Two events are altering the world of Public Key Infrastructure (PKI): the shortening of SSL/TLS certificate lifespans and the transition to post-quantum cryptography (PQC). In new research from Sectigo/Omdia, it is revealed that a majority of organizations are unprepared for this future, as only 19% feel very prepared for the upcoming change to 47-day certificate renewal cycles, and a mere 15% are extremely confident in the organization’s ability to integrate PQC and avoid major disruption. 

Rik Turner, Chief Analyst, Cybersecurity at Omdia comments, “Perhaps because they have been around for three decades, it’s like TLS certs have kind of been absorbed into the ‘plumbing’ that simply makes IT work, at least in the perception of many of our respondents. That’s why it feels like not enough of them are aware of the 47-day issue that’s barreling down the pike towards them, and don’t seem to have thought through the need for automation that it is going to impose on their organization.”

Key findings from the report include: 

• Most organizations (96%) are concerned about how shorter SSL/TLS certificate lifespans will impact business. 
• 95% are at least partially dependent on manual processes for certificate management, as only 5% have filly automated the process. 
• 28% possess a complete certificate inventory; 13% are extremely confident they are tracking all certificates. 
• A majority of organizations (98%) have experienced or anticipate they will experience difficulties with PQC implementation, and 92% expect to encounter a barrier of some kind. 
• Few (14%) have completed a full assessment of quantum-vulnerable systems.

Turner remarks, “It seems to me that there are two reasons not to simply wait till Q-Day. One is that technology has the ability to surprise us: witness the absolute explosion in AI adoption since ChatGPT was launched on an unsuspecting world in November 2022. The other is the suspicion that the bad guys aren’t waiting. In other words, threat actors may be harvesting your most heavily encrypted data now, in the expectation of being able to decrypt it as soon as they get their hands on a QC. And of course, if they are backed by nation-states, they’ll gain access to one long before the average company does.”

Below, security leaders share their insights. 

Security Leaders Weigh In 

Tim Mackey, Head of Software Supply Chain Risk Strategy at Black Duck:

Regulations, such as the EU Digital Operational Resilience Act, require businesses to prioritize cybersecurity activities based on risks to business operations. Expired or revoked certificates break the trust between clients and the underlying services — whether those clients are end users with browsers or encrypted channels between API powered business partners. Shortening expiration windows help reduce the potential impact of encryption key misuse while also promoting the use of automated key management systems.

Ben Volkow, Co-Founder and CEO at QIZ Security:

PQC migration is shaping up to be one of the biggest IT and cybersecurity challenges of the coming decade. The urgency isn’t just about the quantum threat — it’s also about untangling the cryptographic ‘jungle’ created over the last decade. We see the quantum risk as the catalyst for a new era of cryptography management — one that aligns with recent IT architecture shifts, the rise of AI, and the accelerating pace of advanced cyber threats.

PQC migration is already falling behind the pace of threat evolution — from rapid quantum advancements to the ‘harvest now, decrypt later’ risk and tightening regulatory timelines. What’s even more concerning is the lack of dedicated, automated tools — most migrations today are slow, service-heavy, and lack standardized frameworks.

The PQC risk is real, and most organizations are already behind the curve. But PQC migration isn’t just a defensive necessity — it’s a strategic opportunity to modernize cryptography management, much of which still relies on outdated architectures and concepts. This is a chance to align with today’s distributed IT models, AI-driven operations, and the risks of  next-generation cyber threats.

PQC migration is both the greatest cryptographic risk and the biggest modernization opportunity of the decade — one that demands we move from outdated, fragmented crypto management to AI-driven, automated, and quantum-ready security.

Trey Ford, Chief Strategy and Trust Officer at Bugcrowd:

Effective certificate management is a root of trust for online systems, both in B2B and B2C operations, increasingly so in the modern cloud-native era.

Automated Certificate management environment (ACME) integrations have powered so much of the cloud-native movement, machine-to-machine authentication and IAM infrastructure relies heavily on automated provisioning and management, and Lets-Encrypt has brought this into the mainstream.

The implementation of PQC has a variety of complications that companies and technology providers will need to test for — larger certificates, heavier cryptographic processing loads, new ciphers and libraries to support them. Increased compute, thanks to heavier crypto in PQC, will add power and time sensitivity demands — requiring heavy testing and planning for implementation.

PQC addresses both components of the parkerian hexad (confidentiality and possession) as the load required to decrypt captured exchanges over time will be much higher, leading to more resilient, and thus higher trust and confidence in the safety of those communications.