As of April 1st, 2015, the lifetime of SSL certificates has now been reduced to 39 months, in accordance with the CA/Browser Forum Baseline Requirements.
The certification authorities (CAs) will probably receive some pushback from customers who like to use 4- or 5-year certificates (where five years was the previous maximum). Back before 2012, there was no maximum, and some subscribers could have received 10-year certificates.
Controlling the cryptography in use is the reason to limit the validity period. Over the last few years, we have moved from 1024-bit to 2048-bit RSA keys. We are currently moving from SHA-1 to SHA-2 hashing for digital signatures. As the industry identifies practices that have become outdated, it also wants to know when all of the “bad” certificates issued under them will have expired.
Certificate policies can be written around the known maximum validity period. If the policy is set correctly, certificates can be used for their whole lifetime, with no need to migrate before they expire. Of course, this philosophy may mean that there will be further efforts to reduce the validity period, perhaps to 1 or 2 years. I was just reminded of the validity period issue by the Venafi Heartbleed 2015 research report. The research report concludes that 74 percent of Global 2000 organizations with public-facing websites are still vulnerable to Heartbleed one year later.
The vulnerability data is somewhat surprising. It would be great to know the average validity period of all SSL certificates. Let’s say we have an even distribution of certificates issued for one, two, three and four years. After one year, 46.9 percent would have been due for renewal. From the validity period alone, the Heartbleed problem should have been reduced to 53.1 percent. A maximum validity period of 3 years would mean that 61.1 percent would have expired, and we would have seen a 38.9 percent reduction in Heartbleed.
So why are 74 percent of organizations still vulnerable to Heartbleed? Well, let’s remember that this is a marketing survey, and I understand that the 74 percent is based on organizations and not certificates. However, there was also a fundamental issue in how companies mitigated Heartbleed.
A high number of administrators understood that they needed to upgrade OpenSSL. A large percentage of those understood that their certificate should be reissued. The problem is that many of those who replaced their certificate did so with the same private key, which is not a good tactic when one of the purposes of mitigating Heartbleed was to protect the private key. Also note that, to mitigate Heartbleed fully, the old certificate should also have been revoked.
With certificate expiration and new key generation, the Heartbleed problem should have been reduced by about 50 percent. Coupled with a mitigation plan, the Heartbleed vulnerability should have been reduced even further.
Moving forward, consider using shorter-lived certificates. Even though the maximum validity period is now 39 months, you can drop this validity period to one or two years. Consider the validity period as the backstop to protecting your private key, your website, and your users’ data. But remember one important item: when you renew your certificate, create a new private key.
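The two checks the post ends on, a renewed certificate carrying a fresh private key and a lifetime within the 39-month cap, as an added Go example that is not from the original post or any CA's tooling. It issues its own constructed self-signed certificates in place of CA-issued ones, and the host name www.example.test is hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// maxValidityMonths is the CA/Browser Forum cap described in the post.
const maxValidityMonths = 39

// withinMaxValidity reports whether the certificate's lifetime is at most 39 months.
func withinMaxValidity(c *x509.Certificate) bool {
	return !c.NotAfter.After(c.NotBefore.AddDate(0, maxValidityMonths, 0))
}

// reusesKey reports whether the renewed certificate carries the same public key as
// the old one, by comparing SHA-256 hashes of the DER SubjectPublicKeyInfo.
func reusesKey(old, renewed *x509.Certificate) bool {
	return sha256.Sum256(old.RawSubjectPublicKeyInfo) == sha256.Sum256(renewed.RawSubjectPublicKeyInfo)
}

// genKey creates a fresh P-256 key; this is the step to repeat at every renewal.
func genKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	return k
}

// selfSigned issues a constructed self-signed certificate for key, valid for the given
// number of months (sample data standing in for a CA-issued certificate).
func selfSigned(key *ecdsa.PrivateKey, months int) *x509.Certificate {
	notBefore := time.Now().UTC().Truncate(time.Second) // X.509 stores whole seconds
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "www.example.test"}, // hypothetical host name
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(0, months, 0),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { panic(err) }
	c, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return c
}
```

Running the same checks against a real old/new certificate pair is a quick way to catch the same-key renewal the post warns about before the new certificate is deployed.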