in five said they felt “very well prepared” to support the shortened certificate life cycle.
There was an overall lack of investment in automating certificate management among the IT leaders. Ninety-five percent said they remained “partially dependent” on manual processes for managing certificates, and only 5 percent had fully automated solutions in place.
Organizations Are Bracing For Post-Quantum Computing Era
As quantum computing power comes within reach of the masses, there are valid concerns that hackers will use quantum computers to break current encryption methods.
Organizations will need to employ post-quantum cryptography, which is designed to resist quantum computing cyberattacks, experts have warned. The report shows that while just about half of IT leaders surveyed are in the planning stages, most organizations have no concrete strategies deployed now to deal with attacks enabled by quantum computing.
Here are some detailed takeaways:
- 100 percent said they expect to increase investment in PQC in the next two to three years.
- 51 percent said they are inventorying cryptographic assets.
- 51 percent said they were conducting risk assessments related to PQC.
- 47 percent said they were researching PQC algorithms.
- 41 percent said they were developing migration road maps.
- 21 percent are engaging vendors.
- 19 percent are training and upskilling internal teams.
- 16 percent are launching pilot projects.
- 80 percent have a PQC migration strategy in mind.
- 27 percent said they would adopt a “gradual phase-in” of PQC migration technology.
- 43 percent said they are in a “wait-and-see” holding pattern.
- The rest either had no current strategy in mind or are waiting for more mature solutions.
"The data underscores a critical inflection point for enterprises," said Rik Turner, chief analyst, cybersecurity, at Omdia (which partnered with Sectigo for the report), in a news release.
"Managing shorter certificate life cycles cannot be treated as a separate IT task; it is central to building crypto agility necessary for the PQC transition. The coming years will test organizations’ ability to adapt their cryptographic infrastructure at scale under pressure, and those who fail to prepare now face heightened operational and cybersecurity risk," Turner added.
Sectigo’s full report is available here.