The cross-functional communication required to deal with short certificate lifecycles

“They can spend their time advising internal customers,” he adds. “They can go to their web server team, their F5 team, or their ATM team and say, we planned for this change a year and a half ago. You don’t have to do anything; we just want to let you know.”

Knock-on effects

Even organizations already managing and renewing TLS certificates at scale need to pay attention, says Chris Swan, a senior engineer at Atsign. He describes the changes as relatively straightforward for the systems he manages, but not entirely anxiety-free, since a shorter renewal window — just 17 days by 2029 — has other implications.

Monthly renewals may impact patching and restart schedules. “While IIS can take a cert renewal on the fly and you don’t need to restart services, for some applications like Tomcat, you have to restart services,” says Jeff Hagen, PKI and IAM security architect at Hyland. “We currently schedule that with our patch window, but we’re likely going to need to do something different because if maintenance windows are monthly, that might be cutting it tight.”
