smartenterprisewisdom

Outline

Share Article

Image with text "45-Day Certs? You've Got No Time to Lose!"
Paul Horn
Paul Horn is the Chief Technical Officer (CTO) of Accutive Security; he has over 30 years of cybersecurity and software development experience with a focus on data protection and cryptography
Posted on December 4, 2024
Picture of Paul Horn
Paul Horn
Paul Horn is the Chief Technical Officer (CTO) of Accutive Security; he has over 30 years of cybersecurity and software development experience with a focus on data protection and cryptography

Remember when we were bracing ourselves for 90-day certificates?  Google’s proposed move to 90-day TLS certificates felt like a game-changer, yet here we are, with a new curveball: Apple is now proposing to halve the validity period to only 45-days. At the fall 2024 meeting of the Certificate Authority / Browser (CA/B) Forum, Apple announced their proposal to shorten certificate validity periods to only 45 days by 2027. The proposal lays out a gradual reduction to certificate validity periods starting with 200 days by September 2025, followed by 100 days in September 2026, before reaching just 45 days in September 2027. Although this move designed to strengthen security, is causing ripples of anxiety for sysadmins and other IT professionals who are concerned about the major burden this will place on their workload. Manual management of 45 day certificates may require 10x more certificate renewals.

The stakes are high. If your organization is still wrestling with manual certificate management processes, the road ahead just got steeper.

What Are the Implications of Apple 45 Day Certs?

So, what’s the big deal about shorter certificates? While 45-day certs may reduce the risk window for exploitation, they also open up a whole new set of challenges. Imagine having to deal with 10x more certificate renewals. For organizations that rely on manual certificate management, this isn’t just a headache—it’s a ticking time bomb.

Managing certificates manually is already a resource-intensive balancing act with high stakes for missed renewals and delayed issuance. Add in 45-day renewals, and the margin for error shrinks considerably. Forgotten renewals, system outages, and compliance breaches are all very real risks when you’re dealing with such a compressed timeline. If you’re in a regulated industry like financial services or healthcare, the pressure is even greater.

How to Prepare for Shorter Certificate Validity Periods: Whether it’s Google 90 Day or Apple 45 Day Certs

The question isn’t whether you’re ready—it’s what do you need to be ready? And the answer is clear: Automated Certificate Lifecycle Management. If you are 90-day cert ready, the impact of 45-day certs is only marginally greater.

Automation is the key to ensuring that your certificates are renewed on time, properly tracked, and fully compliant – regardless of whether certificate lifecycles are 398, 90, 45, or 30 days. Solutions like Venafi TLS Protect Cloud and Keyfactor Command provide the automation needed to streamline renewals, offer real-time visibility, and reduce the administrative burden on your team. With these solutions in place, you’ll stay ahead of the curve—prepared for both 90-day and 45-day certs—without the risk of falling behind or losing control of your certificate management.

If you’ve been preparing for 90-day certificates, you’re already moving in the right direction. But with 45-day certificates now looming, it’s time to assess your current approach and build a future roadmap.

Every organization is at a different point in their readiness journey. That’s why having a clear roadmap is critical, regardless of where you are right now. Whether you’ve already started preparing for 90-day certs or are just getting familiar with the concept, here is a 5 step guide to help you get fully ready for both 90-day and 45-day certificates

Step 1: Where Are You Today? Understanding Your Current Infrastructure

Before planning for the future, you need a clear picture of where you stand. Ask yourself:

  • How many certificates are we managing right now?
    Do you have full visibility into all your certificates? Are they scattered across different departments, servers, or cloud environments? If you don’t know where your certificates are, you’re already on shaky ground.
  • Who is responsible for renewals?
    If certificate management is decentralized across multiple teams, it could lead to inconsistency, missed renewals, and gaps in security. You need a centralized view of certificate ownership and management to streamline your readiness plan.
  • Are we using a manual or automated process?
    If you’re still relying on manual processes to track and renew certificates, you’ll likely face serious challenges as cert lifecycles shrink. Manual management is prone to human error—one missed renewal, and your organization could face outages or breaches.

Step 2: What Needs to Change to be ready for 45 Day Certificates? Identifying Gaps in Process

Once you know where you stand, the next step is to identify areas where your current system might fail. Here are key gaps to look out for:

  • Limited automation
    If your team is renewing certificates by hand, you’re already behind. With the introduction of 90-day and 45-day certs, manual renewal cycles can quickly overwhelm your resources. Automated Certificate Lifecycle Management (CLM) solutions are critical to scaling certificate operations without overloading your IT team.
  • Lack of visibility
    If certificates are spread across multiple environments—on-prem, cloud, hybrid—you need a solution that gives you a single pane of glass for visibility. Otherwise, you risk missing certificates that are close to expiration or worse, already expired.
  • No centralized inventory
    Without a complete and accurate inventory of all your certificates, it’s nearly impossible to manage renewals efficiently. If you’re not sure how many certs you have or where they are, your readiness plan starts with building this inventory.

Step 3: Is Your Infrastructure and Security 45 Day Certificate Ready?

As you prepare for more frequent certificate renewals with 45-day certificates, it’s crucial to assess your infrastructure and ensure that automation can handle the increased frequency. A critical part of this preparation involves setting up the required integrations and protocols for automating certificate lifecycle management.

