The CA/Browser Forum vote to reduce maximum TLS certificate validity from 398 days down to 47 by 2029 has turned certificate management from an occasional administrative task into a near-continuous engineering obligation. Most organisations that deployed automation did so in parts: discovery, expiry alerts, sometimes renewal itself. The post-deployment step — pushing the certificate to the target server, restarting dependent services, confirming the new certificate is live — remained a manual job.
ManageEngine, the IT division of Zoho Corporation, has now automated that final stage in Key Manager Plus, its certificate lifecycle and machine identity management platform. The update adds CA-agnostic post-deployment automation that can push renewed certificates to target servers, execute configured scripts, restart services, and notify stakeholders without operator involvement. The company said the feature works identically across on-premises and cloud deployments.
To illustrate the problem the feature is designed to solve: RevSpring, a payment solutions provider based in Nashville, Tennessee, had fewer than 200 certificates under management before the 200-day validity mandate came into force in March 2026. After the change, they needed to track more than 2,000 certificates, across varied server configurations and credential sets, each requiring post-deployment steps. "With the 47-day certificate renewals coming up, automation is the only way we can keep up," said Jonathan Choiniere, RevSpring's infrastructure manager.
The post-deployment gap matters more as certificate lifespans shrink because the same steps that were acceptable to perform manually a handful of times a year become untenable at eight times the frequency. Manual steps at that cadence also increase the probability of misconfiguration and outage. According to ManageEngine, a certificate outage can run into millions of dollars in revenue loss per event.
Vasudevan Seshadri, director of product management at ManageEngine, said: "Certificate renewal is rarely the hard part. The work that piles up on teams is what comes after it, at scale: pushing certificates to the server, restarting the services, and confirming they actually went live. End-to-end automation is what turns a 47-day renewal cycle from a scramble into something that runs on its own."
Alongside the post-deployment automation, ManageEngine released a 47-day TLS impact calculator that lets organisations estimate what the mandate means for their specific certificate estate, factoring in current renewal labour, outage exposure, and the projected savings from full automation.
Key Manager Plus manages TLS/SSL certificates alongside Azure secrets, SSH keys, and other machine identities from a single platform.
To stay across the latest in cloud, AI and enterprise tech analysis from Compare the Cloud, subscribe to our weekly newsletter at https://www.comparethecloud.net/newsletter