A recent CA/Browser Forum ballot sponsored by Google stands to limit SSL certificate lifespans to 397 days starting in March 2020. Should this pass, organizations using two-year SSL certificates will need to change their practices to only one-year certificates moving forward. Fortunately, automation options are available.
According to the ballot, existing certificates will be honored for the duration of their lifespans, so no certificate will need revocation and replacement as a result of this action by the CA/Browser Forum.
Even in the event that the ballot fails, Google always has the option of simply distrusting certificates of longer duration, which would effectively arrive at the same outcome for all but a few specific use cases. Google has made similar unilateral moves in the past, including its distrust of Symantec TLS certificates and its requirement for CAs to log their certificates in CT logs.
Businesses employing two-year certificates typically choose them to reduce workload and potential error. These same objectives can be met through automation of certificate issuance and deployment.
The good news for Sectigo customers is that Sectigo Certificate Manager supports multiple integration alternatives, including SCEP, our RESTful API, agent-based integration, and most recently the ACME protocol. ACME (Automated Certificate Management Environment) can fully automate key generation, domain control validation, certificate creation, and installation on the server. The protocol is supported by more than 130 open source tools supporting most popular operating systems including Apache, IIS, NGINX, F5 BIG-IP, and Citrix NetScaler.
Now might be an excellent time to familiarize yourself and your organization with ACME or another of these options as a way to use automation to increase the accuracy, reliability, and efficiency of your SSL certificate operations.