Google recently announced its intention to reduce the maximum validity of public TLS (also known as SSL) certificates to 90 days, down from 398 days. This is not an announcement to ignore: the drop will mean major changes for the industry in the year ahead, and organizations are well advised to begin preparations now.
So, what happened? On March 3, Google shared its “Moving Forward, Together” roadmap with the intention to reduce the maximum public TLS certificate validity to 90 days in either “a future policy update or a CA/B Forum Ballot Proposal,” a subtle but important detail worth understanding.
Google appears to be saying that if the CA/B Forum chooses to make this industry change through a balloting process, that’s great. However, Google is prepared to unilaterally force this change by making it the de facto standard that every commercial public Certificate Authority (CA) will need to follow. As browsers control their own root program requirements, this change can occur even in the absence of a CA/B Forum mandate. Google is deliberately telegraphing its intentions to give industry and certificate consumers time to prepare for the inevitable transition and the implications that come with it.
Though the specific timing is unknown, it is likely that this 90-day maximum will be in effect by the end of 2024, so organizations should take advantage of this early warning and prepare for the looming implications.
Certificates are the gold standard for establishing digital trust
Before going into what enterprises should do to prepare for this change, it’s first helpful to provide more context around the importance of SSL certificates and their ubiquity in today’s digital world.
The world’s data is secured with public key infrastructure (PKI) digital certificates, technology that acts in some ways like a passport. They contain identity information related to the holder, and in a digital world, certificates act as a “passport” for humans and the machines (such as software, code, bots, IoT/OT, laptops, and devices) that they use.
Public key cryptography underpins virtually everything in digital life and ultimately ensures that enterprises can securely transact business within their own networks and beyond. Certificates secure an almost limitless range of systems and processes, from a printer in a home office to sophisticated IoT devices in a factory to systems supporting critical national infrastructure, and everything in between. Think of certificates as a digital trust stamp that verifies and authenticates the massive (and growing) number of human and machine identities accessing sensitive data every second of the day.
In recent years the maximum term for a public TLS/SSL certificate has dropped from three years to two to one, and now Google has stated its intent to further reduce this lifespan to 90 days.
The number of digital certificates and their use cases continues to grow, which creates a very real operational challenge for businesses: managing them at scale. Just one overlooked certificate can lead to major financial and reputational harm. Now, tack on the drop in TLS/SSL certificate lifespans to just 90 days and management just got even more difficult. Therefore, the most obvious implication of Google’s announcement relates to the management of certificates, and the solution is clear – automation.
Certificate management just got 4X harder; automated certificate management is a must
While enterprises technically can still manually manage certificates with 90-day maximum lifespans, manual renewal and deployment will continue to become more burdensome and error-prone over time. This upcoming development demands that organizations automate management of certificates.
Manually handling the renewal and deployment of each server certificate more than four times per year will be incredibly difficult, requiring more than four times the work IT security teams currently put into an already arduous task. This is a significant increase, especially given that most enterprises do not have a small number of certificates overall. This isn’t about dozens of certificates that must be dealt with four times per year; it’s about hundreds or thousands of certificates. This is not a job that can practically be done manually today, and certainly not in the future. Add in existing difficulties like rogue certificates, limited visibility into cryptographic decisions, and one-off deployments, and manual management becomes unworkable.
Automation becomes even more crucial here, especially since it’s not just the lifespan of TLS/SSL certificates going down but also the length of domain validation reuse. Today, the Baseline Requirements allow for the reuse of data or documents related to previously completed domain validations for up to 398 days. Google has also stated its intention to reduce domain validation reuse periods to 90 days, saying “more timely domain validation will better protect domain owners while also reducing the potential for a CA to mistakenly rely on stale, outdated, or otherwise invalid information resulting in certificate mis-issuance and potential abuse.” This is an important detail to note because enterprises must not only manage what certificates are in their systems but also re-verify their domains every 90 days.
Now is the time for IT managers to look into options for certificate automation, including CA-agnostic Certificate Lifecycle Management (CLM) platforms. These solutions can help with discovery of certificates in enterprise environments regardless of the issuing Certificate Authority, notification of impending expirations, and automatic provisioning and installation of renewal and replacement certificates. In so doing, they help avoid outages and breaches caused by the incorrect use or renewal of certificates.