Digital certificates are not like fine wine — they don’t get better with age. They’re more like medication, losing their potency the longer they sit.
So when Google said that it would adopt a 90-day lifespan for Transport Layer Security (TLS) certificates, it made sense. The certificates, also commonly known as Secure Sockets Layer (SSL) certificates, are traditionally effective for more than a year. Even that is an improvement on the validity of up to 10 years that existed a decade ago.
These certificates provide more than a little padlock-shaped icon in the address bar of Web browsers and an “https” URL for websites. The certificate attests that the server is the legitimate holder of the domain name, which guards against spoofing, and it enables the encrypted connection that secures browsing and transactions. In these days of rampant phishing and online fraud, they are a strong sign to users that a site protects its data.
The logic behind Google’s move is clear: With bad guys frequently upping their game, security can’t leave these protections to a once-a-year upgrade. The operators of the most popular browsers in use today — Apple, Microsoft, Mozilla and, yes, Google — have been working toward reducing certificate lifespans, prodded along by their working group, the CA/Browser Forum. Apple reduced its Safari browser certificates to one year in 2020, putting pressure on others to shorten the span. Google’s action is likely to spur similar action.
Expired TLS certificates are more than a cybercrime opportunity; they are also a cause of service outages, triggering browser warnings that the connection is not private and communications are not secure, and keeping users from completing their business. This issue continues to impact a number of major enterprises, including big names such as Shopify, Cisco, Starlink, and Microsoft.
The 90-Day Certificate Challenge
Certificate life-cycle management (CLM) is an ongoing challenge for admins, especially in large organizations that may have hundreds or thousands of certificates to manage. One survey found the average was more than 50,000, and the number went up more than 43% annually. Today’s enterprises, which rely heavily on cloud-based assets and automation, can’t skimp on certificate management if they want to keep operating smoothly. A number of best practices to achieve crypto-agility are imperative to face this challenge:
The challenge of protecting users, applications, and devices while ensuring availability and continuity is not likely to relent any time soon. Google’s proposal just compounds the challenge, as TLS certificates will soon need to be renewed every three months rather than on the current 13-month time frame. Automating CLM is the only path forward for PKI and information security admins who already have a difficult time with certificate management today.
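An added example, not from the article, of the kind of check an automated CLM pipeline runs over each certificate in inventory: it reads the validity period straight out of the DER encoding and reports whether the certificate was issued for longer than the 90-day maximum and whether it has entered its renewal window. The parser is a minimal DER walker written for this example, the "renew in the final third of the lifetime" rule is an ACME-client convention assumed here, and `sample_cert` builds a constructed, unsigned skeleton so the example runs offline.

```python
import datetime as dt

def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(seq):                   # yield (tag, value) for each element of a SEQUENCE body
    pos = 0
    while pos < len(seq):
        tag, val, pos = _tlv(seq, pos)
        yield tag, val

def _time(tag, val):                  # 0x17 UTCTime (YYMMDD..Z), 0x18 GeneralizedTime (YYYYMMDD..Z)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return dt.datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=dt.timezone.utc)

def _utc(day):                        # "YYYY-MM-DD" -> aware midnight UTC
    return dt.datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=dt.timezone.utc)

def validity(der):
    """Return (notBefore, notAfter) from a DER-encoded certificate (RFC 5280 layout)."""
    _, cert, _ = _tlv(der, 0)                                  # Certificate SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                                  # tbsCertificate SEQUENCE
    fields = [f for f in _children(tbs) if f[0] != 0xA0]       # drop optional [0] version
    # remaining order: serialNumber, signature AlgorithmIdentifier, issuer Name, validity
    not_before, not_after = list(_children(fields[3][1]))
    return _time(*not_before), _time(*not_after)

def check(der, today, max_days=90, renew_frac=1 / 3):
    """Lifetime and renewal status of a certificate as of `today` ("YYYY-MM-DD")."""
    nb, na = validity(der)
    lifetime, left = (na - nb).days, (na - _utc(today)).days
    return {"lifetime_days": lifetime, "days_left": left,
            "exceeds_policy": lifetime > max_days,       # issued for longer than 90 days
            "renew_now": left <= lifetime * renew_frac}  # ACME-style: renew in the final third

def _der(tag, body):                  # short-form length only (bodies under 128 bytes)
    return bytes([tag, len(body)]) + body

def sample_cert(not_before, not_after):
    """Constructed test input: a certificate skeleton with just the fields the parser
    walks; it has no subject, key or signature and is not a real certificate."""
    utc = lambda day: _der(0x17, _utc(day).strftime("%y%m%d%H%M%SZ").encode())
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + _der(0x30, b"") + _der(0x30, utc(not_before) + utc(not_after)))
    return _der(0x30, _der(0x30, tbs))
```

Against a real inventory, `validity()` is fed the DER bytes of each deployed certificate (for example from `openssl x509 -outform DER`), and the two flags drive the renewal job and the policy report.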
As more certificate authorities and browser vendors embrace Google’s new TLS validity recommendation — as they did Apple’s before — CLM will keep its place in the admin’s list of concerns. Implementing an efficient, scalable, and agile process to automate CLM processes offers a path forward that not only reduces the manual labor associated with certificate management, but also the risk of costly business outages.