Root Causes 347: 2023 Lookback - Shortening Certificate Lifespans

Hosted by

Tim Callan

Chief Compliance Officer

Jason Soroko

Fellow

Original broadcast date

December 11, 2023

90-day SSL certificates is only part of it! 2023 has been a year of certificate lifespans getting shorter. We review these trends.

Podcast Transcript

Lightly edited for flow and brevity.

Tim CallanIt’s the end of the year and as the end of the year, we usually try to do something about the previous year and the next year and so I think we’re going to do a couple lookback episodes and one look forward episode and what we want to do today is we want to focus on a specific theme. One of the things I think was a big theme of 2023, which is shortening certificate lifespans.

Jason SorokoYes, Tim. I remember the day. It was March 3, 2023, where Google made it really clear that - - for publicly trusted certificates specifically, they announced their intention to disallow at some point at some point everything other than anything that has more than a 90-day certificate lifespan. And that was a huge announcement, but it wasn’t the only one, Tim. Right?

Tim CallanSo, the March 3, 90-day – what do I want to say – telegraphed intentions from the Chromium project got a lot of attention and deservedly so. Right? Pretty important thing. You and I have discussed this in previous episodes how we do believe they are committed to this, how we do believe that it’s going to really happen. We don’t know exactly when, but we are pretty confident that it will. That’s a big deal and that’s causing a lot of people to take stalk but that is just the most visible example of an entire trend across the industry toward shorter and shorter certificate lifespans. And there are reasons for this. We’ve gone over it, why, but maybe it’s worth going over it again. What are the reasons why shorter certificates are better?

Jason SorokoTim, number one, right, if there’s any kind of a problem with the certificate, it’s a heck of a lot better to have a short-lived certificate out there than longer.

And of course, as a Certificate Authority, right, part of our heritage of being a Certificate Authority, Tim, from the business we work for, we really see the impact of certificate lifespans that are long that have issues or mistakes or errors or some sort of mis-issuance that we’ve spoken about and the other big one, Tim, and this is just so true, and nobody thinks about it very much but key compromise.

I gotta tell you, if your webserver is compromised, anywhere where that key might be stored, anywhere where obviously the private key – the key pair in general but the private key very specifically that is generated let’s say when you go through a CSR, a certificate signing request, function, that needs to be protected and it’s not always well protected and if that’s compromised in any kind of way, you’re in really bad shape.

Tim CallanAnd you might not know, right?

Jason SorokoYou might not know for a very, very long time and so, Tim, you know, it’s very true for publicly trusted certificates, it’s also very, very true for private trust use cases as well. And that could be anything from signing, encryption, authentication use cases. But in the SSL use case, right, the traditional web encryption use case, key compromise is a big deal and shorter certificate lifespans is a good idea.

Tim CallanSo, the reduced window for exploit, reduced window for error. Right? It’s a great thing. It’s not the only thing. Also, crypto agility is a big one and we’ve said this a bunch of times but when SHA-1 was deprecated, at that point, TLS certificates could still be three years in duration and so years later there were certs sitting out there using SHA-1 even though people had decided it was insecure. That was a big wakeup call. So crypto agility in general.

There’s also this concept of a domain certificate mismatch where if I get a domain and then I buy a long-lived certificate for that domain and I leave, I give up ownership of the domain, I sell it or I don’t renew it, now I have a certificate for a domain I don’t control. A legitimate issued, validly issued certificate for a domain I don’t control and the idea of minimizing the amount of that mismatch is generally considered to be healthy for the ecosystem.

And then, of course, shorter lived certificates encourage the use of automation. Automation is better in lots of ways. It helps error – I don’t want to say error free but less errored appointment and use of certificates. It helps with error free or less error renewal and installation. Like all of these things just make shorter-lived certificates encourage automation and automation makes all those things better.

And then of course the last one is PQC readiness. Right? There will be a time when we have to swap out for post quantum cryptography and under those circumstances shorter lived certificates are gonna let them - - it’s gonna be a shorter period of time before we are on a true safe PQC cryptographic platform. So, for all of those things together, those are the reasons why shorter certs are better.

So, you mentioned 90-day SSL/TLS. Obviously, that’s a big one and we talked about that a lot. But there’s a bunch of other things that went on in 2023 as well. So, one of the big ones is that two of the major root programs have announced – and these effects go into effect in 2024 – announced that they are going to limit the time for a root. Right? For certificate root. And the past roots can be any term. Any duration. If you wanted to issue 100-year root you could and that is not gonna be the case anymore. They are capping it. Chromium and Mozilla are capping it at 15 years from the time the key is generated until the time they deprecate the root and Chromium has telegraphed its intention eventually, eventually, to get that down to 7. Now I think that 7 is years from now but, once again, that’s the same thing. That’s a shortening of the certificate lifespan for all the same reasons we already discussed. Right?

