On March 3, Google announced in its “Moving Forward, Together” roadmap the intention to reduce the maximum possible validity for public TLS certificates from 398 days to 90 days, in a future policy update or a CA/B Forum Ballot Proposal. This drop to only 90 days maximum validity will mean major changes for the industry.
The trend of shrinking certificate lifespans is one Sectigo predicted as far back as 2019. In recent years the maximum term for a public TLS (also called SSL) certificate has dropped from three years to two to one, and now Google has stated that it intends to further reduce this lifespan to 90 days. Though the specific timing is unknown, it’s likely this 90-day maximum is in effect by the end of 2024.
In this article, the Sectigo team will go over what this announcement means, how it will impact certificate management, why automated certificate management matters, and how to implement it.
Google’s announcement of 90 day certificates and what it means
Google’s statement that it will enforce this via “a future policy update or CA/B Forum Ballot proposal” is a subtle but important detail worth noting. Google appears to be saying that if the CA/B Forum chooses to make this industry change through a balloting process, that’s great. However, Google is prepared to unilaterally force this change by making it a requirement for the Chrome root program, which would make it a de facto standard that every commercial public CA will need to follow. As browsers control their own root program requirements, this change can occur even in the absence of a CA/B Forum mandate.
Google is deliberately telegraphing its intentions to give industry and certificate consumers time to prepare for the inevitable transition and the implications that come with it.
For CISOs and their teams, the most obvious implication is how they will approach the management of digital certificates with shorter lifespans. Manually managing certificates will become an unsustainable practice, and it will be essential to start thinking about the switch to automation.
The risks of manual certificate renewals
While enterprises technically can still manually manage digital certificates with 90-day maximum lifespans, manual renewal and deployment will rapidly become increasingly risky. The risks of manual management include:
Prone to errors - More renewals means more potential for human error, as this task will need to be completed four times per year vs. once.
Requires significant resources - 90-day certificates not only mean four times the risk of human error but also four times the work IT security teams currently spend on this already arduous task.
Not scalable - As organizations grow and have more digital certificates to manage, manually issuing and renewing certificates will become less sustainable.
Potential outages and data breaches - The incorrect use of digital certificate renewals can lead to SSL/TLS outages and data breaches.
Overall cybersecurity risks - Malicious actors are always creating more sophisticated techniques to exploit weaknesses in an organization’s cybersecurity, which can lead to serious ramifications. One huge vulnerability that they’ll be quick to exploit? The lack of encryption that an SSL certificate provides.
Compounding these risks is the fact that for almost all organizations, the number of digital certificates they are required to manage continues to grow rapidly. This isn’t about one certificate that must be dealt with four times per year; it’s about dozens, hundreds, or thousands of digital certificates.
Add in existing difficulties like rogue certificates, limited visibility into cryptographic decisions, and certificates deployed one at a time, and manual management becomes unworkable. This is not a job that can be easily done manually today, and in the future, organizations still taking a manual approach will almost certainly pay the price.
The path forward is clear: it’s time to automate.
The importance of automated certificate lifecycle management
Bad actors are often one step ahead and they will be poised to take advantage of organizations that fail to rethink their approach to human and machine identity management in the wake of shortening digital certificate lifespans. Now is the time to act. Ultimately, organizations must have an end-to-end solution to automate the lifecycles of digital certificates, at scale.
To reduce risk, automation is crucial. It’s not just the lifespan of certificates going down but also the domain validation reuse period. Today, the Baseline Requirements allow for the reuse of data or documents related to previously completed domain validations for up to 398 days. Google has also stated its intention to reduce domain validation reuse periods to 90 days, saying “more timely domain validation will better protect domain owners while also reducing the potential for a CA to mistakenly rely on stale, outdated, or otherwise invalid information resulting in certificate mis-issuance and potential abuse.” This is an important detail to note, because enterprises must not only manage the digital certificates in their systems but also re-verify their domains every 90 days.
How to automate certificate issuance and renewals
With the right tools and platform, automating certificate management is a seamless process. First, finding a CA agnostic certificate lifecycle management (CLM) platform is key. This type of certificate management solution helps with discovery of digital certificates across vast enterprise environments, regardless of the issuing Certificate Authority, notifies you of impending certificate expirations, and automatically provisions and installs renewal and replacement certificates. In so doing, such a platform helps avoid outages and breaches due to the incorrect use or renewal of digital certificates while making it easy for your team to track certificate lifecycles in one centralized location.
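To make the discover-notify-renew loop concrete, here is an added illustration (not code from this article, and not part of Sectigo Certificate Manager or any other product) of the scheduling step a CLM performs once discovery has produced an inventory. It uses only the Python standard library. The inventory records, hostnames, issuer names and the one-third-of-lifetime renewal threshold are all assumptions constructed for the example; the point is that the same rule that triggers a renewal with roughly 130 days left on a 398-day certificate triggers it with 30 days left on a 90-day one, so the check has to run far more often and on every certificate at once.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed inventory records, shaped like what a CLM discovery scan would
# collect for each certificate it finds (host, issuing CA, validity window).
# Hostnames and CA names are placeholders, not real deployments.
INVENTORY = [
    {"host": "www.example.test", "issuer": "Public CA A",          # 90-day cert
     "not_before": "2024-01-01T00:00:00Z", "not_after": "2024-03-31T00:00:00Z"},
    {"host": "api.example.test", "issuer": "Public CA B",          # 398-day cert
     "not_before": "2023-12-01T00:00:00Z", "not_after": "2025-01-02T00:00:00Z"},
    {"host": "legacy.example.test", "issuer": "Internal PKI",      # already lapsed
     "not_before": "2023-01-01T00:00:00Z", "not_after": "2024-01-20T00:00:00Z"},
]

# Assumption: trigger renewal once one third of the certificate's lifetime
# remains (for a 90-day certificate that is 30 days before expiry).
RENEW_FRACTION = 1 / 3


@dataclass
class Finding:
    host: str
    issuer: str
    state: str             # "expired", "renew", or "ok"
    days_left: int         # negative once the certificate has expired
    renew_after: datetime  # earliest point at which renewal should be issued


def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as 2024-03-31T00:00:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def classify(entry: dict, now: datetime, renew_fraction: float = RENEW_FRACTION) -> Finding:
    """Decide whether one inventory record is fine, due for renewal, or expired."""
    not_before = parse_utc(entry["not_before"])
    not_after = parse_utc(entry["not_after"])
    lifetime: timedelta = not_after - not_before
    # The renewal window scales with the issued lifetime, so shorter
    # certificates come due sooner in absolute terms.
    renew_after = not_after - lifetime * renew_fraction
    days_left = (not_after - now).days
    if now >= not_after:
        state = "expired"
    elif now >= renew_after:
        state = "renew"
    else:
        state = "ok"
    return Finding(entry["host"], entry["issuer"], state, days_left, renew_after)


def scan(inventory, now: datetime, renew_fraction: float = RENEW_FRACTION):
    """Classify every record and sort so the most urgent certificates come first."""
    findings = [classify(e, now, renew_fraction) for e in inventory]
    urgency = {"expired": 0, "renew": 1, "ok": 2}
    return sorted(findings, key=lambda f: (urgency[f.state], f.days_left))


def due_for_action(inventory, now: datetime, renew_fraction: float = RENEW_FRACTION):
    """Hosts that need a renewal (or an emergency replacement) issued now."""
    return [f.host for f in scan(inventory, now, renew_fraction) if f.state != "ok"]


if __name__ == "__main__":
    now = parse_utc("2024-03-05T00:00:00Z")  # constructed "current" time
    for f in scan(INVENTORY, now):
        print(f"{f.state:8} {f.host:22} issuer={f.issuer!r:16} "
              f"days_left={f.days_left:4} renew_after={f.renew_after:%Y-%m-%d}")
```

In a real deployment the `INVENTORY` list would be replaced by whatever the discovery component reports, and the hosts returned by `due_for_action` would be handed to an ACME, SCEP or EST client rather than printed; the classification logic itself is what a team would run on a schedule, and with 90-day certificates that schedule has to be at least daily.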
Adapting to shorter certificate lifespans
When making the shift to automation, it’s important to use a CLM from a trusted Certificate Authority. This is where Sectigo comes in. Sectigo Certificate Manager (SCM) is the most robust CA agnostic CLM on the market. SCM is built to automate the lifecycles of all digital certificates, regardless of their origin. SCM offers:
Support for Automated Certificate Management Environment (ACME) protocol.
Secure Certificate Enrollment Protocol (SCEP) support.
Support for Enrollment Over Secure Transport (EST).
A proprietary automation tool which enables the management of certificates for a variety of systems, including Apache Tomcat, Windows IIS web servers, and F5 Big-IP load balancers.
REST API: In some instances, companies prefer to integrate applications more tightly with Sectigo, which is possible using Sectigo’s REST API.
SCM also integrates with a broad set of technology vendors. IT teams can automate the issuance and management of Sectigo digital certificates, alongside those from other public CAs and private CAs such as Microsoft Active Directory Certificate Services (ADCS), AWS Cloud Services, and Google Cloud Platform (GCP).
This is in addition to integrations with popular DevOps platforms like Kubernetes, Docker, HashiCorp, and more than a dozen leading technologies including leading Load Balancer platforms such as Amazon, Google, F5, A10 Networks and Kemp, popular CDNs like Akamai and Amazon, and even notification applications like Microsoft Teams and Slack.
See why Sectigo Certificate Manager is the first and most comprehensive CA agnostic CLM on the market.
Learn more by downloading our webinar on 90 Day Certificate Validity.