Recently, at a CA/B Forum meeting, Google’s Chrome team shared their vision for a new policy related to SSL/TLS certificates. They proposed a 90-day validity period for these certificates, which means certificates would need to be renewed every 90 days. This proposal is not an immediate change, but it starts a conversation about making certificate life even shorter in the future.
Shortening certificate lifetimes has been a growing trend, and it’s not just Google driving it. Over the years, the SSL certificate validity period has changed from three to two years, and now most certificates are valid for one year.
Stay tuned to this blog as we delve into the conversation surrounding the 90-day validity periods and their potential implications on your SSL management.
In the past, companies (OEMs) preferred shorter certificate lifetimes because they make things more secure and help them update faster. To do this, they allowed customers to have flexible certificate lifetimes through their APIs.
We also noticed that Chrome encourages shorter certificate lifetimes in their root policy notice. It’s great because it promotes automation and the adoption of practices that speed up certificate issuance and enhance security. When we reduce certificate lifetimes, we can swiftly adopt new security measures and best practices, including preparing for future changes, such as quantum-resistant algorithms.
Another advantage we observed is that shorter-lived certificates reduce our reliance on less effective revocation checking methods, providing us with better protection. Additionally, they help minimize the impact of any unexpected issues with Certificate Transparency Logs.
In the end, we strongly believe that shorter certificate lifetimes offer significant benefits to both our security and the overall efficiency of the certificate ecosystem.
Reducing the certificate validity period to 90 days may not address the problem of compromised certificates effectively. This is because improving security policies across the industry usually takes six to twelve months, so certificate lifetimes are not the main source of delay.
Moreover, domain registrations are typically for a year, not every 90 days. So, moving to 90-day certificates might not be the best solution for making the web PKI more agile.
Instead, let’s explore alternative methods to promote automation and quickly replace certificates when needed, which is the ultimate goal here. We’re excited to discuss ways to incentivize and encourage such practices for better security.
Shorter certificate validity periods may address some security concerns, but they also bring significant challenges. Switching to 90-day certificates would be a big adjustment for companies, and managing certificate lifecycles would become more complex. The traditional method of tracking certificates with spreadsheets and expiry notifications becomes impractical as certificate lifetimes shrink. Manual tracking is labor-intensive and prone to mistakes, especially at scale.
Mismanaged certificates can lead to outages, which can be very costly. Studies show that certificate outages or failed audits can result in economic losses exceeding $10 million, and data breaches cost an average of $9.4 million. Such incidents also erode customer trust, leading to potential loss of customers. To avoid these risks, managed solutions and automation are expected to become the industry norm, whether or not certificate validity periods are reduced to 90 days. Automation can help handle the increasing workload and minimize the possibility of human errors causing outages.
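As an added illustration of the automation point above (this is not DigiCert code or part of the original post), the following Go program parses X.509 certificates and applies an assumed renewal rule of "renew once less than a third of the validity period remains", which is what an automated renewal check does instead of a spreadsheet. The two certificates are constructed, self-signed samples with 90-day and one-year lifetimes; the hostnames are placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert builds a constructed self-signed certificate standing in for one inventory entry.
func makeCert(cn string, notBefore time.Time, lifetime time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(lifetime),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NeedsRenewal applies the rule assumed here: renew once less than a third of the validity period remains, or after expiry.
func NeedsRenewal(c *x509.Certificate, now time.Time) bool {
	lifetime := c.NotAfter.Sub(c.NotBefore)
	return now.After(c.NotAfter.Add(-lifetime / 3))
}

func main() {
	start := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	now := start.Add(70 * 24 * time.Hour) // 70 days in: 20 of 90 days left, 295 of 365
	for cn, life := range map[string]time.Duration{"short.example": 90 * 24 * time.Hour, "long.example": 365 * 24 * time.Hour} {
		c, err := makeCert(cn, start, life)
		if err != nil {
			panic(err)
		}
		fmt.Println(cn, "needs renewal:", NeedsRenewal(c, now))
	}
}
```

With a 90-day lifetime the same rule fires four times a year per certificate, which is the workload the post says spreadsheets cannot absorb.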
We are always working on innovative solutions to keep our customers ahead of the game. As certificate lifetimes get shorter and threats evolve, we are ready with answers.
For instance, when the industry shifted to one-year certificates, we introduced Multi-year Plans to our website. This automated renewal for up to six years, saving the hassle of annual renewals and locking in pricing discounts.
Our latest offering, DigiCert® Trust Lifecycle Manager, is a comprehensive solution. It integrates CA-agnostic certificate management for both public and private trust, along with PKI services. This means centralized visibility, enhanced security, and compliance with industry standards.
Unlike other solutions, DigiCert® Trust Lifecycle Manager covers not only certificate lifecycle management (CLM) but also PKI services. This includes managing private PKI issuance, certificates for users, devices, and servers, and seamless integrations for end entities and third-party applications. We’ve got it all covered!
For more detailed insights into DigiCert® Trust Lifecycle Manager, please watch the video below.
The industry is dedicated to enhancing online security by focusing on shorter certificate validity periods. While discussions about 90-day validity periods continue, the main goal is to strike a balance between security and practicality.
To prevent costly outages and breaches due to mismanaged certificates, efficient certificate lifecycle management is crucial. We provide Multi-year Plans and DigiCert® Trust Lifecycle Manager, enabling businesses to confidently manage changing certificate lifecycles and ensure security in the ever-evolving digital landscape.