The world of digital certificates is rapidly evolving, as evidenced by the Google Chromium Project’s recent plans to further reduce the lifespan of Transport Layer Security certificate, or Secure Socket Layer certificates (SSL/TLS certificates) from 13 months, or 398 days, down to a mere 90 days. This transformative shift, announced in Google’s “Moving Forward, Together” roadmap, intends to bolster the security of online communications and provide more robust defenses against cyber threats.
Certificate Lifespans
TLS certificates play a crucial role in securing websites and online communication. Certificate Authorities (CAs) issue these certificates with a defined expiration date. Over the past decade, the lifespan of these certificates has steadily decreased. Before 2011, certificates had a lifespan of up to 96 months. In 2012, this was reduced to 60 months; in 2015, it was 39 months; in 2018 it was 27; and in 2020 it was eventually 13 months. Each reduction aimed to enhance security and mitigate the misuse of these certificates.
A shorter lifespan means the digital identities of websites are verified more frequently. With the constant flux of the business world, domains may change ownership and companies may evolve, merge, or even fold, making the previous validation information unreliable. Google’s roadmap suggests that domain validation should ideally remain reliable for only six weeks. The proposed 90-day lifespan brings us closer to that ideal, presenting a more dynamic and secure approach to validation.
The Certificate Authority/Browser (CA/B) Forum is a consortium of browser makers, CAs, and other stakeholders that technically dictate certificate lifespans. However, individual browsers can still establish their own requirements. Given Google Chrome’s massive market share, any change implemented in Chrome could become a de facto standard for the entire industry.
Obstacles
The significant reduction in certificate lifespan presents new challenges, particularly for organizations with a large number of certificates, as certificate lifecycle management becomes considerably more complex and tedious. Without the right systems in place, organizations would need to manually identify expiring certificates, get new ones issued, revoke the old ones, and deploy the new certificates–a process that would need repeating four times a year for each certificate.
Automation
This is where the Automated Certificate Management Environment (ACME) protocol comes into play. Designed by the Internet Security Research Group (ISRG), ACME automates the certificate lifecycle management process, helping to ease the burden of the impending shift. An ACME agent installed on a web server manages certificate requests, domain validations, installations, and renewals for the websites on the server. Companies such as GlobalSign offer ACME services, facilitating both domain-validated (DV) and organization-validated (OV) SSL/TLS certificates.
While ACME significantly streamlines certificate lifecycle management, it is still vital for organizations to prepare for this upcoming change. Given Google’s lack of a specified timeline, industry experts predict the new validity period will likely take effect by the end of 2024. This time frame allows organizations to gain visibility and control over their keys and certificates, establishing robust, automated systems to prevent unexpected certificate expirations and potential outages.
The move towards 90-day SSL/TLS certificate validity might seem like a daunting prospect for organizations. Still, with automated certificate lifecycle management solutions and careful preparation, it’s an evolution that promises greater security and reliability in our increasingly interconnected world. It’s time for earnest discussions and strategic planning around certificate lifecycle management in every organization.
Accutive Security Management Services for SSL/TLS Certificates
At Accutive Security, we offer comprehensive certificate lifecycle management services. Our experts leverage their extensive knowledge of certificate-based security and machine identities to assist organizations in implementing CLM automation and maintaining a strong security posture. Proudly partnered with organizations like Venafi, KeyFactor, and AppViewX, we work to strengthen your security, provide you with insight, and help you develop effective governance protocols. Schedule a demo using the link below to learn more.
Comment