This month, the Google Chromium Project published a roadmap document called Moving Forward, Together, which outlines the organization’s intention to reduce TLS certificate lifespans from 13 months, or 398 days, to just 90 days. Transport Layer Security (TLS) certificates are used to secure websites and other online communications.
While Google has made it clear that they will enforce shorter certificate lifespans, technically certificate lifespans are mandated by a group called the Certificate Authority/Browser (CA/B) Forum, which is a consortium of browser makers, certificate authorities, and other stakeholders in the digital certificate ecosystem. The CA/B Forum has voted to shrink certificate lifespans several times over the past few years.
The move to shorten certificate lifespans has been largely driven by the need to make it harder for cybercriminals to compromise or misuse certificates, which have become a lucrative threat vector in recent years. GlobalSign sums up the value of shorter certificate lifespans, “Think about it this way, an SSL/TLS certificate is what browsers use to verify the identity of a web server. The longer the duration between verifying that information, the less reliable that validation becomes. Think about how much can change over the course of just a year - companies fold, transactions and mergers occur, companies evolve – to maintain the most reliable level of authentication that information needs to be verified regularly.”
Here's a brief timeline of certificate lifespan reductions:
- 8-10 years: Pre-2011, certificate lifespans were up to 96 months.
- 5 years: 2012, certificate lifespans shortened to 60 months, a reduction of 37%.
- 3 years: 2015, certificate lifespans shortened to 39 months, a reduction of 35%.
- 2 years: 2018, certificate lifespans shortened to 27 months, a reduction of 30%.
- 1 year: 2020, certificate lifespans shortened to 13 months, a reduction of 51%.
- 90 days: Soon, certificate lifespans may be shortened to 3 months, a reduction of 77%.
Can Google really force the hand of the industry to move to shorter certificate lifespans? While only the CA/B Forum has the authority to mandate certificate lifespans across the industry, individual browsers are free to implement their own root program requirements, which include certificate lifespans. Given the massive market share of Google Chrome, any change made in that browser would have such a significant impact that it would become the de facto standard for the rest of the industry.
To their credit, Google is willing to play nice, suggesting the change to 90 days could be made either as a future policy update or as a CA/B Forum Ballot Proposal.
This is not an entirely new approach. The reduction of certificate lifespans from 2 years to 1 year in 2020 was driven by a similar move by Apple, which announced that it would limit certificate validity periods to 1 year in its own root program and thus accelerated the reduction in certificate lifespans that was ultimately ratified by the CA/B Forum.
The impact of moving to 90-day certificate lifespans is likely to be borne by organizations, rather than by CAs or browsers. With shorter certificate lifespans, organizations will need to renew their digital certificates more often—at least four times a year instead of just once. That means they must be prepared to identify certificates that are about to expire, request that new ones be issued, and revoke the expiring certificates. Without automation, this is an arduous task, given that the number of certificates that organizations are using is growing exponentially.
Since many organizations lack the automation capabilities necessary to replace certificates with short lifespans at machine scale and speed, they are likely to see sharp increases in outages caused by unexpected certificate expirations. These problems are exacerbated by the fact that most organizations have certificate renewal processes that are prone to human error. When combined, these factors make outage prevention a complex process that is made much more difficult by shorter certificate lifetimes.
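The first step in the renewal workflow described above is an inventory check: for every certificate in use, how long is its validity period, and how much of that period remains? The following Go program is an added example (not code from the original post, Google, or the CA/B Forum) that builds a few constructed self-signed test certificates with different validity windows, parses them from PEM, and classifies each one as expired, due for renewal, or fine. The 90-day cap comes from the post; the 30-day renewal window and the `.example.test` host names are assumptions chosen for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// MaxLifetime is the proposed 90-day cap discussed in the post.
const MaxLifetime = 90 * 24 * time.Hour

// RenewWindow is an assumed operational policy for this example: start renewal
// once fewer than 30 days remain. Pick a value that suits your own pipeline.
const RenewWindow = 30 * 24 * time.Hour

// Status is the renewal state reported for a certificate in an inventory scan.
type Status string

const (
	StatusExpired   Status = "expired"
	StatusRenewSoon Status = "renew-soon"
	StatusOK        Status = "ok"
)

// Classify returns the renewal status of cert as of the instant now.
func Classify(cert *x509.Certificate, now time.Time) Status {
	switch {
	case !now.Before(cert.NotAfter):
		return StatusExpired
	case cert.NotAfter.Sub(now) <= RenewWindow:
		return StatusRenewSoon
	default:
		return StatusOK
	}
}

// ExceedsLifetime reports whether the certificate's validity period is longer
// than max, i.e. whether it would violate a 90-day issuance policy.
func ExceedsLifetime(cert *x509.Certificate, max time.Duration) bool {
	return cert.NotAfter.Sub(cert.NotBefore) > max
}

// ParsePEMCert decodes the first CERTIFICATE block found in pemData.
func ParsePEMCert(pemData []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE block found in input")
	}
	return x509.ParseCertificate(block.Bytes)
}

// NewTestCert builds a PEM-encoded self-signed certificate with the given
// validity window. It is a constructed fixture for this example only; in
// production the certificate comes from a CA and is read from disk or a store.
func NewTestCert(cn string, notBefore time.Time, lifetime time.Duration) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	now := time.Now()
	day := 24 * time.Hour
	// Constructed fixtures: a fresh 90-day cert, one nearing renewal, a legacy
	// 398-day cert that would breach the cap, and one that has already lapsed.
	fixtures := []struct {
		cn       string
		start    time.Time
		lifetime time.Duration
	}{
		{"fresh.example.test", now.Add(-1 * day), MaxLifetime},
		{"aging.example.test", now.Add(-70 * day), MaxLifetime},
		{"legacy.example.test", now.Add(-30 * day), 398 * day},
		{"lapsed.example.test", now.Add(-100 * day), MaxLifetime},
	}
	for _, f := range fixtures {
		pemBytes, err := NewTestCert(f.cn, f.start, f.lifetime)
		if err != nil {
			panic(err)
		}
		cert, err := ParsePEMCert(pemBytes)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-20s status=%-10s lifetime=%3.0fd exceeds-90d=%v\n",
			cert.Subject.CommonName, Classify(cert, now),
			cert.NotAfter.Sub(cert.NotBefore).Hours()/24,
			ExceedsLifetime(cert, MaxLifetime))
	}
}
```

Feeding real certificates to `ParsePEMCert` (for example, the leaf returned by a TLS handshake or the files in your certificate store) turns this into the expiry report an organization needs before it can automate renewal; `ExceedsLifetime` is the check that flags certificates still issued under the 13-month policy.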
Does your organization have a machine identity management solution that can automate the entire certificate lifecycle?