FigureAsia Reporting · Asia Leaders

Nikesh Arora Is Automating the Internet's Certificate Reset. Forty-Seven Days Will Expose the Gaps

Nikesh Arora is pushing Palo Alto Networks into cryptographic operations as certificate renewals accelerate and governments prepare for quantum-resistant standards. The opportunity sits inside every digital service; the risk is that failed automation can stop those services at the same scale.

Public certificate validity has already fallen to 200 days and reaches 47 days in 2029. Palo Alto Networks is betting the network can become the control point for renewal, outage prevention and post-quantum migration.

Nikesh Arora is preparing Palo Alto Networks for a deadline that will arrive repeatedly. Since 15 March 2026, publicly trusted server certificates have been limited to a maximum validity of 200 days, down from 398. The ceiling falls to 100 days in March 2027 and 47 days in March 2029 under the CA/Browser Forum's baseline requirements. What was an occasional administrative task is becoming a continuous operating process.

Eight days after the first reduction took effect, Palo Alto Networks launched Next-Generation Trust Security. The product combines certificate discovery and lifecycle management with network visibility and enforcement. It is intended to find unmanaged certificates, refresh them before expiry and help organisations replace cryptography as standards change. Arora is betting that the network can become the control point for digital trust rather than merely the place where encrypted traffic passes.

This is a different kind of expansion for a security company. A certificate outage is not necessarily an attack. It may be a forgotten expiry, a revoked authority, an incorrect chain or a failed key rotation. Yet the outcome can be as disruptive as malicious activity: applications reject connections, customers cannot transact and machines lose permission to communicate. Automating that operational layer gives Palo Alto Networks a route into a large, persistent problem. It also makes product reliability unusually consequential.

The renewal calendar has already changed

The 47-day figure is not a distant proposal. The staged transition is under way. Certificates issued between March 2026 and March 2027 may last no more than 200 days; the following two-year period carries a 100-day ceiling; certificates issued from March 2029 are limited to 47 days. Moving from 398 to 47 days multiplies the minimum renewal frequency more than eightfold for each public endpoint.

That arithmetic understates the operational burden. A large company can hold certificates across websites, application interfaces, load balancers, containers, cloud services, branch devices and development environments. Ownership is often fragmented. Some certificates are created outside the central security team, and others protect machines that were never included in a complete inventory. Shorter validity reduces the period during which a compromised or outdated credential remains useful, but it gives administrators less time to notice failure.

Automation becomes a requirement rather than an efficiency feature. Discovery must identify the certificate, renewal must prove control, a new key and certificate must be issued, dependent systems must be updated, and the old material must be retired without interrupting service. Each step can involve a certificate authority, a network device, a cloud platform, a hardware-security module and an application owner. A dashboard alone does not close the loop.

Palo Alto Networks argues that its network position provides a better inventory than a standalone database. Traffic reveals which certificates are actively used and where enforcement sits. Next-Generation Trust Security can connect that view with certificate-lifecycle controls and machine-identity intelligence. The appeal is practical: turn an asset already deployed at control points into a system that both sees a trust problem and acts on it.

The network sees much, not everything

Arora's architectural claim has limits. Public web certificates are only one part of enterprise cryptography. Internal certificate authorities, code-signing keys, document signatures, device identities, software-package verification and secrets inside cloud services may not all appear at a firewall. Encrypted traffic can take paths the vendor does not inspect. Development teams can create short-lived credentials through cloud-native systems that operate independently of a central network appliance.

A credible product must therefore ingest information from certificate authorities, cloud providers, identity systems, hardware-security modules and software-delivery tools. It must map ownership and business criticality, not merely list expiry dates. A certificate protecting a payment gateway requires different change controls from one used in a test environment. The product needs application context before it can decide how aggressively to automate.

Competition will be strong because certificate management is an established market. Specialist public-key-infrastructure vendors understand issuance and policy, cloud providers automate credentials within their own estates, and identity platforms manage machine credentials. Palo Alto Networks can differentiate through enforcement and installed network reach, but it cannot assume that a security buyer will replace tools that already manage complex certificate-authority relationships.

The commercial question is whether lifecycle automation becomes a separately valued subscription or a feature included to defend a wider account. Palo Alto Networks does not disclose revenue, customer count or renewal metrics for Next-Generation Trust Security. Its fiscal third quarter produced $3 billion of total revenue, including $2.41 billion from subscriptions and support, while next-generation security annual recurring revenue reached $8.1 billion. At that scale, a new category must generate measurable attachment and retention rather than only strengthen marketing.

Automation can centralise failure

Shorter certificates reduce some security risk by forcing more frequent validation and key turnover. Poor automation creates a different risk: a bad policy can be propagated across thousands of endpoints at once. The same control plane that prevents forgotten expiries could revoke the wrong certificate, deploy an incompatible chain or rotate keys before an application is ready.

