Certificate Lifecycle Management

Certificate Lifecycle Management — From Issuance to Renewal, Fully Automated

CertControl manages the full certificate lifecycle — automated discovery, continuous TLS monitoring, ACME renewal automation, and compliance reporting — in one platform built for security and operations teams.

14-day free trial  ·  No credit card required  ·  EU hosted  ·  Dedicated instance per customer

The five lifecycle stages

Every stage of the certificate lifecycle, covered

Certificate lifecycle management means handling every stage — not just the visible ones. Here is what CertControl covers end-to-end.

01 Discovery
Automatic identification of all certificates in use — via Certificate Transparency logs, active scanning, and an on-premise agent for internal networks. Including the certificates you did not know existed.

02 Inventory
A structured, continuously updated register of all certificates: domains, expiry dates, issuing CA, responsible owner, and which systems are protected. Always current — never a spreadsheet from six months ago.

03 Monitoring
Continuous scanning for expiry, cipher suite weaknesses, chain errors, OCSP revocation status, protocol issues, and CT log anomalies. A+ to F TLS grading per endpoint, updated automatically.

04 Renewal
Manual workflow support for certificates requiring CA processing, plus full ACME automation for Let's Encrypt and compatible CAs. With 47-day certificates arriving in 2029, automation is the only scalable approach.

05 Compliance reporting
Executive summaries, expiry forecasts, operational risk reports, and drift detection — all with an audit-log history that proves continuous management. NIS2 Article 21-ready.

+ Revocation tracking
OCSP status monitoring that detects revoked certificates still in use. CT log monitoring that catches unauthorised certificate issuances for your domains before attackers can exploit them.

47-day certificates — the forcing function

Why certificate lifecycle management is urgent now

The CA/Browser Forum has voted unanimously. TLS certificate lifetimes will be reduced to 47 days by March 2029. For organisations with hundreds or thousands of certificates, this is not a gradual change — it is a forcing function for automation.

Increase in renewal frequency from today to 2029. 1,000 certificates become 8,000 annual renewals.

0: Manual renewals needed when ACME automation is in place. Zero. The lifecycle runs itself.

Mar 2026: 200-day maximum begins. The transition is not coming — it has started.

Frequently asked questions

Certificate lifecycle management — questions answered

What is certificate lifecycle management?

Certificate lifecycle management (CLM) is the end-to-end process of managing TLS/SSL certificates — from discovery and issuance through monitoring, renewal automation, and compliance reporting. CLM software replaces manual spreadsheets with automated, continuous control.

How does CLM relate to NIS2 compliance?

NIS2 Article 21 requires documented risk analysis and technical controls for information systems — explicitly including TLS/PKI infrastructure. CLM software provides the continuous monitoring, inventory management, and audit-log history that supervisory authorities expect to see during inspections.

What is ACME automation in the context of CLM?

ACME (Automated Certificate Management Environment) is a protocol that automates certificate issuance and renewal with Let's Encrypt and other compatible CAs. CertControl offers two ACME modes:

As an ACME client (Business plan), CertControl requests certificates from Let's Encrypt or another supported CA on your behalf — HTTP-01 automatic, DNS-01 validated in a single step.

As an ACME Server (Scale plan, RFC 8555), CertControl acts as the ACME endpoint for your internal Linux and Windows servers — certbot, acme.sh, or Posh-ACME connect to CertControl, which issues or forwards orders to a supported upstream CA. With a DNS plugin configured, renewal is fully zero-touch — including certificate installation on the server.

The Scale plan also includes ARI (Automatic Renewal Information, RFC 9773): CertControl signals the optimal renewal window to each ACME client, enabling coordinated fleet renewals and one-click mass-revocation. CertControl monitors the full lifecycle and surfaces issues as actionable warnings.

Can CLM software cover internal certificates, not just internet-facing ones?

Yes. CertControl includes an on-premise agent that scans internal networks and integrates internal certificate data into the same lifecycle management platform as internet-facing certificates. Most certificate-related outages originate from internal systems nobody was tracking.
