PKI: Focus Areas 2025

This article is part three of our series on cybersecurity topics that have been of particular interest to us over the past year. 2025 was characterized by announcements that could prove to be a turning point for digital trust infrastructure. While many organizations still view Public Key Infrastructure (PKI) as a static enabling technology, the pace of development is accelerating dramatically. Public TLS certificates are heading towards validity periods of a few weeks, browsers are forcing the end of “dual-use” certificates and post-quantum cryptography (PQC) is finding its way into production environments. Those who ignore these changes risk not only compliance problems, but also availability failures.

In our consulting practice at Temet, we clearly see that “set it up and forget it” is definitely over for PKI. This article highlights three developments that were formative in 2025 and will influence your IT and security strategy from 2026.

The end of manual management: 45 to 47 days of certificate validity

For years, certificate validity periods of 12 or 24 months were considered the standard. However, browser manufacturers - above all Apple and Google in the CA/Browser Forum - are pushing for a massive reduction in the validity periods of public TLS certificates. The timetable envisages a gradual reduction: On March 15, 2026, the validity period will drop to 200 days, exactly one year later to 100 days, until the target of 45 to 47 days of validity is reached on March 15, 2029. Many certificate authorities (CAs) are already not making full use of the maximum validity period. SwissSign, for example, deducts two days, DigiCert and Sectigo one day, and Let’s Encrypt is already at 90 days.

What is intended as a security gain through faster key exchange and crypto-agility becomes an operational stress test. With a 47-day runtime, clean lifecycle management effectively requires eight to nine renewals per year - or more if the deadline is not fully utilized - as well as significantly more frequent domain control validations (DCV). The risk of failure increases massively with manual processes: a forgotten certificate renewal is highly likely to lead to an incident with such a tight renewal window. We believe that manual processes, Excel lists and calendar entries are no longer viable. This turns automation, for example ACME-based, from a best practice into a business necessity.

The turning point 2026: The end of “dual-use” client authentication

An often underestimated but critical deadline is June 15, 2026. From this date, public CAs may only issue TLS certificates that only contain server authentication in the Extended Key Usage field; client authentication may no longer be included in new issues. According to the Google Chrome Root Program Policy (v1.6 / v1.7), public CAs will lose (browser) trust if they issue certificates with the EKU attribute “clientAuth” from this point onwards. The previously common combination of server identity and client identity in a single certificate will be prohibited in future. Leading CAs such as Let’s Encrypt, DigiCert, Sectigo and SwissSign have already announced that they will no longer issue such dual-use certificates in spring 2026.

This affects scenarios such as Mutual TLS (mTLS), API authentication, webhooks, machine and service identities and, in some cases, VPN architectures. We recommend a structured approach as a solution: The foundation is to update your asset inventory to know exactly where which certificates are used. We then recommend using a private PKI for client authentication certificates, as this is the cleanest and strategically correct approach for internal client authentication. Although the use of S/MIME certificates is technically feasible, it is not a long-term solution as another dual-use workaround.

PQC & Inventory: The foundation of crypto agility

Parallel to these operational changes, another cryptographic shift is taking place. With the finalization of the NIST standards (e.g. ML-KEM), the migration to post-quantum cryptography begins. With TLS 1.3, modern web servers/web services and browsers already rely on hybrid procedures to protect themselves against harvest-now-decrypt-later (HNDL) attacks.

But whether it’s ever-shorter certificate cycles, dual-use replacement or PQC migration, you can’t protect what you don’t know. To overcome this challenge, a two-stage, hybrid approach is recommended. First, active network scanning creates a complete overview of all TLS endpoints. In a second step, this inventory is subjected to a risk-based assessment, from which prioritized recommendations for action can be derived. Such a dynamic crypto inventory ensures that the necessary migration measures for each asset are clearly documented and can be retrieved quickly and easily in the event of an emergency.

Conclusion: PKI becomes strategic - or a risk

The combination of extremely shortened certificate validity periods, the regulatory end of dual-use and new cryptographic standards requires decisive action from IT departments. Those who wait until June 15, 2026 will have to react instead of designing.

We invite you to ask yourself the following questions:

• Do you know where you are using certificates and which use cases you are addressing?
• Do you use certificates for authentication that are affected by the dual-use ban?
• Are your renewal processes already sufficiently automated?

Temet supports you with a well-founded PKI assessment. Together, we will develop a roadmap for an automated, resilient and quantum-safe PKI future and support you in its implementation. Arrange a non-binding initial consultation with our PKI experts.