Arora must insist on operational safeguards that are less exciting than the launch. High-value changes need staged deployment, pre-production validation, rollback, maintenance windows and separation of duties. Renewal success should be measured from application response, not from issuance alone. Audit records must show who authorised a policy and which machine executed it. Emergency manual control must remain available when an automation rule behaves unexpectedly.

Availability will shape the economics. If automation reduces outages and staff hours, customers can justify a recurring fee from operational savings, not only cyber risk. If it requires substantial professional services or generates frequent exceptions, margins weaken and the product becomes another administrative layer. Palo Alto Networks should publish renewal success rates, coverage of active certificates, prevented expiry events and time required to restore failed changes.

The company also carries its own concentration responsibility. A widely adopted certificate-control service becomes critical infrastructure. A vulnerability, service interruption or incorrect global update inside it could affect many customers simultaneously. Product design must support regional resilience, customer-held approval and failure isolation rather than require blind dependence on a vendor cloud.

Certificate rotation is not quantum migration

Palo Alto Networks connects its launch to post-quantum readiness, and the relationship is real but should be precise. Reducing certificate validity does not make current public-key algorithms safe against a sufficiently capable quantum computer. It improves operational agility: organisations that can inventory and replace certificates rapidly are better prepared to change algorithms and keys when required.

The cryptographic transition has moved from research into standards. The US National Institute of Standards and Technology finalised ML-KEM for key establishment and ML-DSA and SLH-DSA for digital signatures in 2024. NIST says organisations should begin migration and expects quantum-vulnerable algorithms to be deprecated and ultimately removed from its standards by 2035, with high-risk systems moving earlier. In June 2026 it issued working drafts for adding post-quantum algorithms to federal personal-identity credentials.

This creates a second inventory problem. Companies need to know not only where certificates expire but which algorithms, libraries, key sizes and protocols protect each asset. They must test larger keys and signatures, confirm compatibility across hardware and software, and often operate classical and post-quantum methods together during transition. A lifecycle tool can orchestrate replacement, but it still depends on applications, devices and certificate authorities supporting the new standards correctly.

The danger is that a post-quantum label encourages customers to believe migration is a switch. It is a multi-year engineering programme involving procurement, software updates, performance testing and data-retention decisions. Information collected today may be stored and decrypted later, making long-lived sensitive data more urgent than an ordinary public website. Arora's product should expose those differences rather than reduce them to one readiness score.

Asia is moving from guidance to implementation

Asian governments are creating a market for cryptographic visibility and controlled migration. Japan updated its CRYPTREC list in March 2026 to add ML-KEM to the cryptography recommended for electronic government procurement. A Cabinet Secretariat working group is developing a government migration road map and surveying implementation. In April, Japan's National Institute of Information and Communications Technology and partners reported a proof of concept for moving certificate-authority infrastructure towards post-quantum cryptography through a secondary root certificate.

Singapore has taken a similarly explicit position. Its Cyber Security Agency said in 2026 that post-quantum cryptography will be the mainstream migration method and that Singapore will use NIST standards as a baseline. The agency had already released a quantum-safe handbook and readiness index and is supporting two nationwide quantum-safe networks. India is developing post-quantum public-key infrastructure and crypto tokens through its electronics ministry.

These programmes give Palo Alto Networks a route into governments, banks, telecommunications groups and critical-infrastructure operators. They also prevent a single global configuration from being sufficient. National procurement lists, certificate hierarchies, data-location rules and migration schedules differ. Customers may require local control planes and evidence that cryptographic inventories remain inside their jurisdiction.

Japan is particularly instructive because standards work and certificate-authority testing are happening together. A vendor that only discovers old algorithms is incomplete; one that automates replacement without local interoperability evidence is dangerous. Palo Alto Networks needs relationships with regional authorities, certificate providers and system integrators, not just a translated interface.

The metric is uninterrupted change

Arora has built his tenure around the proposition that broad visibility improves security. Certificate automation applies that idea to an operational system where the absence of an incident is the product. Success will look uneventful: certificates renew, applications continue responding and cryptographic transitions occur without users noticing.

The financial opportunity can be durable. Every digital service needs machine trust, renewal frequency is rising by rule, and post-quantum standards create years of migration work. Palo Alto Networks has more than 70,000 customers and a large installed base of enforcement points. It can attach lifecycle controls to relationships that already carry subscription revenue and executive access.

But urgency does not establish product leadership. Arora must show that network-based discovery finds assets other tools miss, that automated renewal reduces outages, and that post-quantum workflows handle the full application dependency rather than only replace a certificate. He must also show that customers pay for the capability rather than receive it as an inducement to buy something else.

The first deadline has passed; the maximum validity period is already 200 days. The next reduction arrives in 2027, and 47-day certificates follow in 2029. Those stages create an unusually clear product examination. Palo Alto Networks will have repeated opportunities to prove coverage, safety and commercial value. If renewals become invisible, Arora will have turned a standards mandate into infrastructure. If failures multiply, forty-seven days will not merely expose neglected certificates. It will expose the limits of his control point.