Air-Gapped Systems and 47-Day Certificates: A Compliance Nightmare
Your nuclear power plant control room runs on an air-gapped network. So does the manufacturing floor at the pharmaceutical company down the street. And the classified government system handling sensitive intelligence data. These networks exist in isolation for good reason—they’re too critical to risk connecting to the outside world.
But here’s the problem: SSL/TLS certificate lifespans are shrinking fast, and these isolated systems are about to face a compliance crisis that most organizations haven’t even started thinking about.
The 47-Day Reality Check
On April 11, 2025, the CA/Browser Forum approved Ballot SC-081v3, setting in motion a dramatic shift in how we manage digital certificates. The timeline looks like this:
- March 15, 2026: Maximum certificate validity drops to 200 days
- March 15, 2027: Further reduction to 100 days
- March 15, 2029: The final 47-day limit takes effect
That last number isn’t a typo. In just over three years, your certificates will expire roughly every six weeks. And the domain validation data that backs those certificates? It’ll only be reusable for 10 days.
For IT teams managing internet-connected infrastructure, this is a significant challenge. For teams running air-gapped systems, it’s potentially devastating.
Why Air-Gapped Systems Face Unique Challenges
Air-gapped networks exist in some of the most security-sensitive environments imaginable: operational technology (OT) in manufacturing plants, SCADA systems controlling critical infrastructure, healthcare systems managing protected health information, classified government networks, and financial trading systems.
These environments rely on physical isolation as a primary security control. The network can’t reach the internet, and the internet can’t reach it. That isolation is the whole point.
But certificate management traditionally depends on connectivity. Certificate authorities need to validate domain ownership. Automated renewal systems like ACME need to reach external servers. Certificate revocation checks need access to CRL or OCSP endpoints.
Consider a concrete example. When an operator inside an isolated network tries to install signed software, the system attempts a revocation check by contacting an external server. In an air-gapped environment, that connection is blocked, so the installation hangs indefinitely or fails with a cryptic error message that doesn’t explain the actual problem.
The Math Doesn’t Work Anymore
Let’s run the numbers on what 47-day certificates mean for manual management.
Managing a single certificate manually takes roughly four hours when you factor in the request, validation, installation, and testing. With 398-day certificate lifespans (the old standard), an organization with 1,000 certificates would spend about 4,000 hours annually on certificate management.
Under 47-day validity periods, those same 1,000 certificates require roughly 12 times as many renewal events per year. That’s 48,000 hours—the equivalent of 23 full-time employees doing nothing but certificate renewals.
Now add the complications specific to air-gapped environments:
- Physical access requirements to update systems
- Out-of-band update processes involving secure file transfers
- Coordination across disconnected teams
- Change management procedures that can take weeks in regulated environments
- Documentation requirements for compliance audits
What once required scheduling a technician once a year now demands constant attention. The logistics alone become unmanageable.
Industry-Specific Compliance Complications
Healthcare: HIPAA Meets Certificate Chaos
Healthcare organizations face strict requirements under HIPAA for protecting electronic protected health information (ePHI). The regulation requires:
- Encryption of data in transit using TLS 1.2 or higher
- Inventory of all certificates and keys
- Defined rotation policies
- Audit trails for all certificate activity
- Escalation paths for expiration notifications
Healthcare IT teams managing air-gapped systems—think isolated medical device networks or protected research environments—already struggle with these requirements. An audit finding of expired certificates or manual spreadsheet tracking can result in serious compliance violations.
With certificates expiring every 47 days, the window for error shrinks dramatically. Miss one renewal on an air-gapped diagnostic system, and you’re looking at a potential HIPAA violation on top of the operational disruption.
Government: Classified Networks and FISMA Requirements
Federal agencies must comply with FISMA, which requires comprehensive security controls for all information systems—including those operating in air-gapped environments.
FISMA mandates:
- Complete system inventory
- Risk categorization of all systems
- Security controls based on NIST SP 800-53
- Continuous monitoring and assessment
Classified networks add another layer of complexity. These systems often require Authority to Operate (ATO) approvals for any changes, and certificate updates definitely count as changes.
Getting a certificate renewed on a classified network might require:
- Documentation of the change request
- Security review of the new certificate
- Approval from a Designated Approving Authority
- Scheduled maintenance window
- Physical access to the secure facility
- Post-change security validation
When certificates lasted a year, this process was manageable. When they last 47 days, you’re essentially in perpetual change-management mode.
Financial Services: SOX, PCI DSS, and Banking Regulations
Financial institutions face overlapping regulatory requirements from SOX, PCI DSS, GLBA, and potentially the NYDFS Cybersecurity Regulation (23 NYCRR 500).
All of these frameworks require:
- Tracking of user access to systems containing sensitive data
- Up-to-date security controls
- Robust access management
- Audit logs for compliance reviews
Air-gapped trading systems or isolated payment processing environments must maintain compliance while operating in complete network isolation. PCI DSS non-compliance can result in fines of $5,000 to $100,000 per month until resolved. SOX violations can lead to delisting from stock exchanges.
The cost of getting certificate management wrong in financial services isn’t just operational—it’s existential.
OT and Industrial Control Systems: IEC 62443 and Safety-Critical Operations
The IEC 62443 standards provide the global framework for securing industrial automation and control systems (IACS). These standards explicitly address certificate-based authentication for industrial components.
Managing certificate lifecycles in industrial environments presents unique challenges:
- Many OT systems run 24/7/365 with no maintenance windows
- Production stoppages can cost millions per hour
- Safety systems must remain operational at all times
- Legacy equipment may not support modern certificate protocols
Industrial control protocols like Modbus, OPC DA, and EtherNet/IP should be restricted to isolated network segments. External connections should go through a DMZ using secure protocols like OPC UA over TLS or MQTT over TLS.
But when those TLS certificates expire every 47 days, even DMZ connections become a management burden.
The Air Gap Myth vs. Reality
Here’s an uncomfortable truth: many “air-gapped” systems aren’t as isolated as organizations believe.
According to Sean McGurk, former Director of the National Cybersecurity and Communications Integration Center at DHS: “In our experience in conducting hundreds of vulnerability assessments in the private sector, in no case have we ever found the operations network, the SCADA system or energy management system separated from the enterprise network. On average, we see 11 direct connections between those networks.”
True air gaps are rare. What most organizations actually have are “low-connection” environments with limited, controlled connections to external systems. Understanding this distinction matters for certificate management strategy.
If your “air-gapped” network actually has 11 connection points to the corporate network, you might have more automation options than you thought. But you also have 11 potential certificate dependencies you might not be tracking.
Strategies for Managing Certificates in Isolated Environments
So what can organizations do? Complete automation might not be possible, but there are practical approaches that can reduce the burden.
1. Internal PKI for Internal Systems
The 47-day requirement from the CA/Browser Forum only applies to publicly trusted certificates. If you’re using certificates solely for internal communication within your air-gapped network, you can run your own internal Certificate Authority with whatever validity periods make sense for your environment.
Internal PKI lets you:
- Set longer certificate lifespans (though not indefinitely—you still need rotation)
- Avoid external validation requirements
- Control your own root of trust
- Automate within your isolated environment
The tradeoff? You lose the automatic trust that comes from publicly recognized CAs. But for truly isolated systems, that trust relationship doesn’t matter anyway.
2. Certificate Discovery and Inventory
You can’t manage what you don’t know about. Before implementing any strategy, you need complete visibility into every certificate across your environment.
This means discovering certificates on:
- All servers in the air-gapped environment
- Network devices and appliances
- Application containers
- Load balancers
- Any system with TLS enabled
A certificate management system like CertMS can monitor Windows and Linux servers through lightweight agents, pulling certificate inventory into a central tracking system. Even in air-gapped environments, you can aggregate this data and gain visibility into what’s expiring and when.
3. Scheduled Maintenance Windows with Certificate Batching
If manual intervention is unavoidable, batch your certificate operations to maximize efficiency. Instead of handling certificates one at a time as they approach expiration, group renewals into scheduled maintenance windows.
With 47-day certificates, you might establish:
- Bi-weekly certificate review sessions
- Monthly maintenance windows for bulk updates
- Quarterly comprehensive audits
The key is building certificate management into your existing operational rhythm rather than treating it as an exception.
4. Proxy Solutions for Revocation Checking
One specific pain point in air-gapped environments is certificate revocation checking. Systems hang or fail when they can’t reach CRL or OCSP servers.
Specialized proxy solutions can act as a secure gateway for revocation data only. The proxy lives in your DMZ, validates all data passing through, and provides revocation status to your isolated systems without opening full internet connectivity.
This won’t help with certificate issuance, but it can eliminate one common failure mode in air-gapped certificate management.
5. Documentation and Runbook Creation
When manual processes are unavoidable, detailed documentation becomes your safety net. Build runbooks that include:
- Exact steps for certificate renewal in each system
- Required approvals and change management procedures
- Rollback procedures if something goes wrong
- Contact information for emergency support
CertMS allows you to attach documentation directly to certificates, so renewal procedures travel with the certificate record. When an alert fires, the team responding has immediate access to the specific steps needed for that particular certificate.
Building Your Air-Gap Certificate Strategy
Here’s a practical framework for tackling this problem:
Phase 1: Discovery and Assessment
- Inventory all certificates in your air-gapped environment
- Map certificate dependencies and trust relationships
- Identify which certificates must be publicly trusted vs. internal-only
- Document current renewal processes and their actual time requirements
Phase 2: Architecture Planning
- Evaluate internal PKI options for appropriate use cases
- Design certificate management workflows that account for air-gap constraints
- Establish realistic maintenance schedules based on certificate validity periods
- Plan for the March 2026, 2027, and 2029 milestones
Phase 3: Tooling and Monitoring
- Implement certificate monitoring that works within your constraints
- Set up alerting with sufficient lead time for air-gap renewal procedures
- Create reporting for compliance evidence
- Integrate with change management and ticketing systems
Phase 4: Process Optimization
- Train teams on new procedures
- Conduct tabletop exercises for certificate emergencies
- Refine runbooks based on actual experience
- Build metrics to track improvement over time
The Cost of Getting This Wrong
Certificate outages are expensive under any circumstances. Estimates put the average cost at around $5,600 per minute of downtime. For air-gapped environments running critical infrastructure, the stakes are even higher.
A certificate expiration in an OT environment could halt a production line. In healthcare, it could disrupt life-critical systems. In financial services, it could stop trading operations. In government, it could compromise classified communications.
Beyond operational costs, there’s the compliance exposure. Auditors increasingly treat certificate management as a core security control. Poor practices—especially the “spreadsheet and calendar reminder” approach—are viewed unfavorably during assessments.
Looking Ahead: The Automation Imperative
According to Sectigo’s 2025 State of Crypto Agility Report:
- 96% of organizations are concerned about the impact of 47-day certificates
- Fewer than 1 in 5 organizations are prepared for monthly renewals
- Only 5% have fully automated certificate management
Those numbers are for all organizations, including those with full internet connectivity. For air-gapped environments, the preparedness level is almost certainly lower.
The industry is pushing toward automation as the only sustainable solution. Certificate Lifecycle Management (CLM) platforms are becoming standard infrastructure, not optional tooling.
For air-gapped environments, the path to automation is harder—but not impossible. The organizations that start planning now will have time to build sustainable processes. Those that wait until 2029 will face a crisis.
Start Now, Not Later
The first deadline is March 15, 2026, when certificates drop to 200-day maximum validity. That’s less than two months away as of this writing. If you haven’t started assessing your air-gapped certificate landscape, the time to begin is now.
Map your certificates. Understand your renewal processes. Identify your compliance requirements. Build your strategy before the shorter lifespans force your hand.
Air-gapped environments have always required more planning and deliberate process than connected systems. Certificate management is about to become another area where that careful planning pays off—or where its absence becomes painfully obvious.
Ready to get visibility into your certificate landscape? CertMS helps IT teams discover, track, and manage certificates across their infrastructure—including air-gapped and isolated environments. Our lightweight agents work within your network constraints while providing the centralized visibility you need to stay ahead of expirations.
Schedule a free demo to see how CertMS can help your organization prepare for the 47-day certificate future.
Sources
- GlobalSign: Complete 47-day SSL/TLS Certificate Validity Q&A
- Sectigo: 47-Day SSL Certificate Lifespan Approved
- Keyfactor: Certificate Lifecycle Management Is Critical
- Agilicus: Navigating Certificate Revocation in Air-Gapped Networks
- ISA: ISA/IEC 62443 Series of Standards
- SSL.com: Digital Certificates for HIPAA-Compliant Communication
- Paubox: How Providers Can Prepare for New 47-Day Certificates
- Tofino Security: SCADA Security Air Gap Debate
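Appendix: a worked example of the batching approach from strategy 3 (bi-weekly maintenance windows) combined with the lead-time alerting from Phase 3. This is added example code, not CertMS code or anything from the original article; the lead time, safety margin, window cadence, host names and expiry dates are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Process constants (assumed values, constructed for this example)
LEAD_TIME = timedelta(days=10)      # approvals + arranging physical site access
SAFETY_MARGIN = timedelta(days=3)   # install no later than 3 days before expiry
WINDOW_EVERY = timedelta(days=14)   # bi-weekly maintenance windows (strategy 3)

@dataclass(frozen=True)
class Cert:
    name: str
    not_after: date   # the certificate's notAfter date

def windows_between(first: date, horizon: date):
    """Bi-weekly maintenance windows from `first` up to and including `horizon`."""
    out, w = [], first
    while w <= horizon:
        out.append(w)
        w += WINDOW_EVERY
    return out

def plan_renewals(certs, today, first_window):
    """Assign each cert to the latest window that leaves LEAD_TIME for the change
    process after today and still lands before expiry minus SAFETY_MARGIN.
    Certs that fit no window are returned separately as out-of-cycle changes."""
    horizon = max((c.not_after for c in certs), default=first_window)
    windows = windows_between(first_window, horizon)
    plan, emergencies = {}, []
    for c in certs:
        earliest, latest = today + LEAD_TIME, c.not_after - SAFETY_MARGIN
        feasible = [w for w in windows if earliest <= w <= latest]
        if feasible:
            plan.setdefault(max(feasible), []).append(c.name)
        else:
            emergencies.append(c.name)
    return plan, emergencies

def ticket_open_by(window: date) -> date:
    """Latest date to raise the change request so a window can be used."""
    return window - LEAD_TIME

# Constructed inventory: 47-day certificates on an isolated OT segment.
TODAY = date(2029, 4, 2)
FIRST_WINDOW = date(2029, 4, 7)
INVENTORY = [
    Cert("hmi-01.plant.local", date(2029, 4, 9)),        # 7 days left: too late
    Cert("historian.plant.local", date(2029, 4, 30)),
    Cert("opcua-gw.dmz.local", date(2029, 5, 14)),
    Cert("scada-ws-07.plant.local", date(2029, 5, 15)),
]
```

Running plan_renewals(INVENTORY, TODAY, FIRST_WINDOW) on this inventory puts the historian certificate in the 21 April window (ticket due by 11 April), both May certificates in the 5 May window (ticket due by 25 April), and flags hmi-01 as an out-of-cycle change because no scheduled window can satisfy both the lead time and the expiry.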