As we modernize for the future, the trend is for certificate lifespans to continue to shrink to become more secure, while matching the pace of continuous development and rapidly evolving threat landscapes. Google has indicated a strong preference for shorter certificate lifespans and is likely to reduce their certificate validity period from 398 days to 90. Google possesses the capability to implement this change through a ballot proposal in the CA/Browser Forum ballot proposal. However, should this approach not succeed, Google has the option to mandate the change by requiring a 90-day certificate validity period for certificates within the Chrome root program.. With Chrome holding a 62% market share, such an action would compel commercial public certificate authorities (CAs) to adopt a 90-day period as the default standard.
When ultimately ratified by the CA/B Forum, this movement will dramatically increase the staff hours and budget required to manage a continuously rotating certificate population. Even with 1-year certificate lifespans, most organizations are challenged by unfettered growth in the overall number of certificates they rely on. In a Venafi study, we learned that on average, CIOs at organizations with more than 10,000 employees estimated that they had more than 320,000 machine identities in their enterprises at the start of 2022. With constant growth rates, they’re likely to have more than quadruple that amount in 2025—in the neighborhood of 1.3 million certificates.
It’s also important to note that the expected 90-day certificate lifespans will place a huge burden on security teams to rotate TLS certificates much more frequently. Since best practices recommend renewing certificates 30-days prior to expiration, every certificate with a shortened lifespan will require 6 renewals a year.
Shorter certificate lifespans: Safer, but a LOT more work
Even though most organizations acknowledge that shorter certificate lifespans reduce the risk of compromise, handling a higher volume of certificates also heightens the risk of outages caused by missed renewals. The question arises: Can you (or should you) expand your staff sixfold to manually manage this surge? But who has that kind of luxury? The only practical way forward is to use automated certificate lifecycle management to keep your TLS/SSL certificates valid and safe.
5 immediate actions to brace for the shift to 90-day certificate lifespans
The ever-shortening trajectory of certificate lifespans drives home the need to automate certificate lifecycles for survival. So, why wait? Embrace automated workflows today and be ready before certificate lifespans shrink to 90 days or lower. Automation empowers you to seize control of your renewals and ensure no certificate is neglected, sparing you unnecessary pain and toil. Below, explore 5 ways automation can simplify your current operations and future-proof your TLS/SSL certificate lifecycle management.
1. Implement continuous certificate discovery and inventory
Understanding your certificate landscape is paramount. A complete inventory, including who owns each certificate, where it is installed and when it expires, is required. Given the daily or even hourly changes with short-lived certificates, manual tracking can’t keep up.
You’ll need a robust certificate lifecycle management solution that continuously automates discovery and maintains your network’s dynamic TLS/SSL certificate inventory. This visibility is crucial to ensuring business continuity and preserving security.
2. Automate certificate renewal processes
After pinpointing the locations and owners of your TLS/SSL certificates, you could set up a series of alerts for expiring certificates. However, as certificate lifespans shorten, relying on manual renewal becomes impractical and risky, and you’re forced to spend days and weeks manually following up with certificate owners.
When you automate renewals, you're not just saving time—you're making sure your certificates stay up to date, avoiding downtime caused by expired ones. But automation is not one-size-fits-all. You need a certificate lifecycle management solution that allows you to automate with ACME, APIs, SDKs, agents and more.
3. Configure global certificate policies and workflows
To ensure your certificates use the most stringent attributes, you must adopt global policies and workflows. Automating these safeguards through self-service prevents business units from going rogue with unauthorized or non-compliant certificates.
Start by setting up centralized policies and workflows that enforce compliance for the new, shorter certificate lifespans. This way, it’s easier for certificate owners to request and manage certificates. Also, don’t forget to set the right validity periods for new certificates and to make sure the renewal process matches up with the shorter lifespans.
4. Integrate certificate lifecycle management with DevOps tools
Your DevOps teams likely consume the largest number of certificates, especially in CI/CD environments. And for them, time is of the essence. So, if you are viewed as a bottleneck in handling certificate requests, these teams might start cutting corners or finding shortcuts, which puts the business at risk.
Make life simple for your developers by integrating your certificate lifecycle management solution with their existing tools. Turnkey, API-driven integrations enable automated provisioning of certificates in continuous deployment environments, ensuring strict adherence to the validity periods for certificates used in both new and existing applications.
5. Set up real-time certificate monitoring and reporting
Navigating 90-day certificate lifespans requires you to juggle a continuous flow of short-lived certificates. So, it’s vital you can immediately detect anomalies or when certificate usage deviates from expected behavior.
By setting up continuous monitoring and reporting, you can ensure all certificates comply with the new, shortened lifespans and organizational policies. Regular, real-time audits help identify and rectify deviations, reducing the risk of security breaches or non-compliance penalties. This proactive approach ensures your TLS/SSL certificate landscape stays secure, compliant and aligned with best practices.
Bottom line: crypto agility is essential for business continuity
The TLS/SSL certificates you need to effectively run your business are in constant motion. Algorithms change. Applications change. Lifespans change. Keeping pace requires a certificate lifecycle management solution that enables you to turn on a dime with crypto agility. As new security risks or standards emerge, or business needs evolve, you’ll find that the ability to rapidly update certificates in bulk is not just good to have—it’s a business imperative.
Venafi TLS Protect delivers the crypto agility you need to thrive amidst shorter certificate lifespans, all while preparing your organization for future game changers like post-quantum computing. Put a robust solution in place today so that you make changes on the fly, without compromising your security posture or the availability of critical applications and services.
Learn how Venafi can help your organization automate your TLS/SSL certificate lifecycle management, no matter how many certificates you have. See what TLS Protect can do for you.