On March 3, Google (via The Chromium Projects, which it controls) proposed a plan to drastically shorten the lifespan of Transport Layer Security (TLS) digital certificates, from 398 days to 90 days. This will spur significant changes in how organizations manage their certificates, particularly regarding automated processes.
The proposal by the open source body behind the Google Chrome browser and Chrome OS, included in a road map called “Moving Forward, Together,” is a positive step toward ensuring more reliable, robust Web operations. But it will require companies and other organizations to significantly transform their certificate processes.
The lifespan of digital certificates has fallen steadily over the past decade, from five years in 2012 to a little more than two years in 2018 to 13 months, or 398 days, in July 2020. The shorter lifespans help ensure the accuracy of digital identities, especially in a cloud-based computing environment where websites and services are constantly being spun up or down to accommodate changing demands and priorities.
Google said the proposed changes would allow for faster adoption of improvements, such as best practices and new security capabilities, and encourage organizations to move away from time-consuming and error-prone manual processes. The resulting move toward automation would also better prepare organizations for the advent of post-quantum cryptography.
A Wake-up Call for Certificate Monitoring
If adopted, the Chromium Projects’ proposal to the CA/Browser Forum — a consortium of certification authorities (CA), browser makers, and others — would most likely take effect by the end of 2024. And although the changes are not set in stone, the prospects of a considerably shorter lifespan should serve as a wake-up call for organizations. They need to get greater control and visibility over their public keys and certificates, because the proposal is a sure sign that the game has changed.
The five-year life of certificates from a decade ago reflected a different time, when teams could get a certificate for, say, a Web server and then pretty much forget about it. They never developed a routine for checking to see if certificates were about to expire or for renewing them, which could lead to certificate-related outages. The eventual shortening of certificate life to 398 days helped put teams on a schedule they could get comfortable with, checking regularly for expirations.
As organizations expand in the cloud, visibility of TLS (also known as Secure Sockets Layer, or SSL) certificates is critical. And the layered, increasingly complex environments in the cloud are beyond the ability of teams to keep track of manually. Now, with the proposed new validity period, it’s about automating the process.
Currently, organizations dedicate their resources to the people and processes necessary for installing certificates. In the near future, they’ll need people and resources for automating the process, which will involve programming and maintaining new software. The focus will shift somewhat from knowledge of public key infrastructure (PKI) — which is at the core of TLS — to internal infrastructure knowledge.
Centralized Monitoring Is Critical
To manage the certificate workload, organizations will need to centralize certificate monitoring in order to easily identify certificates that are about to expire. Without a centralized view, it’s still possible to spin up a server, get a certificate for it, and then forget about it, which can lead to disaster. A 2022 Ponemon Institute study found that half of respondents had suffered at least one certificate-related attack in the previous two years, and that 58% of them described the financial consequences as “severe.”
Centralized monitoring also involves more than checking expiration dates on certificates. Organizations also will need to monitor how certificates are being used on their servers. It’s not uncommon for certificates to be deployed to the wrong servers, leaving some servers without the certificates they need for their workloads. In a small company with a handful of employees, everyone may know what’s running where. But in a 5,000-person enterprise, it can be impossible to keep track of it all without a centralized view.
The interconnected nature of business operations may also require that TLS visibility extend to supply chains, because a compromise of even a small system within a connected environment can have a huge impact on operations. Organizations may want to consider the advantage of outside monitoring services, rather than keeping everything in-house.
The full impact of the Chromium Projects’ proposal has yet to be determined. There seems to be a couple of gray areas, such as whether it might apply to Internet of Things devices such as, for example, security cameras that also use certificates, or if it’s limited to just Web servers.
But no matter what happens with the proposal, it reflects the reality of today’s environment. Shorter certificate lifespans are beneficial, but organizations will certainly need to rethink how they can properly manage them.