On March 3, Google announced in its “Moving Forward, Together[1]” roadmap the intention to reduce the maximum possible validity for public TLS certificates[2] from 398 days to 90 days, in a future policy update or a CA/B Forum Ballot Proposal. This drop to only 90 days maximum validity will mean major changes for the industry.

The trend of shrinking certificate lifespans is one Sectigo predicted[3] as far back as 2019. In recent years the maximum term for a public TLS (also called SSL) certificate has dropped from three years to two to one, and now Google has stated that it intends to further reduce this lifespan to 90 days. Though the specific timing is unknown, it’s likely this 90-day maximum is in effect by the end of 2024.

Google’s statement that it will enforce this via “a future policy update or CA/B Forum Ballot proposal” is a subtle but important detail worth noting. Google appears to be saying that if the CA/B Forum chooses to make this industry change through a balloting process, that’s great. However, Google is prepared to unilaterally force this change by making it a requirement for the Chrome root program, which would make it a de facto standard that every commercial public CA will need to follow. As browsers control their own root program requirements, this change can occur even in the absence of a CA/B Forum mandate.

Google is deliberately telegraphing its intentions to give industry and certificate consumers time to prepare for the inevitable transition and the implications that come with it, and organizations are well advised to take advantage of this early warning.

Why You Should Act Now
For CISOs and their teams, the most obvious implication is how they will manage digital certificates with shorter lifespans. While enterprises technically can still manually manage digital certificates with 90-day maximum lifespans, manual renewal and deployment will rapidly become error-prone and unsustainable, with potentially serious ramifications. For almost all organizations, the number of digital certificates they are required to manage continues to grow rapidly – this alone has drastically increased their level of risk. Adding shorter digital certificate lifespans into the mix will only compound the issue, bringing the likelihood of an outage or breach much closer to the day-to-day reality of hard-working IT teams.

The traditional approach of manually handling the renewal and deployment of each server certificate more than four times per year will be incredibly difficult, requiring more than four times the effort IT security teams currently spend on this already arduous task. This is a significant increase, and most enterprises do not have a small number of digital certificates. This isn’t about one certificate that must be dealt with four times per year; it’s about dozens, hundreds, or thousands of digital certificates. Add in existing difficulties like rogue certificates, lack of visibility into cryptographic decisions, and individual deployment, and manual management becomes unworkable. This is not a job that can be done easily by hand today, and in the future, organizations still taking a manual approach will almost certainly pay the price.

It’s Time to Automate
Bad actors are often one step ahead and they will be poised to take advantage of organizations that fail to rethink their approach to human and machine identity management in the wake of shortening digital certificate lifespans. Now is the time to act. Ultimately, organizations must have a solution to automate the lifecycles of digital certificates, at scale. 

To reduce risk, automation is crucial. It’s not just the lifespan of certificates going down but also the length of domain validation reuse. Today, the Baseline Requirements allow for the reuse of data or documents related to previously completed domain validations for up to 398 days. Google has also stated its intention to reduce domain validation reuse periods to 90 days, saying “more timely domain validation will better protect domain owners while also reducing the potential for a CA to mistakenly rely on stale, outdated, or otherwise invalid information resulting in certificate mis-issuance and potential abuse.” This is an important detail to note, because enterprises must not only manage the digital certificates in their systems but also re-verify their domains every 90 days.

Now is the time to look into options for CA agnostic Certificate Lifecycle Management (CLM). These solutions help with discovery of digital certificates across vast enterprise environments, regardless of the issuing Certificate Authority, notifying you of impending expirations, and automatically provisioning and installing renewal and replacement certificates. In so doing, they help avoid outages and breaches due to the incorrect use or renewal of digital certificates.
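The discovery and expiry-notification step described above can be illustrated with a small inventory check. The following is an added example and not Sectigo's or SCM's code; it uses only the Python standard library, treats the 90-day figure from the post as the maximum validity to flag against, and assumes a hypothetical 30-day renewal window. The certificate dictionaries mirror the shape returned by `ssl.SSLSocket.getpeercert()`, and the hostnames, dates and the fixed "now" timestamp are constructed sample data.

```python
"""Inventory check: certificate lifetime, time to expiry and renewal status.

Added example, not the original post's or Sectigo's code. Standard library only.
"""
import socket
import ssl
from dataclasses import dataclass
from datetime import datetime, timezone

MAX_VALIDITY_DAYS = 90    # maximum validity discussed in the post
RENEW_WITHIN_DAYS = 30    # hypothetical renewal window (assumption, not from the post)
SECONDS_PER_DAY = 86400


@dataclass
class CertStatus:
    host: str
    lifetime_days: float
    remaining_days: float
    exceeds_max_validity: bool   # issued with a lifetime longer than the 90-day cap
    due_for_renewal: bool        # still valid but inside the renewal window
    expired: bool


def assess_certificate(host, cert, now=None,
                       max_validity_days=MAX_VALIDITY_DAYS,
                       renew_within_days=RENEW_WITHIN_DAYS):
    """Derive lifetime and renewal status from a getpeercert()-style dict.

    notBefore/notAfter use the "Mon DD HH:MM:SS YYYY GMT" format that
    ssl.cert_time_to_seconds() parses.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    lifetime = (not_after - not_before) / SECONDS_PER_DAY
    remaining = (not_after - now.timestamp()) / SECONDS_PER_DAY
    return CertStatus(
        host=host,
        lifetime_days=lifetime,
        remaining_days=remaining,
        exceeds_max_validity=lifetime > max_validity_days,
        due_for_renewal=0 <= remaining <= renew_within_days,
        expired=remaining < 0,
    )


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Live fetch of a server certificate (needs network; unused by the sample)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample inventory; hostnames and dates are made up.
SAMPLE_INVENTORY = {
    # 398-day certificate, expiring soon: flagged on both counts
    "www.example.test": {"notBefore": "Jan 01 00:00:00 2023 GMT",
                         "notAfter": "Feb 02 23:59:59 2024 GMT"},
    # exactly 90 days, 45 days left: compliant, not yet due
    "api.example.test": {"notBefore": "Dec 01 00:00:00 2023 GMT",
                         "notAfter": "Feb 29 00:00:00 2024 GMT"},
    # long-lived certificate that already lapsed: an outage in waiting
    "legacy.example.test": {"notBefore": "Oct 01 00:00:00 2022 GMT",
                            "notAfter": "Jan 10 00:00:00 2024 GMT"},
}
SAMPLE_NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)  # fixed clock for the sample


def sample_report(now=SAMPLE_NOW):
    """Assess every entry in the constructed inventory against a fixed clock."""
    return [assess_certificate(h, c, now) for h, c in SAMPLE_INVENTORY.items()]


def summarize(statuses):
    """Count certificates per condition; the numbers an on-call team wants first."""
    return {
        "expired": sum(s.expired for s in statuses),
        "due_for_renewal": sum(s.due_for_renewal for s in statuses),
        "exceeds_max_validity": sum(s.exceeds_max_validity for s in statuses),
    }


if __name__ == "__main__":
    statuses = sample_report()
    for s in statuses:
        print(f"{s.host:22} lifetime={s.lifetime_days:7.2f}d "
              f"remaining={s.remaining_days:7.2f}d "
              f">90d={s.exceeds_max_validity} due={s.due_for_renewal} "
              f"expired={s.expired}")
    print(summarize(statuses))
```

Swapping `SAMPLE_INVENTORY` for the output of `fetch_peer_cert()` over a list of hosts turns this into a live scan; the `exceeds_max_validity` flag is the useful early signal, since any certificate issued with a lifetime above 90 days is one that the current renewal process will have to handle more than four times a year once the cap takes effect.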

Worried About Shorter Certificate Lifespans?
Sectigo can help. Sectigo Certificate Manager (SCM) is the most robust CA agnostic CLM on the market. SCM is built to automate the lifecycles of all digital certificates, regardless of their origin. SCM offers:

  • Support for Automated Certificate Management Environment (ACME) protocol.
  • Secure Certificate Enrollment Protocol (SCEP) support.
  • Support for Enrollment Over Secure Transport (EST).
  • A proprietary automation tool which enables the management of certificates for a variety of systems, including Apache Tomcat, Windows IIS web servers, and F5 Big-IP load balancers.
  • REST API: In some instances, companies prefer to integrate applications more tightly with Sectigo, which is possible using Sectigo’s REST API.

SCM also integrates with a broad set of technology vendors. IT teams can automate the issuance and management of Sectigo digital certificates, alongside those from other public CAs and private CAs such as Microsoft Active Directory Certificate Services (ADCS), AWS Cloud Services, and Google Cloud Platform (GCP).

This is in addition to integrations with popular DevOps platforms like Kubernetes, Docker, HashiCorp, and more than a dozen leading technologies including leading Load Balancer platforms such as Amazon, Google, F5, A10 Networks and Kemp, popular CDNs like Akamai and Amazon, and even notification applications like Microsoft Teams and Slack.

Learn why Sectigo Certificate Manager is the first and most comprehensive CA agnostic CLM on the market at https://sectigo.com/lps/ca-agnostic-clm[4].

Plus, register for Sectigo’s upcoming March 30 webinar, 90 Day Certificate Validity, here[5].

*** This is a Security Bloggers Network syndicated blog from Sectigo[6] authored by Tim Callan[7]. Read the original post at: https://sectigo.com/resource-library/google-announces-intentions-to-limit-tls-certificates-to-90-days-why-automated-clm-is-crucial[8]