Jason SorokoYou got it, Tim. Look, so much has just been said here and 2023 was huge on these topics. Just huge. How do you prepare? How do you go into 2024 feeling prepared for all of this? And I gotta think of two things. You hit one of them real well, Tim – automation. Right?

And there’s many ways to automate. A lot of people think, the first thing that comes to my mind – the ACME protocol. That beautiful little agent that is able to go off and reach out to your certificate authority and then put the certificate where it needs to be. It could even help if you wish to do things such as automate the webserver configuration. What a great, great coming together of all the best practices. What a great open standard for automation. But there are others. There are others and you can check into those things.

But one thing that cannot be forgotten - and you brought up PQC, you brought up other forms of crypto agility, Tim – you can’t manage and you can’t automate the renewal of something you don’t know you have and so you gotta be thinking about the other pillars of CLM and that includes discovery.

Being able to use discovery tools in a proper CLM will help to really solve those problems and you can have confidence that what certificates you are actually using, especially in a world where shadow IT is not something that might happen. It’s become quite the norm out there. Shadow IT means you might have certificates you don’t know about. Discovery will solve that. And folks, if you are dealing with publicly trusted or private trust certificates in any kind of use case, you need to have that pillar of visibility to all of your certificates. It’s just so important and a good certificate life cycle management system will give that to you.

So, that’s what to go do. It’s essentially do inventory of all of your cryptographic systems, do inventory of where all your certificates are and what certificates you are using and then automate all of them in 2024. Automate everything. And then what, all of these things Tim just said to you, right, everything from the good old problems of mis-issuance all the way to things like PQC, right? Post quantum, the post quantum world that we are all gonna live in, you will be ready for those inevitabilities.

And let me give you one that might happen. I don’t know if it’s 2024. I don’t know if it’s 2025 but this is a true reality that might happen before the post quantum timing and that is, the RSA algorithm itself. Tim, you mentioned SHA-1 as a good example of a deprecated cryptographic primitive. I would say that the RSA algorithm, look, it’s fantastic. It’s been with us for years and years. RSA-2048 probably the majority of publicly trusted certificates out there today are running that. But what happens? What happens in an enterprise scenario where you have to scramble because one day there’s a big announcement. You might even hear it from us. Trust me, if it happens, you will hear it from us. RSA deprecation. What would you do if that happened? And you all have to switch. Not necessarily to a post quantum algorithm but to ECC.

Tim CallanSure.

Jason SorokoLet’s just say tomorrow we have to snap our fingers and every single person in the world has to go to ECC-based certificates. Would you be ready for that? And everything that Tim and I just said, which is automation, discovery and visibility, if you are already doing that and if you make that something you absolutely do in 2024, if you haven’t done already in 2023, these issues, these topics such as shortening certificate lifespans, you’ll be sitting behind your desk going bring it on. Bring it on. I’d be happy for shorter certificate lifespans.

Tim CallanAnd you bring up this RSA thing. Like just to clarify – this isn’t theoretical. Like we know empirically from things people have published that there are qualified cryptographers around the world that are trying to find ways to – break is kind of an overstatement – but to reduce the attack time necessary to break RSA and they do this through a variety of techniques and methods and new techniques and methods are still being found. So, nothing has occurred yet that makes us say we can’t use RSA anymore but it is a possibility and so what you are discussing here isn’t just a hypothetical. This is a thing that really could happen or someone might be working on that right now. And so, this idea of being able to switch off RSA in a very agile fashion in advance of the PQC algorithms, in advance of Kyber is a real thing. And we really need to consider.

Jason SorokoYeah. And the only reason I bring it up, the main reason I bring it up, and it’s not to foment panic, it is to simply say if you are prepared for that potential event, you’re prepared for just about everything else. If you think about it hard enough, you’ll realize thank goodness that you as an enterprise have gone down to a 90-day certificate or less.

You’ll be really glad that your certificates for your domains are only lasting 90 days or less because in those scenarios you don’t want certificates to just be floating around that are still valid. You know, masses of certificates that are still valid under those kinds of scenarios. It would be preferable if they just died a very timely death.

