The CA/B Forum 200-Day Certificate Mandate: What Azure Teams Need to Know

On July 22, 2025, the CA/Browser Forum passed Ballot SC-081, setting in motion the most significant change to TLS certificate management in over a decade. Starting March 15, 2026, the maximum lifetime for publicly trusted TLS certificates drops from 398 days to 200 days. And that's just the beginning.

If your team manages certificates in Azure Key Vault — or anywhere else — and you're still handling renewals manually, this is your wake-up call.

The New Timeline

The CA/B Forum's phased reduction schedule is aggressive:

• March 15, 2026: Maximum certificate lifetime drops to 200 days
• March 15, 2027: Maximum drops further to 100 days
• March 15, 2029: Maximum drops to 47 days

Both DigiCert and Sectigo have published guidance confirming these timelines and urging customers to adopt automated certificate lifecycle management immediately. DigiCert's announcement specifically calls out the need for "crypto-agility" — the ability to rotate certificates rapidly and at scale. Sectigo's guidance emphasizes that organizations still relying on spreadsheets and calendar reminders are heading for "a wall of operational pain."

They're not wrong.

Why This Matters More Than You Think

At 398 days, most teams could get away with annual renewal cycles. A shared calendar reminder, a quick manual process, maybe a ticket in ServiceNow. It wasn't elegant, but it worked well enough.

At 200 days, you're renewing every certificate roughly twice a year. At 100 days, it's nearly four times. At 47 days, you're looking at eight renewal cycles per certificate per year.

Now multiply that by the number of certificates in your environment. If you manage 50 certificates, 47-day lifetimes mean approximately 400 renewal events per year. For organizations with hundreds of certificates, you're looking at thousands of annual renewals.

Manual processes don't scale to that level. They break.

The Outage Risk Is Real

According to the Ponemon Institute's research on certificate-related outages, 54% of organizations have experienced a security incident or outage caused by an expired certificate. That statistic was collected when certificates lasted over a year.

With shorter lifetimes, the window for catching an expiring certificate shrinks dramatically. A certificate that expires in 47 days gives you less than seven weeks from issuance to plan the next renewal. Miss the window, and you're looking at:

• Production outages — TLS handshake failures take down APIs, web apps, and service-to-service communication
• Broken CI/CD pipelines — Expired certificates in deployment pipelines cause cascading build failures
• Customer-facing incidents — Browser warnings and connection refusals erode trust
• Compliance violations — Auditors take a dim view of expired certificates in regulated environments

The shorter the lifetime, the tighter the margin for error, and the higher the cost of getting it wrong.

What This Means for Azure Teams

Azure Key Vault is where most Azure-native teams store their certificates. Key Vault does support certificate auto-renewal for certificates issued by integrated CAs (like DigiCert), but there are important gaps:

Certificates from non-integrated CAs

If your certificates come from a CA that isn't directly integrated with Key Vault's auto-renewal feature, you're responsible for the renewal workflow yourself. That's a significant number of organizations.

Visibility across subscriptions

Most enterprises run multiple Azure subscriptions. Knowing which certificates are approaching expiration across all of them — and who owns each one — requires either custom tooling or a purpose-built solution.

Alert fatigue vs. alert absence

Azure Monitor can generate alerts based on Key Vault events, but setting up granular, team-routed expiration alerts with appropriate lead times (30 days? 14 days? 7 days?) requires configuration that most teams haven't done. You either get too many alerts or none at all.

Compliance documentation

When auditors ask "show me your certificate management process," pointing to a collection of ad-hoc scripts and hope isn't a compelling answer. Shorter lifetimes make the audit trail even more important — you need to demonstrate that every renewal was tracked and completed on time.

What You Should Do Now

The March 2026 deadline is close. Here's a practical roadmap:

1. Inventory your certificates

Know exactly how many certificates you have, where they live, when they expire, and who owns them. If you can't answer these questions today, you're not ready for 200-day lifetimes.

2. Assess your renewal process

For each certificate, document how it gets renewed. Is it automated? Semi-automated? Fully manual? Any certificate that requires a human to remember to renew it is a ticking time bomb under the new timeline.

3. Automate everything you can

Azure Key Vault's built-in auto-renewal works for integrated CAs. For everything else, you need automation — whether that's custom scripts, ACME protocol integration, or a monitoring solution that tracks expirations and alerts the right people before it's too late.

4. Establish ownership

Every certificate needs a clear owner. When a renewal alert fires at 30 days before expiration, someone specific needs to be accountable for acting on it. "The DevOps team" isn't specific enough.

5. Test your process

Simulate a renewal cycle. Can your team execute it end-to-end without scrambling? If the answer is no, fix the process before March 2026 — not after your first outage.

How VaultGuard360 Helps

We built VaultGuard360 specifically for this kind of operational challenge. It deploys directly into your Azure tenant as a Managed Application and continuously monitors every secret, certificate, and key across all your subscriptions.

For the certificate lifecycle changes specifically, VaultGuard360 provides:

• Expiration forecasting with configurable alert thresholds (90, 60, 30, 14, 7 days — whatever your renewal workflow requires)
• Team-based alert routing so the right people get notified about the certificates they own
• Multi-subscription visibility in a single dashboard — no more blind spots
• Audit-ready reports showing your complete certificate inventory and renewal history
• Integration with Teams, Slack, and webhooks to fit into your existing workflows

The CA/B Forum's timeline isn't going to slow down. Whether you use VaultGuard360 or another approach, the time to automate is now — before 200-day lifetimes become your reality in March.

---

Don't let shortened certificate lifetimes catch your team off guard. Explore VaultGuard360 to get proactive expiration monitoring across all your Azure subscriptions, or see pricing to find the right plan for your organization.