ManageEngine has introduced post-deployment automation for TLS certificates in Key Manager Plus. The update completes the certificate lifecycle loop by automating renewal, deployment, and service restarts. This addresses the industry shift towards shorter validity periods, which will decrease to 47 days by 2029, making automated management essential for enterprise security and outage prevention.
Historically, most organizations did not have much incentive to automate certificate management. Even the ones that did adopt automation workflows limited it to discovery, periodic expiration alerts, and in some instances, automated renewals. That changed when the CA/Browser Forum voted to reduce the maximum validity of public TLS certificates, phasing down from the legacy 398-day validity period to a 200-day period in March 2026 (current cadence), which will drop to 100 days by March 2027, and finally 47 days by March 2029.
“We’re going from under 200 certificates to over 2,000, across a lot of domains, different server setups, credentials and post-deployment actions for nearly all of it. We’ve had to dedicate significant engineering time to certificate management alone since the change to 200 days. With the 47-day certificate renewals coming up, automation is the only way we can keep up, and Key Manager Plus’ CA-agnostic, certificate life cycle management has helped us automate the whole thing,” said Jonathan Choiniere, infrastructure manager at RevSpring, a payment solutions provider based in Nashville, Tennessee.
Automating the Last Mile of Certificate Renewal
Getting the certificate live is the last step in the renewal process, and this post-deployment task has primarily been handled manually by many teams. While this works when teams are renewing one certificate a year, as certificate lifespans shrink and the same steps repeat roughly eight times as often, manual errors become more likely and the cost of an outage can run into the millions.
“Certificate renewal is rarely the hard part. The work that piles up on teams is what comes after it, at scale: pushing certificates to the server, restarting the services, and confirming they actually went live. End-to-end automation is what turns a 47-day renewal cycle from a scramble into something that runs on its own. With Key Manager Plus, we are eliminating the last manual step in the life cycle management loop,” said Vasudevan Seshadri, director of product management at ManageEngine.
Quantifying the 47-Day Shift
To help organizations assess their own exposure to the reduced certificate validity mandate, ManageEngine has also released a 47-day TLS impact calculator. It lets enterprises quantify what the mandate means for them based on three factors: the size of their certificate estate, their current renewal labor, and their outage exposure. From there, it compares those numbers against what they will look like once their TLS certificate life cycle is fully automated. That automation is what Key Manager Plus delivers, and it runs identically whether teams deploy on-premises or in the cloud.
ManageEngine Key Manager Plus is a machine identity management solution that automates the life cycle of SSL/TLS certificates, Azure secrets, SSH keys, and other machine identities ere – better, safer, and faster. To learn more, visit www.manageengine.com.. It gives enterprises the ability to consolidate, manage, and automate those identities from one place. Available both on-premises and in the cloud, it helps teams move to a fully automated, hands-off approach to certificate life cycle management.




