- Renewal automation is the only sustainable answer to 47-day TLS validity.
- ACME is the protocol of choice, but not every workload supports it.
- A platform must handle the exceptions cleanly, not pretend they do not exist.
- Blast-radius preview before approval is the difference between calm and chaos.
Why automation is the only sustainable answer
At 47-day validity, a single certificate renews roughly 7.7 times per year. At 10,000 certificates, that is 77,000 renewal events per year — over 200 per day on average. Manual approval at that volume is not a workflow; it is a full-time job for a team.
Automation lets human attention concentrate on the exceptions: high-risk services, policy violations, unfamiliar CAs. Everything else renews quietly.
ACME is the protocol of choice
ACME (RFC 8555) is the protocol the public CAs adopted for automation. Let's Encrypt, DigiCert, Sectigo, GlobalSign, Entrust — all support ACME for the certificates that matter most.
MachineCert speaks ACME v2 natively, including DNS-01 and HTTP-01 challenges. It can orchestrate ACME against any compliant CA, public or private.
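As an added example (not MachineCert's code or the page's own), the two ACME challenge types mentioned above worked through in Python: what the client must publish for HTTP-01 and DNS-01, and the check the CA performs against it. The account key and token are constructed placeholders, not a usable key.

```python
"""ACME (RFC 8555) challenge responses: what the client publishes, what the CA checks.
Added example, not MachineCert code. The account key and token below are constructed."""
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as used throughout ACME and JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def sha256_b64url(data: bytes) -> str:
    return b64url(hashlib.sha256(data).digest())

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of the ACME account key: SHA-256 over the required JWK
    members only, serialised as compact JSON with keys in lexicographic order."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return sha256_b64url(canonical.encode("utf-8"))

def key_authorization(token: str, jwk: dict) -> str:
    """HTTP-01: this string is served at http://<host>/.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(jwk)}"

def dns01_txt_value(token: str, jwk: dict) -> str:
    """DNS-01: base64url(SHA-256(key authorization)) in a TXT record at _acme-challenge.<host>."""
    return sha256_b64url(key_authorization(token, jwk).encode("ascii"))

def ca_validates_http01(served_body: str, token: str, jwk: dict) -> bool:
    """CA side: the fetched body, trailing whitespace ignored, must equal the key authorization."""
    return served_body.rstrip() == key_authorization(token, jwk)

def ca_validates_dns01(txt_records: list, token: str, jwk: dict) -> bool:
    """CA side: at least one TXT record at _acme-challenge.<host> must match exactly."""
    return dns01_txt_value(token, jwk) in txt_records

# Constructed sample account key (the modulus is a placeholder, not a real key) and token.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "placeholder-modulus-not-a-real-key"}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    print("HTTP-01 body:", key_authorization(TOKEN, ACCOUNT_JWK))
    print("DNS-01 TXT  :", dns01_txt_value(TOKEN, ACCOUNT_JWK))
```

The HTTP-01 check ignores trailing whitespace because RFC 8555 tells the CA to; the DNS-01 check does not, which is why a stray newline in an automation template breaks DNS-01 renewals but not HTTP-01 ones.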
Handling the exceptions
Not every workload supports ACME. Legacy load balancers, vendor appliances, and some internal PKI deployments still need a request-and-install workflow.
For those, MachineCert routes renewal requests through the native CA API, downloads the issued certificate, and triggers a managed deployment — or surfaces an approval request to the service owner if policy requires it.
Why blast-radius preview matters
Before approving a renewal — especially a renewal that requires a service restart — MachineCert shows exactly which downstream services depend on the certificate. The Trust Graph makes this visual.
An engineer approving a renewal at 2 am can see whether they are touching a leaf service or the auth gateway that 30 other services depend on. That context is the difference between a calm renewal and an unplanned outage.