Automated SSL/TLS Certificate Management Is No Longer Optional — UltraDNS + DigiCert CertCentral Integration
Certificate automation isn’t just a best practice anymore — it’s becoming a hard requirement.
In April 2025, the CA/Browser Forum finalized and approved a new policy that shortens TLS certificate lifetimes in stages, ending with a 47-day maximum in 2029. This change, driven by Apple and supported by Google and others, also drastically reduces the window in which domain validation can be reused — down to just 10 days.
To help our customers prepare, we’re launching a new integration between UltraDNS and DigiCert CertCentral. This feature will allow CertCentral to automatically create, verify, and clean up _dnsauth TXT records in UltraDNS via secure API operations.
The Problem: Shorter Lifespans, Higher Failure Risk
Let’s break this down:
Effective Date | Max TLS Certificate Lifetime | Max Domain Validation Reuse
------------------------ | -----------------------------------|------------------------------------
Now – Mar 15, 2026 | 398 days | 398 days
Mar 15, 2026 | 200 days | 200 days
Mar 15, 2027 | 100 days | 100 days
Mar 15, 2029 | 47 days | 10 days
If you’re not using automation, this means:
- You’ll need to issue and renew certificates 8x more frequently
- You’ll have to revalidate domain control almost every time
- Manual workflows will result in failed renewals, downtime, or expired certs
The CA/Browser Forum explicitly stated in the ballot rationale that “automation is no longer optional.” Browsers won’t wait for OCSP. Short-lived certificates are now the safest baseline.
UltraDNS + CertCentral Integration: What It Does
Starting in May, UltraDNS will support tight, event-driven integration with DigiCert CertCentral for all DNS-based DCV flows:
- Automated
_dnsauthrecord creation upon issuance or renewal request - Auto-cleanup of
_dnsauthrecords post-validation (no lingering artifacts) - All changes audit-logged within UltraDNS for full traceability
- Works with DNSSEC (sign-on-the-fly only) — no re-signing needed
- Minimal config required — just link via API token and select eligible zones
This feature supports DV, OV, and EV certificates — and is compatible with ACME, CertCentral’s REST APIs, and scheduled lifecycle operations.
Use Case: Scaling Cert Management for DNS-Centric Portfolios
Organizations managing thousands of zones (e.g., domain registrars, DNS operators, global infrastructure teams) will be among the first to feel the pain of 47-day certificates.
This integration provides:
- Zone-level visibility control — only expose what’s needed
- API-based validation ops — no human intervention required
- Resilience and hygiene — no cluttered TXT records or missed renewals
- Support for renewal testing — simulate 90/47-day rotation cadence today
How It Works – Step-by-Step
- In UltraDNS, navigate to Account Settings → DigiCert Integration and generate your Account ID and Secret.
- In DigiCert CertCentral, input those credentials in the DNS Provider Integration section.
- Designate the DNS zones that CertCentral can access via visibility flag.
- When CertCentral initiates a certificate issuance, it:
- Creates a
_dnsauth.example.com IN TXT "token" - Waits for DNS propagation and completes validation
- Deletes the record once validation succeeds
- Creates a
Each DNS update is made via secure API call and is fully auditable in UltraDNS.
Ready for Testing? Here's How to Prepare
Before rolling this out in production, we recommend:
- Selecting a subset of non-critical domains for testing
- Verifying that zones are valid, delegated, and resolvable
- Ensuring admin access to both UltraDNS and CertCentral
- Including renewal testing to simulate future 47-day windows
General Availability: May 2025
The UltraDNS + DigiCert CertCentral integration will be available to all customers starting in May. If you’d like early access, reach out to your account team to participate in a controlled rollout and receive implementation support.
The bottom line? TLS certificates are getting shorter. DNS-based validation workflows must adapt. With this integration, your certificate lifecycle can keep pace — securely, automatically, and at scale.