Certificate handling used to be an annual chore. It is now an automation problem with a deadline: under CA/Browser Forum ballot SC-081v3, adopted in April 2025, the maximum public TLS certificate lifetime dropped to 200 days for certificates issued from 15 March 2026, falls to 100 days in March 2027, and lands at 47 days in March 2029 — with domain-validation reuse windows shrinking on the same schedule. Anything in your estate that involves a human renewing a certificate will break somewhere along that curve. Here is how to run certificates on a CDN so nothing does.
The lifetime collapse changes the job
Two practical consequences follow from the schedule. First, renewal frequency roughly doubles at each step — a certificate estate renewed annually becomes one renewed every six months now, quarterly next year, and near-monthly by 2029 (major CAs actually issue at 199 days to stay safely under the limit). Second, because domain-control validation can be reused for shorter periods, domain ownership gets re-proven far more often, which means the DNS records or HTTP endpoints used for validation must work unattended, every time. The strategic answer is the same for both: every certificate either becomes CDN-managed or gets an automated pipeline, and the audit question shifts from “when does it expire?” to “what renews it, and who gets paged when that fails?”
CDN-managed certificates: the default answer
Every major CDN will issue and renew certificates for the hostnames it serves, through integrations with public CAs, and this should be your default: the platform owns issuance, renewal, deployment to every edge node, and the validation dance — usually via a DNS record you delegate once or, where the CDN already serves your traffic, an HTTP token it answers itself. Onboarding takes minutes and the renewal risk drops to approximately zero. The decisions left to you are small but real: SAN certificates versus wildcards (wildcards cover forgotten subdomains but concentrate risk in one key; per-hostname certs are cleaner but multiply the inventory — a trade the shorter lifetimes tilt further toward managed wildcards), and whether shared certificates that bundle other customers’ hostnames are acceptable for your brand, since dedicated certs are often a paid tier. Verify the validation records survive DNS migrations — a zone move that drops the delegation is the classic silent renewal killer.
Custom certificates: when and how to automate
Some estates need certificates the CDN cannot mint: EV or OV certificates for policy reasons, certificates shared with non-CDN infrastructure, or corporate-CA issuance. Uploading them manually was tolerable at 398 days and is a standing outage risk at 100. If you must run custom certs, automate the full loop — ACME or your CA’s API for issuance, then the CDN’s certificate API for deployment — and treat any certificate that cannot be automated as a candidate for retirement before March 2027 rather than after an expiry incident. One thing not to do: certificate pinning against CDN-served endpoints. Pinned mobile apps have caused self-inflicted outages every time a provider rotated infrastructure certificates, and short lifetimes make rotation constant; pin nothing, or pin only to a private CA you control on internal traffic.
The origin side and the chain
The edge certificate is half the story: the CDN-to-origin connection needs its own certificate, and it should be verified — run full-validation modes, not the “accept anything” settings platforms still offer for onboarding convenience. Origin certificates can come from the same automation (ACME on the origin) or from CDN-issued origin CAs where offered, and they are subject to the same lifetime collapse if publicly trusted. While you are there, audit what the edge actually presents to clients: the full chain in the right order, no cross-signs a modern client does not need — an extra chain certificate costs bytes in every handshake — and revocation handled the modern way (the ecosystem has moved from OCSP toward CRL-based mechanisms since Let’s Encrypt ended OCSP in 2025; stapling settings are covered in tuning TLS at the edge and the background in our OCSP and chains explainer).
Monitoring, CT logs and failure drills
Automation fails quietly, so monitoring is the real safety net. Externally probe every production hostname for days-to-expiry and alert at two horizons — comfortably before expiry (enough time to fix a broken pipeline) and critically close (page someone) — scaling the thresholds down as lifetimes shrink; 30-day warning on a 47-day certificate is just noise. Watch Certificate Transparency logs for your domains too: every publicly trusted certificate appears there, so expected issuance confirms your automation ran, and unexpected issuance is either a forgotten team or a problem — either way worth an alert. Finally, drill the failure once: let a staging certificate’s renewal break, confirm the alert fires and the fix path works, and record how long it took. Certificate incidents are fully preventable outages; the estate-wide checklist lives in the quarterly security audit.
