By March 15, 2029, public TLS certificates will be valid for only 47 days. For our estate of — certificates with —% automation today, that translates to the headline number above. It combines manual renewal labor with revenue at risk from missed renewals.
If a renewal slips and a public service goes down, this is the downtime exposure on top of the labor cost above.
Today, a single certificate renews roughly twice a year. By March 2029, that becomes once every 31 days. Multiplied across our estate, that's — renewal events annually, every one a chance to miss, misconfigure, or lose track of.
Even with industry-typical 99.5% manual success rates, the math forces outages. Automation cuts the per-renewal failure rate by two orders of magnitude (99.99% per ACME and managed-CA benchmarks).
Lifting our automation coverage to the maximum our environment supports (excluding the —% of certs that genuinely cannot be automated, such as HSMs, embedded devices, and compliance-bound systems) reduces the labor side from — to — per year.
On the revenue side, it cuts expected misses from — to — per year. The remaining residual risk lives entirely in the non-automatable floor.
Each row holds our certificate count, automation mix, and downtime cost steady, so only the certificate validity period changes. The shorter the validity window, the more renewal cycles pile up. The work multiplies as the number shrinks.
See how ACME, integrated CA support, and continuous discovery turn the 47-day deadline into a non-event. We'll model your specific environment with you.
Renewal frequency:renewals/year = 365 ÷ (max_validity × 2/3), the ACME and Let's Encrypt default renewal point. Manual labor: covers CSR generation, validation, installation, verification. Outage frequency: per-renewal success rates 99.5% manual / 99.99% automated. These are our chosen defaults, calibrated to be consistent with industry availability targets in Uptime Institute 2025 and ITIC 2024. Outage duration: the 90-minute default is a configurable assumption, not drawn from a specific cited source. Revenue exposure: per-minute defaults sit in the median—conservative end of ITIC 2024 bands (SMB sub-$5k/hr; Mid-market $300k—$1M/hr; Enterprise $1M—$5M/hr; Fortune $5M+/hr for top verticals such as Banking, Healthcare, Manufacturing, and Retail). Regulatory source:CA/Browser Forum Ballot SC-081v3, approved April 11, 2025.