Why the Finance Sector Must Lead the Shift to Post-Quantum Cryptography

Quantum computing is no longer a far-off theory: the threat to today’s encryption is real, and the clock is running for organizations to become resilient. For banks and finance organizations sitting on mountains of sensitive data, the urgency to prepare for post-quantum cryptography (PQC) is growing.

With Q-day (the day a powerful quantum computer breaks today’s RSA and ECC algorithms) possibly arriving as early as 2028, today’s encryption won’t hold for much longer. That puts financial institutions—prime targets with high-value customer data, transactions, and proprietary models—at risk of cyberattacks targeting broken encryption.

If any industry should be leading the charge on post-quantum cryptography, it is financial services. Not just because the risks are high—but because the fallout from a cyberattack would be catastrophic. Around the world, regulators and industry groups are sounding the alarm and laying out roadmaps to guide financial institutions toward PQC readiness. In this blog, let’s dive into what that really means and why now is the time to start preparing.

The Fast Approaching Quantum Threat

Quantum computing threats are accelerating beyond early predictions. While today’s quantum computers can’t yet break our strongest encryption, the required hardware is closing the gap rapidly. What felt like a 2030s problem now threatens to arrive earlier. This means today’s widely used asymmetric algorithms like RSA and ECC are at high risk of being cracked once such a machine exists, putting critical financial systems and data at serious risk.

“For the financial industry, the advent of quantum computers poses a risk to customer confidentiality and peer communications, authentication processes, and trust in digital signatures which enable dynamic legal agreements.”

— Quantum Safe Financial Forum: A Call to Action, report by Europol

Moreover, “Harvest Now, Decrypt Later” attacks are underway. Threat actors are capturing encrypted data today so they can decrypt it in the future using powerful quantum computers. That means sensitive financial records, customer data, intellectual property, and internal communications could all be exposed down the line—even if they’re presumed to be secure right now.

For financial organizations handling high-value data that needs to be stored and protected for years to come, the message is clear: don’t wait—begin your preparation for PQC migration today. Waiting until quantum threats are visible or until the threat becomes imminent could lead to data breaches, hefty financial losses, and lasting reputational damage.

Why PQC?

Think of the NIST-approved PQC algorithms as the new vault for your most critical assets—built on mathematical problems so tough that neither today’s supercomputers nor tomorrow’s quantum computers can crack them. By swapping in PQC algorithms, you can lock down customer data, preserve transaction integrity, and ensure long-term privacy against quantum‑powered attacks.

But there is an even bigger win: retroactive protection. When PQC algorithms are in place, any encrypted data an attacker harvests today stays unreadable tomorrow—even by the most powerful quantum computers. In short, PQC protects both your future communications and everything you’re securing now.

Key Roadblocks to Post-Quantum Cryptography Adoption

Post-quantum cryptography promises unparalleled security, but rolling it out isn’t straightforward. Previous migrations—like SHA-1 to SHA-2—spanned over a decade; transitioning to quantum-secure algorithms is even more complex—and will demand significantly more time and resources.

  • Lack of Cryptographic Asset Visibility

Keys and certificates are scattered across on-prem servers, cloud environments, endpoints, and third-party services, with no centralized view of them. Security teams are unaware of where sensitive encryption lives or how it’s used. That insight gap makes it significantly harder to assess quantum-risk exposure or prioritize migration efforts.

  • Integration and Performance Hurdles

Quantum-safe algorithms behave very differently from today’s classical algorithms: they use larger keys, produce bulkier signatures, and demand more compute power. As a result, applications, protocols, and hardware modules often require substantial code rewrites, deep testing, and workflow overhauls—yet real-world PQC expertise remains scarce, making staffing these projects a struggle.

  • Operational Burden Without Disruption

It all must happen without disrupting critical services or breaching data-retention and compliance mandates. That means extracting legacy encryption from software and hardware, modernizing infrastructure, updating policies, and coordinating cross-team migrations flawlessly—because any slip-up could stall trading platforms, payment systems, or customer portals.

Without a clear, step‑by‑step roadmap, financial institutions risk falling behind as quantum threats materialize. To stay ahead, organizations must start planning, testing, and laying the groundwork for a smooth and secure transition to PQC.

Global Momentum for PQC Adoption

PQC is now a global priority. In the United States, the National Institute of Standards and Technology (NIST) is leading the charge with formal efforts to standardize PQC algorithms that can withstand quantum-level threats.

Over the last two years, NIST has finalized and published three official standards:

  1. FIPS 203 (ML-KEM) – The primary standard for general encryption
  2. FIPS 204 (ML-DSA) – The primary choice for digital signatures
  3. FIPS 205 (SLH-DSA) – A digital signature algorithm designed as a fallback option in case vulnerabilities are discovered in ML-DSA.

NIST’s roadmap also includes consideration for two additional algorithms: Falcon and HQC (Hamming Quasi-Cyclic). Once standardized, HQC will provide another option for key encapsulation mechanisms (KEM), while Falcon will support quantum-resistant digital signatures.

Global Guidance on PQC Migration for Financial Organizations

Several countries across the world have released roadmaps for PQC readiness and transition to spur real progress on post-quantum cryptography, especially in the finance sector.

1. NIST’s Deadlines

NIST has laid out two critical deadlines: by 2030, today’s quantum-vulnerable classical algorithms such as RSA and ECC will be deprecated, and by 2035, they’ll be fully phased out. That’s not as far off as it sounds, especially for financial institutions managing complex infrastructures and long-lived data.

2. Europol’s Call to Action (QSFF – Feb 2025)

In February 2025, Europol’s Quantum Safe Financial Forum (QSFF) issued a clear call to action for financial institutions, vendors, and policymakers to jump into PQC migration without delay, recommending that they:

  • Prioritize PQC adoption – Make the transition to quantum‑safe cryptography a top strategic objective.
  • Coordinate roadmaps – Align goals, planning, and implementation of PQC across stakeholders.
  • Use a voluntary framework – Leverage regulator‑industry partnerships instead of new laws.
  • Modernize crypto governance – Treat this as an opportunity to enhance key and certificate management practices.
  • Foster global collaboration – Run joint pilots and share insights across private and public sector actors on quantum-safe initiatives.

3. The UK’s NCSC Milestones

The United Kingdom’s National Cyber Security Centre (NCSC) is also urging the banking and financial services sector to act early on PQC. To help organizations stay on track, the NCSC has outlined three key milestones:

  • 2028 – Complete discovery of all cryptographic assets
  • 2031 – Migrate critical systems to PQC
  • 2035 – Achieve full migration across all systems, services, and products

4. Switzerland’s Seven‑Step Roadmap (FIND)

Switzerland, too, is echoing the urgency. The Swiss Financial Innovation Desk (FIND) recently released its Action Plan to a Quantum-Safe Financial Future, providing a clear, seven-step roadmap to help financial institutions take the lead in preparing for quantum risk:

  1. Establish quantum risk governance
  2. Assess impacted business and technology components
  3. Minimize new legacy through quantum-safe procurement
  4. Address immediate “Harvest Now/Decrypt Later” risks
  5. Implement a structured PQC migration plan
  6. Align with industry standards and regulatory expectations
  7. Continuously review and refine your quantum strategy

For financial institutions worldwide, this action plan offers a practical playbook to stay ahead of the curve and build long-term resilience against quantum threats.

Get PQC-Ready Today to Power Quantum-Safe Innovation Tomorrow

As financial services race to deliver faster and smarter experiences, post‑quantum cryptography is more than a security upgrade—it’s a strategic advantage. Leading global banks, including JPMorgan, HSBC and Intesa Sanpaolo, are already investing in quantum computing to achieve breakthroughs in credit scoring, fraud detection, and pricing models. But without weaving PQC into your long‑term roadmap, those quantum investments won’t pay off. Transitioning to PQC and building true quantum resilience is the only way to lock out tomorrow’s threats, safeguard customer trust, and fully capitalize on quantum’s promise for the finance sector.

To help get your PKI and certificate infrastructure ready for the PQC shift, AppViewX AVX ONE CLM accelerates your PQC readiness with end-to-end certificate lifecycle management and crypto-agility, giving you comprehensive visibility, closed-loop automation, and complete policy control of your certificates—all in one powerful solution.

Additional AppViewX Solutions for PQC Readiness

  • PQC Assessment Tool – A purpose-built solution designed to help organizations prepare for the PQC migration by generating a Cryptographic Bill of Materials (CBOM), delivering a PQC readiness score, and providing remediation steps by scanning code, dependencies, configurations and certificates in enterprise environments.
  • PQC Test Center – A dedicated free online resource built to help you assess your organization’s PQC readiness by generating and testing quantum-safe private trust certificates prior to their integration into existing systems, applications, workloads, and machines.
  • PQC-Ready PKI – A modern, agile, and secure private PKI solution, designed to support PQC-enabled certificate issuance.

Explore AVX ONE CLM or talk to one of our experts today to get started!


Google Chrome to Distrust Chunghwa Telecom and Netlock Certificate Authorities (CAs)—What’s Next?

Recently, Google announced that starting August 1, 2025, the Google Chrome browser will no longer trust TLS certificates issued by Chunghwa Telecom and Netlock Certificate Authorities (CAs). According to Google, the decision follows a pattern of compliance failures and a lack of measurable progress in addressing publicly reported issues.

Chunghwa Telecom is Taiwan’s largest integrated telecom service provider and operates a public Certificate Authority (CA) called ePKI, which issues digital certificates for secure web communications. Netlock, based in Hungary, is a specialized CA offering digital certification services, including TLS/SSL certificates, electronic signatures, and time stamping.

Any certificates issued by these CAs on or before July 31, 2025, will remain valid. However, certificates issued after that date will trigger browser warnings—like the dreaded “Your connection isn’t private” alert—creating trust issues for website visitors. Google intends to roll out these changes with Chrome 139, scheduled for release in early August.

Why Is Google Distrusting These CAs?

Google’s decision to distrust Chunghwa Telecom and Netlock CAs wasn’t made lightly. Citing the reasons for distrust, Google stated, “Over the past several months and years, we have observed a pattern of compliance failures, unmet improvement commitments, and the absence of tangible, measurable progress in response to publicly disclosed incident reports. When these factors are considered in aggregate and considered against the inherent risk each publicly-trusted CA poses to the internet, continued public trust is no longer justified.”

What Should Affected Website Owners Do?

If you’re using certificates from either Chunghwa Telecom or Netlock, Google strongly recommends switching to a new, publicly trusted CA as soon as possible—ideally before your current certificates expire, especially if they expire after July 31, 2025. Doing so helps avoid trust warnings, service disruptions, and outages on your websites and internet applications.

While it’s technically possible to reissue certificates from either of the two distrusted CAs before the August 1, 2025, deadline to buy more time, that’s only a temporary fix. You’ll still need to complete a full migration eventually—and the longer you wait, the higher the risk of service disruptions.

Another CA Distrust Incident. Another CA Migration. How to Be Ready?

This isn’t the first time Google has pulled trust from a CA—and it likely won’t be the last.

Just last year, Google distrusted the Entrust CA. Thousands of organizations that relied on TLS certificates from Entrust were forced into a fast-paced migration to a new trusted public CA before the November deadline (in just about 4 months!). It was stressful, chaotic, and, for many, still ongoing.

In the broader picture, Google’s move should be welcomed as it reinforces the high standards expected of CAs and sends a clear message: trust must be earned through transparency, security, and accountability. That said, the responsibility for ensuring digital trust doesn’t end with browser vendors. Organizations must also step up—by implementing a multi-CA strategy and embedding CA agility and crypto-agility into their Certificate Lifecycle Management (CLM) practices.

  • Multi-CA Strategy: As CA distrust and revocation incidents become more frequent, relying on a single CA is increasingly risky. If that CA is distrusted or revoked, you’re scrambling to replace every certificate across every application. Instead, avoid CA lock-in by working with multiple trusted CAs—so if one fails, only a portion of your certificates are affected, minimizing the overall impact. It’s equally important to have other CAs set up alongside your primary issuing CA. Since onboarding a new public CA can take time due to legal agreements and setup processes, having fallback CAs ready to go ensures you can respond quickly in the event of a CA distrust.
  • CA-Agility and Crypto-Agility: CA-agility refers to the ability to quickly and seamlessly switch issuing CAs—whether public or private—to minimize the impact of a compromise or distrust event. It’s part of broader crypto-agility, which enables organizations to swap cryptographic assets (like algorithms and keys) without disrupting operations.

Why Are CA Migrations So Challenging?

Migrating from one CA to another is not just about setting up new CAs. It often means revoking and replacing thousands of certificates (across various certificate types and endpoints), retiring CA-related services, and coordinating efforts across multiple teams and systems.

Without a robust CLM solution, this process is prone to errors, bottlenecks, and missed deadlines. IT and security teams come under immense pressure, and the risk of certificate outages can ripple across applications and services.

Consider the recent Entrust CA distrust. For many enterprises operating without an automated CLM solution, CA migration has been a painful and complex process.

  • End users had to reinstall multiple certificates (like S/MIME and client certificates), hampering productivity
  • Failed certificate installs flooded IT with support tickets
  • Internal services using private TLS certificates needed a complete “rip-and-replace” across internal servers

AppViewX AVX ONE CLM Simplifies CA Migrations with Crypto and CA-Agility

Whether you’re affected by the Entrust, Chunghwa Telecom, or Netlock CA distrust—or simply want to be ready for the next one—here’s how AppViewX can help.

AppViewX AVX ONE CLM, a comprehensive certificate lifecycle management automation solution, delivers crypto- and CA-agility to make the whole process simple and fast through:

Visibility:

  • Automatically discover and build a consolidated inventory of all certificates (public and private trust)
  • From your consolidated inventory, easily identify and filter vulnerable certificates from distrusted CAs for targeted remediation

Automation:

  • From the list of impacted certificates, automate your CA and certificate migration, including reissuance, replacement, and revocation
  • Use the unique CA Switch feature to automatically re-provision and reinstall new certificates directly from new CA(s) in place of impacted certificates
  • Leverage CA-agnostic automation to reissue new certificates from various publicly trusted CAs
  • Leverage closed-loop automation workflows with enterprise ACME support to ensure end-to-end automated TLS certificate issuance and renewal

Control:

  • Define and automatically enforce policies around the use of approved Certificate Authorities, crypto-standards, validity periods, and more
  • Ensure compliance and simplify audits with role-based access control (RBAC) and detailed audit trails

Stay Secure, Stay Agile.

Browsers play a critical role in enforcing accountability and raising the bar for Certificate Authorities. But, their safeguards only go so far.

For organizations, true resilience comes from being prepared—by diversifying your CA portfolio, automating certificate lifecycle management, and embedding crypto-agility into your CLM strategy. That’s how you stay ahead of the next CA distrust event.

Check out the AVX ONE CLM: Seamless CA Switch Capability Datasheet to see how AppViewX is making CA migrations fast and frictionless.

Already impacted by Entrust, Chunghwa Telecom, or Netlock? Talk to one of our experts today to make the switch with confidence.

Three Must-Have Capabilities to Prepare for 47-Day TLS Certificates

Recently, the CA/Browser (CA/B) Forum approved Ballot SC-081v3, launching a gradual reduction of public TLS certificate lifespans—from today’s 398 days down to just 47 days by 2029. This landmark change ranks among the biggest in PKI in recent years and is already driving intense conversations about how reduced validity periods will reshape certificate lifecycle management (CLM) workloads and operations.

Here’s a breakdown of what the TLS validity reduction timeline looks like and the corresponding increase in CLM workload:

Date              Max Validity   Renewal Frequency    Workload Increase
Now               398 days       1 renewal/year       1× (baseline)
March 15, 2026    200 days       2 renewals/year      2×
March 15, 2027    100 days       4 renewals/year      4×
March 15, 2029    47 days        12 renewals/year     12×

Essentially, by March 15, 2029, certificates will need to be renewed every month—a big shift from the once-a-year cadence that PKI and security teams are used to now.

And it’s not just the renewal frequency that’s changing. The domain validation reuse period will also shrink to just 10 days by 2029. This means PKI and security teams will need to perform domain validation more frequently and accurately to avoid certificate issuance delays.

Although this shift unfolds over the next four years, the initial reduction to 200-day certificates takes effect in less than a year from now, doubling your renewal workload almost immediately. Given the tight prep window, the sooner you start planning, the better prepared you will be to handle increased renewal workloads by next year (2026).

Why Is This Happening?

At first glance, moving from annual to monthly certificate renewals feels like a monumental shift—and it is. In fact, it’s a full rethink of how TLS certificates have been managed for years.

But this change is necessary—and overdue. Think of it like changing the locks on your doors more frequently. Locks that change regularly are costlier and harder for attackers to break, and even if a certificate’s key is compromised or a certificate is mis-issued, it is only usable until it expires, so the attacker has a short window for misuse and the potential damage is limited significantly.

And, more frequent domain validation (every 10 days) means certificates are always issued based on up-to-date, accurate ownership information—preventing mis-issuance and boosting trust in your infrastructure.

Yes, it’s more work, but it promotes stronger security—and with quantum computing on the horizon, that’s a trade-off we cannot afford to ignore.

How to Prepare for Monthly Renewals

There is a good reason for shortening TLS certificate lifespans: to push organizations toward full CLM automation and crypto-agility.

Certificate management might look straightforward—enroll, provision, install, renew, and done. But in reality, it’s a complex and layered process, involving domain validation, endpoint binding, configuration checks, discovery, alerts, policy enforcement, and monitoring for cryptographic hygiene. That’s a lot of moving parts—and they all have to happen on time, in the right order, and in sync.

Relying on spreadsheets, separate CA-specific tools, and manual processes for all of these tasks won’t cut it when you’re juggling thousands of certificates across hybrid and multi-cloud environments. Automation and crypto-agility are the only ways to keep pace with monthly renewals.

AppViewX AVX ONE CLM: A Complete End-to-End CLM Solution for Crypto-Agility

Although the focus now is on automating renewals, that is just the starting point for the 47-day TLS transition. True readiness demands a full-spectrum certificate lifecycle management (CLM) solution that is efficient and crypto-agile, that is, able to adapt seamlessly to cryptographic changes now and in the future.

Achieving this means embedding three core capabilities into every step of the CLM process: Visibility, Automation, and Policy Control. AppViewX AVX ONE CLM is built precisely to deliver that, enabling crypto-agility. Here’s how we can help in the context of the shift to 47-day TLS.

1. Complete Certificate Visibility

  • Smart Discovery: Flexible scanning methods to automatically discover your public and private trust certificates from your IP networks, managed devices, cloud accounts, CAs, Kubernetes clusters, and CT logs. You can run these scans on demand or at scheduled intervals to continually discover new certificates.
  • Centralized Inventory: Consolidate all discovered certificates in a centralized inventory along with essential certificate information such as the certificate location, owner, issuing CA, expiry date, chain of trust, crypto standards, and more. This inventory serves as a single source of truth for all certificate types, from any public or private CA, across every endpoint, to help you effectively monitor certificate expirations, prevent outages, and mitigate vulnerabilities.
  • Actionable Insights: Use dedicated Short-Lived TLS dashboards to pinpoint your current certificate validity periods—and get ahead of the 200-day (March 2026), 100-day (March 2027), and 47-day TLS (March 2029) transitions.
  • Alerting: Custom alerts for certificate expiry notifications are sent to certificate owners to ensure timely renewals, approvals, or escalations. Alerts can be delivered via email for manual actions or via Simple Network Management Protocol (SNMP) traps for automation and integration with ITSM and SIEM solutions.


2. Powerful Automation

  • Closed-Loop Renewals: Unlike any other vendor in the market, AVX ONE CLM handles renewals end-to-end. From generating the key pair and CSR to submitting it to the appropriate Certificate Authority (CA), retrieving the renewed certificate, installing it, and binding it to the correct endpoint or application, every step is automated and seamlessly managed. This helps ensure the new certificate is fully configured and ready to use and eliminates the risk of certificate misconfigurations, vulnerabilities, and outages.
  • CA-Agnostic Control: AVX ONE CLM works with every major public and private CA, centralizing discovery, renewal, and management of all your certificates in a single console. This means your PKI and security teams can work from one consolidated tool for enterprise-wide CLM instead of fragmented, CA-specific tools that lack complete visibility.

3. Automation Workflows

  • Out-of-the-box Workflows: AppViewX AVX ONE CLM offers an extensive catalog of pre-built workflows for automating routine certificate tasks like alerting/escalations, enrollment, provisioning, and installation, including the last-mile action of endpoint binding.
  • Customizable Workflows: No two PKI environments are the same. That’s why AVX ONE CLM’s automation framework is designed to allow deep customizations. Using a drag-and-drop visual workflow builder, you can fully customize workflows to tailor CLM processes to your unique needs. Whether it is implementing one-click approvals and renewals, or fully automating the entire renewal and provisioning process as zero-touch, AVX ONE CLM can accommodate that in your environment. For example, you can automate public TLS certificate issuance via ACME or customize ServiceNow workflows with layered approvals to align with your internal policies.
  • Broad Integration Ecosystem: AppViewX offers extensive pre-built integrations with public and private CAs, cloud providers, DevOps toolchains, ITSM platforms like ServiceNow, MDM solutions like Microsoft Intune, and more for streamlining certificate management across cross-functional teams. In addition, REST APIs enable custom integrations—so you can automate exactly the way your environment demands.
  • Auto-Enrollment Protocols and ACME Support: AVX ONE CLM works with all the major auto-enrollment standards—ACME included—so you get the fastest path from certificate issuance to installation and renewal. But ACME by itself only tackles part of the challenge: it automates issuance and renewal, but it doesn’t discover certificates in your environment, enforce your security policies, or cover every PKI use case. That’s where AppViewX steps in. By integrating ACME into a full-featured CLM framework, AVX ONE CLM gives you the speed of ACME with end-to-end visibility, governance, and compliance—so there are never any gaps in your certificate management.

4. Continuous Policy Control

  • Zero-Touch Policy Enforcement: Use automated policies to phase in shorter TLS lifespans, define which CAs and crypto standards are approved, and eliminate rogue or non-compliant certificates.
  • Granular Role-Based Access Control (RBAC): Shrinking TLS lifespans mean more certificates—and often more CAs—to manage. Implementing RBAC helps set clear permissions for who can request, approve, and issue certificates, preventing CA and certificate sprawl. At the same time, it empowers your cross-functional teams with certificate self-service, so they can request and issue security-approved certificates on their own, without extra handoffs.
  • Complete audit trails: Track every action with detailed logs to simplify external and internal audits. Generate regular compliance reports to keep up with industry and regulatory standards.
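Two of the capabilities above, validity tracking with expiry alerting (section 1) and policy enforcement against non-compliant certificates (section 4), reduce to checks you can run over any certificate inventory. The Python below is an added example written for this post, not AppViewX or AVX ONE code: it encodes the SC-081v3 maximum-validity schedule by issuance date (398 days today, then 200, 100 and 47 days from March 15 of 2026, 2027 and 2029) and the 10-day domain validation reuse period from 2029, then evaluates a constructed sample inventory. The hostnames, owners, the 14-day renewal lead time and the alert record shape are assumptions for illustration, and reuse limits in force before 2029 are deliberately not modelled.

```python
"""Added example (not AppViewX / AVX ONE code): map the CA/B Forum SC-081v3
validity schedule onto a certificate inventory, flag non-compliant
certificates and raise renewal alerts. All inventory rows are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta

# Maximum validity a public CA may issue, keyed by issuance date (newest rule
# first): 398 days today, 200/100/47 days from March 15 of 2026/2027/2029.
VALIDITY_SCHEDULE = (
    (date(2029, 3, 15), 47),
    (date(2027, 3, 15), 100),
    (date(2026, 3, 15), 200),
    (date.min, 398),
)
# Domain validation may be reused for at most 10 days once the 2029 rule applies.
DV_REUSE_START = date(2029, 3, 15)
DV_REUSE_DAYS = 10
RENEWAL_LEAD_DAYS = 14  # assumed operational lead time, not a CA/B requirement


@dataclass(frozen=True)
class CertRecord:
    """One inventory row; 'trust' is 'public' (subject to CA/B rules) or 'private'."""
    common_name: str
    trust: str
    not_before: date
    not_after: date
    owner: str
    last_domain_validation: date


def max_validity_days(issued: date) -> int:
    """Longest validity allowed for a public certificate issued on `issued`."""
    for start, days in VALIDITY_SCHEDULE:
        if issued >= start:
            return days
    raise ValueError("schedule lacks a catch-all entry")


def max_validity_on(iso_day: str) -> int:
    """Same lookup from an ISO date string, e.g. '2027-03-15'."""
    return max_validity_days(date.fromisoformat(iso_day))


def validity_days(cert: CertRecord) -> int:
    return (cert.not_after - cert.not_before).days


def exceeds_allowed_validity(cert: CertRecord) -> bool:
    """Policy check: a public cert longer than the schedule allowed at issuance."""
    return cert.trust == "public" and validity_days(cert) > max_validity_days(cert.not_before)


def dv_needs_refresh(cert: CertRecord, issuance: date) -> bool:
    """True if a renewal issued on `issuance` cannot reuse the last domain validation.
    Only the 2029 rule is modelled; earlier reuse limits are out of scope here."""
    if cert.trust != "public" or issuance < DV_REUSE_START:
        return False
    return (issuance - cert.last_domain_validation).days > DV_REUSE_DAYS


def renewal_status(cert: CertRecord, today: date, lead_days: int) -> str:
    """'expired', 'renew_now' (inside the lead window) or 'ok'."""
    if today >= cert.not_after:
        return "expired"
    if today >= cert.not_after - timedelta(days=lead_days):
        return "renew_now"
    return "ok"


def evaluate_inventory(records, today: date, lead_days: int = RENEWAL_LEAD_DAYS):
    """One alert record per certificate, in the shape an email or SNMP trap would carry."""
    return [{
        "cn": c.common_name,
        "owner": c.owner,
        "status": renewal_status(c, today, lead_days),
        "days_left": (c.not_after - today).days,
        "validity_days": validity_days(c),
        "max_allowed": max_validity_days(c.not_before) if c.trust == "public" else None,
        "non_compliant": exceeds_allowed_validity(c),
        "dv_refresh_before_renewal": dv_needs_refresh(c, today),
    } for c in records]


# Constructed sample inventory (hypothetical names under .test / .internal).
SAMPLE_INVENTORY = (
    CertRecord("www.example-bank.test", "public", date(2026, 4, 1), date(2027, 4, 1), "web-team", date(2026, 3, 30)),
    CertRecord("api.example-bank.test", "public", date(2029, 4, 1), date(2029, 5, 18), "api-team", date(2029, 3, 31)),
    CertRecord("legacy.example-bank.test", "public", date(2028, 1, 10), date(2028, 4, 19), "ops", date(2028, 1, 9)),
    CertRecord("intranet.example.internal", "private", date(2029, 1, 1), date(2030, 1, 1), "it-infra", date(2028, 12, 31)),
)
SAMPLE_TODAY = date(2029, 5, 5)


def sample_alerts():
    """Alerts for the constructed inventory as of SAMPLE_TODAY, keyed by common name."""
    return {a["cn"]: a for a in evaluate_inventory(SAMPLE_INVENTORY, SAMPLE_TODAY)}


if __name__ == "__main__":
    for alert in sample_alerts().values():
        print(alert)
```

Run as a script it prints one alert record per certificate: the 365-day certificate issued after March 2026 is flagged non-compliant, the 47-day API certificate is inside its renewal window and also needs a fresh domain validation under the 10-day rule, and the private-trust certificate is reported but not measured against the public schedule. In a real deployment the records would come from discovery scans and the alert dicts would feed the email or SNMP path described above.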

Lean Into This Change for a More Resilient Tomorrow

Shorter certificate lifespans aren’t just about creating more work (even if it feels that way right now). They’re about making your organization more secure with faster certificate rotations, smaller attack windows, and up-to-the-minute domain validation. So, it is important to see this 47-day TLS validity shift as an opportunity to level up your PKI and CLM practices. With the right end-to-end CLM solution in place, what feels like a daunting jump can become a competitive advantage: real-time visibility, automated renewals, and built-in compliance.

To learn more about AppViewX AVX ONE CLM and to see how it can help you prepare now for shorter validity TLS, request a demo.
