Digital keys and certificates act as machine identities that authenticate connections and communications. In other words, these machine identities control the flow of sensitive data to trusted machines in a wide range of security and operational systems. Enterprises rely on machine identities to connect and encrypt over 330 million internet domains, over 1.8 billion websites and countless applications. When these certificates expire unexpectedly, the machines or applications they identify will cease to communicate with other machines, shutting down critical business processes.
Starting tomorrow, September 1st, all publicly trusted TLS certificates will have a lifespan of 398 days or less. This is roughly half of the previous certificate lifespan. This latest change is an indication that machine identity lifetimes will continue to shrink. Since many organizations lack the automation capabilities necessary to replace certificates with short lifespans at machine scale and speed, they are likely to see sharp increases in outages caused by unexpected certificate expirations.
“This latest change in the certificate lifespan originated due to unilateral move from Apple to reduce machine identity lifespans, and it will profoundly impact businesses and governments globally,” said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi. “The interval between certificate lifecycle changes is shrinking, while at the same time, certificates lifecycles themselves are being reduced.”
Bocek continues: “In addition, the number of machines—including IoT and smart devices, virtual machines, AI algorithms and containers—that require machine identities is skyrocketing. It seems inevitable that certificate-related outages, similar to those that have haunted Equifax, LinkedIn, and the State of California, will spiral out-of-control over the next few years.”
According to analysis by Venafi, the interval between changes in the length of certificate lifespans has been shrinking over the last decade:
- Pre-2011—8-10 years
Certificate lifespans were 96 months
- 2012—5 years
Certificate lifespans were shortened to 60 months, a reduction of 37%. This change was preplanned in CA/Browser Forum Baseline Requirements.
- 2015—3 years
Certificate lifespans were shortened to39 months, a reduction of 35%. This change happened three years after the five-year limitation was adopted.
- 2018—2 years
Certificate lifespans were shortened to 27 months, a reduction of 30%. This change happened two years after the three-year limitation was adopted.
- 2020—1 year
Certificate lifespans were shortened to 13 months, a reduction of 51%. This change happened one year after the two-year limitation was adopted.
Unfortunately, eliminating certificate-related outages within complex, multitiered architectures can be challenging. Ownership and control of these certificates often reside in different parts of the organization, with certificates sometimes shared across multiple layers of infrastructure. These problems are exacerbated by the fact that most organizations have certificate renewal processes that are prone to human error. When combined, these factors make outage prevention a complex process that is made much more difficult by shorter certificate lifetimes.
“If the interval between lifecycle changes continues on its current cadence, it’s likely that we could see certificate lifespans for all publicly trusted TLS certificates reduced to 6 months by early 2021 and perhaps become as short as three months by the end of next year,” concludes Bocek. “Actions by Apple, Google or Mozilla could accomplish this. Ultimately, the only way for organizations to eliminate this external, outside risk is total visibility, comprehensive intelligence and complete automation for TLS machine identities.”
- Venafi Study: Are Financial Service Organizations More Likely to Suffer Certificate-Related Outages?
- Majority of Businesses Still Experience Outages: Are You Protecting Your Certificates?
- GAO Report: Expired Certificate Allowed Extended Exfiltration
- How Big Is Your Risk of Certificate-based Outages?