Sectigo released its inaugural State of Crypto Agility report, developed with analysis from global research firm Omdia. The report examines how prepared enterprises are for two major changes impacting digital trust: the CA/Browser Forum’s planned reduction of SSL/TLS certificate lifespans to 47 days by 2029, and the transition to post-quantum cryptography (PQC) by 2030.
“SSL/TLS public certificates and their underlying cryptography have been remarkably stable for 30 years, acting as an invisible component of IT infrastructure, but that era is over,” said Tim Callan, chief compliance officer at Sectigo. “Today, certificates are front and center in the fight to secure our digital future. Building certificate agility now is the fastest path to achieving the crypto agility required for post-quantum cryptography readiness later.”
Both changes individually represent significant operational and security challenges, but together they demand a transformative approach toward crypto agility. 90% of organizations recognize an overlap between their preparedness efforts for short-lived certificates and PQC readiness, with the transition to 47-day certificates serving as an essential onramp to PQC adoption. Yet overall organizational readiness for either remains critically low.
Key findings from 272 global IT decision makers across industries and business sizes include:
47-day SSL/TLS certificates
- 96% of organizations are concerned about the impact of shorter SSL/TLS certificate lifespans on their business. Fewer than 1 in 5 (19%) organizations feel very prepared to support the coming shift to 47-day certificate renewal cycles.
- Only 5% have fully automated certificate management, leaving a staggering 95% who remain at least partially dependent on manual processes, dramatically increasing operational and disruption risk as renewal frequencies accelerate.
- Just 28% have a complete certificate inventory, and only 13% are extremely confident they are tracking all (even rogue) certificates.
- 98% of organizations have, or expect to experience, challenges with PQC implementation, and 92% expect to encounter some sort of barrier during PQC implementation.
- Only 14% have conducted a full assessment of quantum-vulnerable systems.
- Only 15% feel extremely confident in their ability to integrate PQC without major disruption.
- 90% have budgets allocated to PQC preparedness initiatives within the next 12 months, and 92% expect to increase that investment over the next 2-3 years.
“The data underscores a critical inflection point for enterprises,” said Rik Turner, chief analyst, cybersecurity, at Omdia. “Managing shorter certificate lifecycles cannot be treated as a separate IT task; it is central to building crypto agility necessary for the PQC transition. The coming years will test organizations’ ability to adapt their cryptographic infrastructure at scale under pressure, and those who fail to prepare now face heightened operational and cybersecurity risk.”