Redirecting you to
Blog Post Nov 13, 2020

As Term Lengths Shorten Again, Automatic Certificate Management Is Key

Any digital certificate that authenticates the identity of a website carries risk. There is risk that its private key has been secretly stolen, or that a heretofore unknown technique will render its cryptography insecure. There is risk that the domain has changed ownership since the certificate was issued, or that an undiscovered flaw in the requesting operating system has rendered its key predictable. There could even be a massive, brute force attack against its key underway right now.

Naturally, mitigating these risks is a high priority for users, and one of the most effective methods for doing so is by shortening the certificate lifespan. For some time, 27 months was the standard term length for public-trust TLS/SSL certificates, but that length has now been cut in half.

Fortunately, recent innovations in certificate automation have made managing large numbers of certificates easier than ever for users.

Unilateral Action Precipitates a Major Shift

Late last year, the CA/Browser Forum voted on shortening TLS certificate term limits to 397 days, and although the ballot failed, the final tally included positive votes from all voting browser developers, indicating their clear preference for shorter limits. It was, therefore, not surprising when, in February 2020, Apple decided to unilaterally slash the acceptable TLS certificate term length to 398 days (thirteen months) across the Apple platform, including iOS, MacOS, iPadOS, and Apple’s many services.

Due to the power and ubiquity of the Apple platform, this decree had the de facto effect of limiting all public SSL certificates to thirteen months—after all, no business wants its website to appear unsafe on every Apple device. In June, Google announced that it would follow in Apple’s footsteps, similarly limiting certificate terms to 13 months on its browsers and devices, and in July, Mozilla joined the chorus. On September 1, 2020, those changes became official, effectively rendering one-year SSL certificates the new normal throughout the industry.

Trending Toward Stronger Security

Although businesses may be wringing their hands over the added work needed to manage their certificates on an annual basis, the fact that automation has made certificate management significantly easier almost certainly played a role in browsers’ belief that the security benefits outweigh the administrative risks. Furthermore, many browsers have been advocating for shorter certificate durations for years, so industry observers have been anticipating such a move for some time now. In fact, it wasn’t long ago that leading CAs offered SSL certificates that lasted as long as six to eight years, so the previous limit of two years already represented a major departure from prior precedent. The decision made by the major browsers to reduce the limit to a single year is just the latest in an ongoing trend of SSL certificate term length being reduced in the name of greater security.

How has automation helped? Well, it’s impossible to deny that manual certificate management can be a burden on IT teams. Setting reminders and tracking expiration and renewal dates is an option, but it’s hard to completely eliminate human error. Busy network admins may forget things, lose track of dates, or even just struggle to prioritize their tasks. Changes in roles and responsibilities can create a knowledge gap that remains undiscovered until an outage reveals it the hard way. Certificate automation options that were unavailable even just a few years ago now enable effortless and error-free certificate issuance, management, and renewal.

Purpose-built certificate management platforms like the Sectigo Certificate Manager are becoming increasingly popular for web servers, client certificates, IoT, DevOps environments, and more. Meanwhile, protocols like ACME and SCEP have also grown more widely accepted, enabling interoperability among many different technology platforms and products. Microsoft even offers a built-in CA for Windows products, meaning that many enterprises may be engaging in automatic certificate management without even knowing it. These automation capabilities mean that the reduction in certificate term length is nothing to fear for IT departments. In reality, the adoption of automated certificate deployment and lifecycle management is likely to reduce workload, limit the likelihood of errors, and enable consistent, compliant certificate issuance throughout the organization.

Choose Safety

The decision made by major browsers to decrease certificate trust duration is a valuable step in improving security. And the exploding availability of certificate automation options streamlines certificate renewal and management, radically mitigating the concerns raised about shortened certificate term length. Organizations no longer need to choose between security and convenience. Thanks to today’s advances in automation, tools like the Sectigo Certificate Manager are making it easy for them to have both.