How to Avoid Outages as Google Reduces TLS Certificate Lifespans to 90 Days

"How often do digital certificates expire?" 

It's a commonly asked question, and there's a new answer.

On March 3, 2023, Google's Chromium Projects announced that the organization plans to reduce the maximum validity period for public Transport Layer Security (TLS) certificates from 398 days to 90 days. 

But first things first. What is a TLS certificate? It's the successor protocol to the Secure Sockets Layer (SSL), which authenticates web servers and protects online communications via an encrypted connection between a browser and a secure website, among other use cases. 

What happens if a TLS certificate expires? Do expired certificates still work? Unfortunately, no. Once a certificate expires, a website can't run secure transactions, which can prevent employees from accessing business-critical data or customers from making purchases. 

Here's how to avoid costly outages.

Google's 90-Day SSL Certificate Announcement: A Push for Enhanced Internet Security

Google's update to the lifespan of TLS certificates intends to increase speed, security, stability, and simplicity throughout the ecosystem by promoting automation and supporting the adoption of best practices for certificate lifecycle management. 

Shorter certificate lifespans can help prevent cybercriminals from exploiting old certificates that are "left behind" as companies close their businesses, merge with other organizations, or rebrand their identities. Google's move will shorten the duration the compromised certificate could be misused which will bolster the ecosystem’s integrity.

Additionally, the change will promote the agility required to transition the ecosystem to quantum-resistant algorithms, helping enterprises secure their sensitive data against possible future cyberattacks using quantum computers.

The Challenges of Manual Certificate Management

Organizations already need to manage a growing number of digital certificates, typically upwards of tens of thousands. Shorter certificate lifespans further increase the risks of breach or outages if renewals aren't performed in a timely manner. 

Manual certificate management can cause provisioning errors and potential delays. Failure to renew certificates on time can lead to application outages, causing costly downtime and frustrating customer or employee experiences. The frequent renewals and domain validation cycles also increase IT workload, diverting resources from strategic initiatives. Additionally, manual methods don't provide the tracking capabilities to support visibility and operational efficiency. With the paradigm of ever shrinking lifespan of certificates, manual management will not be scalable.

Certificate Management in a Multi-Cloud Environment Increases Complexity

The risk of certificate outages increases as the average enterprise has to manage numerous certificates in complex hybrid and multi-cloud environments. As organizations' digital ecosystems expand, manual processes make it extremely challenging to know if an SSL certificate has expired until application outages occur. 

Moreover, the 90-day validation period for the TLS certificate indicates the general trend of shortening digital certificate lifespans. IT departments must renew and deploy each server certificate at least four times per year, straining resources already spread thin. Four renewals yearly for dozens, hundreds, or even thousands of digital certificates makes manually managing these processes not just costly — it's simply impractical.

How Do I Fix Expired Certificates?

When experiencing certificate outages, an IT department must produce a new Certificate Signing Request (CSR) and select the right SSL certificate for the business. Then, perform a domain control validation (DCV) and install the SSL certification on the server. But certificate outages can also be a warning sign that things could be falling through the cracks in the organization's manual TLS/SSL certification management process. Businesses should automate certification management to ensure outages don't happen again.

Sectigo Certificate Manager (SCM) is an automated certificate lifecycle management solution that allows enterprises to discover, issue, renew, and manage all their digital certificates through one single pane of glass. SCM helps enterprises "set and forget" certification renewals to avoid outages, reduce IT workload, prevent data breaches, avoid compliance violations, and streamline certification management. SCM employs Industry Standards based protocol, e.g., ACME to automate certificate management lifecycle.

SCM is a certificate authority (CA)-agnostic platform where organizations can manage public and private certificates in a single-pane-of-glass view. Its crypto agility helps secure web servers and load balancers, reinforce enterprise email security, protect networks and mobile devices, support a zero-trust architecture, and manage cryptographic keys to protect sensitive data in the cloud. It also works with our quantum-safe hybrid TLS/SSL certificates to support quantum-safe algorithms.

A Future-Proof Solution for Enterprise Certificate Management

Google's proposed 90-day TLS certificate lifespan highlights the importance of adopting automated certificate management. The Sectigo Certificate Manager gives enterprises a comprehensive platform to navigate the shifting security landscape effortlessly without risking certificate outages. 

Learn more about SCM and see how Sectigo can help implement secure and efficient certificate management.