Tim CallanSo a couple more, I guess three more things, in terms of shortening certificate lifespans that were part of 2023 and going into 2024. First one is fairly straightforward but with the S/MIME BRs, with the institution of the S/MIME BRs, one of the consequences of this is that the term for an S/MIME, a public S/MIME cert, is now bounded.

Prior to the BRs, in principle you could make an S/MIME cert as long as you wanted. If I wanted to issue you a ten-year S/MIME cert, I could. Now we didn’t and I think most CAs didn’t, but you could. And now it’s bounded and it’s bounded to three years for what they call the legacy profile and two years for all the other profiles and then that’s further going to decrease because the legacy profile is going to be deprecated and probably not deprecated in 2024 but I bet you in 2025 it is. And there was discussion at the last CA/Browser Forum face-to-face, the one in October, about starting that process of how do we deprecate the legacy profile. That is a real reduction of lifespan for a different certificate type, which is important because it’s not just TLS. This is happening. It’s TLS leaf certs. It’s also root certs. It’s also S/MIME certs. So, this is happening across certificates of all types.

Jason SorokoTim, I just want to add to that. And other types as well. So, it’s almost like we could do multiple episodes on the numbers of different kinds of credential types out there. Whether they’re certificate-based or TLS or not. I’ll give you a good example. SSH keys. Even if you are not bounding them within certificates and putting a lifespan on them, I’m noticing that the trend in SSH is to issue the SSH keys for a very short period of time and, you know, essentially for the length of time it takes to finish the job and then those things are killed. So in almost everything we see it’s the shortening lifespan of whether it’s a certificate or key or any sort of credential. Narrowing the window for the attack is just a good idea.

Tim CallanYep. Absolutely. This basic concept applies really to any type of certificate. Any type. Fundamentally.

The last thing I think that deserves a nod is the idea of a very short-lived public TLS/SSL certificate. And what I mean by that is I mean ten days or less. And so, in 2023, the CA/Browser Forum passed a ballot making OCSP optional but part of what was in that ballot was that if a certificate is ten days or less in duration then all revocation checking is optional. So, if I’m a public CA and I’m issuing you 10-day certs or 7-day certs or 3-day certs, I don’t need to have revocation checking at all. I don’t have CRL. I don’t have OCP. I can avoid all of that entirely and just let the certificates age out as the revocation enforcement mechanism. Right? As the quality enforcement mechanism. Now you don’t have to. You can still have CRL if you want but you can remove those. Now we can’t get rid of OCSP yet because it’s still a requirement in one major root program but that ballot being passed is not meaningless because it clears the way for a time in the future where OCSP will be optional and revocation checking at all will be optional on sub 10-day certs.

And then connected to that and the concept of sub 10-day certs, Lets Encrypt recently published its annual report and I’m gonna quote a line from it – “We’ve added shorter-lived certificates in our 2024 roadmap. We’re committing to this work because sub 10-day certificates significantly reduce the impact of key compromise and it broadens the universe of people who can use our certs.” Right? So, there you are right there. Sub 10-day certs coming out as a product in Let’s Encrypt for all the reasons that you and I just discussed. So, we really see this as a theme I think looking back in 2023 but also this is gonna continue into 2024 and 2025 in terms of the shortening certificate lifespan trend that is picking up steam and is going faster. The pace at which certificate lifespans are shortening is faster than it was in the past.

Jason SorokoThe first derivative and second derivative here are increasing as we speak. So I want to very quickly mention for Let’s Encrypt, their callout of mitigating key compromise sounds very in the weeds but it’s real.

I already mentioned it already in this podcast, they called it out in their report. It’s real. Folks, shorter and shorter certificate lifespans – in other words, sub 10-days for a publicly trusted certificate. The writing is not just on the wall. It’s now been blogged by Google. It’s now been announced as roadmap Let’s Encrypt and you are hearing it here on this podcast. It’s coming folks. So, if you were shocked by 90 days, just get ready for 10 days and less.

Tim CallanTen days and less.

Jason SorokoTim nailed it. The acceleration of the shortening of certificate lifespans, we can now say 2023 concluded that thought and you better prepare in 2024.

Tim CallanExactly. This is it. This is the trend. I believe that we are gonna see that in the year to come as well and we’ll definitely keep our eye on that.

Jason SorokoWe certainly will. But thanks for summarizing that, Tim. There was so much to go on on that topic in 2023.

Stay informed with expert insights

Subscribe to Root Causes for engaging discussions on PKI, digital security, and best practices for protecting your organization's critical assets. Don’t miss an episode!