  • Integrating Automation Protocols?
    To effectively manage 45-day certificates, you’ll need to automate issuance and renewal processes for your public-facing certificates. ACME (Automatic Certificate Management Environment) is a protocol that automates interactions between certificate authorities (CAs) and servers, allowing certificates to be automatically requested, issued, renewed, and revoked. Ensure your infrastructure supports ACME for seamless certificate automation.
  • Infrastructure Integration? 
    Your CLM solution must integrate with various parts of your infrastructure, including web servers, load balancers, firewalls, and internal applications. This allows for automatic certificate deployment across your environment without manual intervention. Critical integration points include.

    • Web Servers: Ensure your CLM platform can automatically provision certificates for web servers (e.g., NGINX, Apache) via supported protocols.
    • Firewalls & Load Balancers: Integration with devices like F5 BIG-IP and Citrix Netscaler (previously Citrix ADC) is essential to update certificates on network infrastructure without service interruptions.
    • Cloud Services: For organizations using cloud platforms (e.g., AWS, Azure), ensure compatibility with services like AWS Certificate Manager and cloud-based ACME solutions for seamless cloud integration.
  • What about security?
    Shorter certificate lifespans reduce the risk window, but they also mean more frequent updates to critical systems. You’ll need to ensure that your CLM solution integrates seamlessly with your existing security infrastructure to avoid gaps in coverage during certificate updates.

Step 4: How Will You Implement Your Chosen CLM solution

Now, it’s time to start building out your plan. Here’s how to approach it:

  • Deploy the Solution
    Determine whether your CLM will be deployed on-premise, in the cloud, or as a hybrid. Ensure the deployment fits your infrastructure and security needs. Collaborate with IT and security teams to get it up and running smoothly.
  • Integrate with Existing Systems
    Ensure your CLM integrates with critical infrastructure, such as your PKI, SSO, directory services, VPNs, and firewalls. Test these integrations thoroughly to avoid disruptions and ensure smooth operations. Rapidly and easily conduct live demos and build proof-of-concepts using Accutive Security’s Innovation Lab.
  • Automate Certificate Renewals
    Configure the CLM to handle certificate renewals automatically. Set renewal policies, expiry alerts, and ensure that renewals happen well before certificates expire to minimize risks.
  • Centralize Certificate Management
    Before you can perform any automation, you will require a complete valid inventory. CLM platforms support various forms of discovery to ensure visibility into your organization’s current utilization.  While there are various forms of discovery, the two most common are CA Discovery and Network Discovery.
    CA Discovery performs a mass-import of all issued certs from a specific connected Certificate Authority. Network Discovery outlines all certificates and associated endpoints within the target location(s).
    CLM Platforms enable you to setup multiple discoveries to sufficiently scope the certificate usage within your organization.
  • Automate Certificate Renewals
    Configure the CLM to handle certificate renewals automatically. Set renewal policies, expiry alerts, and ensure that renewals happen well before certificates expire to minimize risks.
    CLM platforms support a wide variety of tools out-of-the-box, and also include integrations for DevOps tools such as HashiCorp Terraform and RedHat Ansible. These help enable pull-provisioning for specific use-cases.
  • Enforce Security and Compliance
    Customize the CLM to meet your organization’s security and compliance needs. Implement security protocols like encryption and access controls, and use the solution’s built-in compliance tools for auditing and reporting to stay aligned with regulatory requirements.

Step 5: How Will You Handle Future Certificate Changes?

Even with 90-day and 45-day certs, this might not be the end of the road. We’re already hearing whispers of 30-day certificates becoming a reality. The best way to prepare is to establish a future-proofed certificate management strategy.

  • Centralized management:
    Keep everything in one place. By implementing an automated certificate management software, you can manage certificates across different environments with real-time visibility.
  • Automated renewals:
    Don’t rely on humans to track expiry dates. Automate the entire lifecycle, from issuance to revocation, so that your team doesn’t spend their days chasing certificates.
  • Proactive compliance:
    Keep compliance front and center with built-in reporting and audit capabilities. Shorter certificates mean stricter oversight, so ensure your CLM solution aligns with regulatory demands.

Taking Action Now to Prepare for Apple 45 Day Certs

Whether it is Google’s 90 Day Certs or Apple’s 45 Day Certs, shorter certificate validity periods are coming and organizations need to be prepared. Relying on manual processes or outdated systems to handle this increased certificate turnover will put your infrastructure, security, and compliance at risk. The solution is clear: automation.

With Accutive Security’s expertise, implementing a CLM solution from Venafi or Keyfactor becomes seamless. We help you streamline certificate management, reduce the risk of outages, and stay ahead of rapid changes. Now is the time to act—the clock is ticking. Don’t wait until your 45-day certs are knocking on your door. Interested in learning more about the specific impacts of 90 Day (and 45 Day) certificates and how you can prepare? Watch our on demand webinar with our partner Venafi. 

Get a complimentary assessment of your framework and processes for managing digital certificates!

Click Here

Share Article

Comment

No Comments Found.

Leave a Reply

Step up your cybersecurity posture with Thales Hardware Security Modules

Seamless integrate HSMs into your cybersecurity stack

Download this Resource