Certificate lifespan is getting shorter

Over the years the cybersecurity industry has undergone notable transformations requiring organizations to implement new best-practice standards, often at short notice.

In 2020, Apple unilaterally opted for shorter TLS certificate durations, reducing them from three years to 398 days, thereby increasing the burden on certificate management. Subsequently, Apple introduced shorter lifespans for S/MIME certificates at the start of 2022. In the past year, both code signing and S/MIME users faced additional alterations, while Google proposed transitioning to 90-day certificates, a subject we have explored in our latest webinar. Anticipating further changes, particularly with the rise of artificial intelligence (AI) and the looming risk of post-quantum (PQ) computing, organizations must enhance their agility.

Today, TLS/SSL certificates are typically valid for about a year, according to the Certification Authority Browser (CA/B) Forum requirements. This yearly renewal cycle is convenient for organizations to manage and schedule. However, transitioning to shorter-lived certificates, like the proposed 90-day validity period, will require more frequent renewal efforts. With 90-day validity, organizations will need to renew certificates four times every 12 months. In practice, because a buffer is needed before expiry, certificates may need to be renewed every 60 days. Ultimately, this change could lead to replacing certificates more than six times every 12 months, depending on the renewal window chosen.
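As an added example (not Entrust's code), the Go snippet below shows how the renewal cadence described above follows from a certificate's validity and the renewal lead time, checked against a constructed self-signed test certificate (fixed seed, not a CA-issued one) rather than a real deployment: with a 90-day lifetime and a 30-day buffer, renewal is due on day 60, which works out to seven renewals a year.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math"
	"math/big"
	"time"
)

const day = 24 * time.Hour

// RenewalsPerYear: renewals per 365 days when each fires leadTime before expiry.
func RenewalsPerYear(validity, leadTime time.Duration) int {
	return int(math.Ceil(float64(365*day) / float64(validity-leadTime)))
}

// RenewalDue reports whether leadTime or less remains before the cert's NotAfter.
func RenewalDue(cert *x509.Certificate, now time.Time, leadTime time.Duration) bool {
	return !now.Before(cert.NotAfter.Add(-leadTime))
}

// selfSigned builds a constructed test certificate (fixed seed, not CA-issued)
// so the example runs offline; only its validity window matters here.
func selfSigned(notBefore time.Time, validity time.Duration) *x509.Certificate {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(validity),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func main() {
	issued := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	cert := selfSigned(issued, 90*day) // the proposed 90-day lifetime
	fmt.Printf("renewals/year=%d due@day59=%v due@day60=%v\n", RenewalsPerYear(90*day, 30*day),
		RenewalDue(cert, issued.Add(59*day), 30*day), RenewalDue(cert, issued.Add(60*day), 30*day))
}
```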

Enterprises will be required to handle both the management of digital certificates within their systems and the reverification of their domains every 90 days. According to Google’s Moving Forward, Together initiative “more timely domain validation will better protect domain owners while also reducing the potential for a CA to mistakenly rely on stale, outdated, or otherwise invalid information resulting in certificate mis-issuance and potential abuse.”

Shorter certificate lifecycles will drive automation

Shorter-lived certificates offer numerous advantages, with automation being the foremost benefit. Google and other root programs advocate for automation to streamline certificate lifecycle management. Additionally, shorter certificate validity aligns with the upcoming adoption of post-quantum cryptography (PQC). Because PQC algorithms are still relatively new and lack a proven track record, organizations may need to switch algorithms more frequently, on a timeline that is hard to predict and that also depends on when existing algorithms become vulnerable to quantum computer attacks. Automation plays a crucial role in supporting this increased renewal frequency.

Industry calls for automation to reduce security risks

While the 90-day proposal from Google has not officially been discussed in the CA/Browser Forum, both certification authorities and certificate consumers agree that automation is a necessity for a smooth transition to certificates with a shorter validity period. We can see a similar recommendation in NIST Special Publication 1800-16:

“Automation should be used wherever possible for the enrollment, installation, monitoring, and replacement of certificates, or justification should be provided for continuing to use manual methods that may cause operational security risks.”

Challenges of a 90-day certificate validity period for organizations

Running TLS certificate workflows multiple times a year means an increased workload for certificate operations, server owners, infrastructure, and webmaster teams. The inability to renew the domain verification and replace certificates at a rapid pace may increase the risk of outages. Additionally, automated solutions are not one-size-fits-all, as each context and organization has unique requirements and constraints.

Next steps

We strongly recommend that you consider your next steps and plan your strategy with these key points in mind:

  • Spend the time to prepare for a 90-day or shorter maximum certificate lifetime future so that you can seamlessly handle the change
  • Start thinking about your security model(s) and post-quantum readiness
  • Consider how you pay for your certificates and evaluate how subscriptions can provide more deterministic costs
  • Invest in robust certificate management capabilities
  • Focus on standards-based APIs and integrations
  • Plan a path to support 100% automation, even if it means applying a hybrid approach for different parts of your organization

If you would like to learn more about how Entrust can assist you in achieving automation, watch our most recent webinar or contact our security experts today for further information.