The issuance of Let’s Encrypt’s first 90-day certificate in 2015 marked the start of an industry shift toward shorter certificate lifespans, moving from three years down to one year by 2020. Shorter certificate validity can be a good thing; it limits damage from key compromise and mis-issuance, encourages certificate lifecycle automation for ease-of-use, and is essential for moving the entire web to HTTPS. Google, recognizing these benefits, plans to adopt a 90-day certificate policy, commonly known as the Google 90 day certificate standard, which may become a norm by the end of 2024. This shift requires organizations to be prepared for more frequent renewals, a potential challenge for those without automated systems or clear visibility of their machine identities. However, for those well-prepared with automation and comprehensive knowledge of their keys and certificates, these shorter certificate lifecycles offer enhanced security and control.
This month, the Google Chromium Project published a roadmap document called Moving Forward, Together, which outlines the organization’s intention to reduce SSL/TLS certificate lifespans from 13 months, or 398 days, to just 90 days. Transport Layer Security (TLS) certificates (previously called SSL certificates) are used to secure websites and other online communications.
While Google has made it clear that they will enforce shorter certificate lifespans, technically certificate lifespans are mandated by a group called the Certificate Authority/Browser (CA/B) Forum, which is a consortium of browser makers, certificate authorities, and other stakeholders in the digital certificate ecosystem. The CA/B Forum has voted to shrink certificate lifespans several times over the past few years.
The move to shorten certificate lifespans has been largely driven by the need to make it harder for cybercriminals to compromise or misuse certificates, which have become a lucrative threat vector in recent years. GlobalSign sums up the value of shorter certificate lifespans, “Think about it this way, an SSL/TLS certificate is what browsers use to verify the identity of a web server. The longer the duration between verifying that information, the less reliable that validation becomes. Think about how much can change over the course of just a year - companies fold, transactions and mergers occur, companies evolve – to maintain the most reliable level of authentication that information needs to be verified regularly.”
Here's a brief timeline of certificate lifespan reductions:
- 8-10 years: Pre-2011, certificate lifespans were 96 months
- 5 years: 2012, certificate lifespans shortened to 60 months, a reduction of 37%.
- 3 years: 2015, certificate lifespans shortened to 39 months, a reduction of 35%.
- 2 years: 2018, certificate lifespans shortened to 27 months, a reduction of 30%.
- 1 year: 2020, certificate lifespans shortened to 13 months, a reduction of 51%.
- 90 days: Soon, certificate lifespans may be shortened to 3 months, a reduction of 77%
Don’t Delay: 5 Urgent Actions to Prepare for 90-Day TLS/SSL Certificates
Can Google really force the hand of the industry to move to shorter certificate lifespans? While only the CA/B Forum has the authority to mandate certificate lifespans across the industry, individual browsers are free to implement their own root program requirements, which include certificate lifespans. Given the massive market share of Google Chrome, any change made in that browser would have such a significant impact that it would become the de facto standard for the rest of the industry.
To their credit, Google is willing to play nice, suggesting the change to 90 days could be made either as a future policy update or as a CA/B Forum Ballot Proposal.
This is not an entirely unique approach. The reduction of certificate lifespans from 2 years to 1 year in 2020 was driven by a similar move by Apple, who indicated that they would limit certificate validity periods to 1 year and thus escalated the reduction in certificate lifespans that was ultimately ratified by the CA/B Forum.
The impact of moving to 90 day certificate lifespans is likely to be born in organizations, rather than CAs or browsers. With shorter certificate lifespans, organizations will need to renew their digital certificates more often—four times a year instead of just once. That means they must be prepared to identify certificates that are about to expire, request that new ones are issued and revoke the expiring certificates. Without automation, this is an arduous task, given that the number of certificates that organizations are using is growing exponentially.
CIO Study: Automation Vital to Address Shorter Lifespans and Massive Growth of TLS/SSL Certificates
Since many organizations lack the automation capabilities necessary to replace certificates with short lifespans at machine scale and speed, they are likely to see sharp increases in outages caused by unexpected certificate expirations. These problems are exacerbated by the fact that most organizations have certificate renewal processes that are prone to human error. When combined, these factors make outage prevention a complex process that is made much more difficult by shorter certificate lifetimes.
Shorter certificate lifespans: Safer, but a LOT more work
Even though most organizations acknowledge that shorter certificate lifespans reduce the risk of compromise, handling a higher volume of certificates also heightens the risk of outages caused by missed renewals. The question arises: Can you (or should you) expand your staff sixfold to manually manage this surge? But who has that kind of luxury? The only practical way forward is to use automated certificate lifecycle management to keep your TLS/SSL certificates valid and safe.
5 immediate actions to brace for the shift to 90-day certificate lifespans
The ever-shortening trajectory of certificate lifespans drives home the need to automate certificate lifecycles for survival. So, why wait? Embrace automated workflows today and be ready before certificate lifespans shrink to 90 days or lower. Automation empowers you to seize control of your renewals and ensure no certificate is neglected, sparing you unnecessary pain and toil. Below, explore 5 ways automation can simplify your current operations and future-proof your TLS/SSL certificate lifecycle management.
1. Implement continuous certificate discovery and inventory
Understanding your certificate landscape is paramount. A complete inventory, including who owns each certificate, where it is installed and when it expires, is required. Given the daily or even hourly changes with short-lived certificates, manual tracking can’t keep up.
You’ll need a robust certificate lifecycle management solution that continuously automates discovery and maintains your network’s dynamic TLS/SSL certificate inventory. This visibility is important to ensuring business continuity and preserving security.
2. Automate certificate renewal processes
After pinpointing the locations and owners of your TLS/SSL certificates, you could set up a series of alerts for expiring certificates. However, as certificate lifespans shorten, relying on manual renewal becomes impractical and risky, and you’re forced to spend days and weeks manually following up with certificate owners.
When you automate renewals, you're not just saving time—you're making sure your certificates stay up to date, avoiding downtime caused by expired ones. But automation is not one-size-fits-all. You need a certificate lifecycle management solution that allows you to automate with ACME, APIs, SDKs, agents and more.
3. Configure global certificate policies and workflows
To ensure your certificates use the most stringent attributes, you must adopt global policies and workflows. Automating these safeguards through self-service prevents business units from going rogue with unauthorized or non-compliant certificates.
Start by setting up centralized policies and workflows that enforce compliance for the new, shorter certificate lifespans. This way, it’s easier for certificate owners to request and manage certificates. Also, don’t forget to set the right validity periods for new certificates and to make sure the renewal process matches up with the shorter lifespans.
4. Integrate certificate lifecycle management with DevOps tools
Your DevOps teams likely consume the largest number of certificates, especially in CI/CD environments. And for them, time is of the essence. So, if you are viewed as a bottleneck in handling certificate requests, these teams might start cutting corners or finding shortcuts, which puts the business at risk.
Make life simple for your developers by integrating your certificate lifecycle management solution with their existing tools. Turnkey, API-driven integrations enable automated provisioning of certificates in continuous deployment environments, ensuring strict adherence to the validity periods for certificates used in both new and existing applications.
5. Set up real-time certificate monitoring and reporting
Navigating 90-day certificate lifespans requires you to juggle a continuous flow of short-lived certificates. So, it’s vital you can immediately detect anomalies or when certificate usage deviates from expected behavior.
By setting up continuous monitoring and reporting, you can ensure all certificates comply with the new, shortened lifespans and organizational policies. Regular, real-time audits help identify and rectify deviations, reducing the risk of security breaches or non-compliance penalties. This proactive approach ensures your TLS/SSL certificate landscape stays secure, compliant and aligned with best practices.