Businesses Must Prepare For 90-Day Certificates

Google Chromium recently sent a shockwave among already-pressed IT professionals with its announcement that it would reduce TLS certificate lifespans from 398 to 90 days.

This move had long been on the horizon, and those of us who were conscious of Google Chromium’s influence already predicted it would show up in a future policy update or a Certificate Authority/Browser Forum Ballot Proposal.

This drop in maximum validity will mean major changes for the industry and businesses. 

In recent years the maximum term for a public TLS (or SSL) certificate has shrunk from three years to two, to one. Google Chromium intends to further shorten this lifespan to 90 days, a measure which will potentially come into effect by the end of 2024, though no date has been specified currently.

The reason for the proposed reduction in certificate lifetime is to encourage automation across the ecosystem.

These changes will lead to faster adoption of upcoming security capabilities and best practices, prompting the ecosystem to adapt and transition to quantum-resistant algorithms more quickly, while also reducing reliance on ‘broken’ revocation-checking solutions that cannot fail closed and therefore offer incomplete protection. Shorter-lived certificates will also reduce the impact of unexpected certificate transparency log disqualifications.

What is hidden in the subtext of Google Chromium’s ‘Moving Forward, Together’ roadmap is how it will go about the process. If the CA/B Forum chooses to align with Google Chromium and make this change through a balloting process, that’s one way to make this a requirement. However, if not, Google Chromium hints that it is prepared to unilaterally force this change through. The way it would do so is by making this change a requirement for the Chrome root program, meaning it would immediately become a de facto standard that every commercial public CA will need to follow. As browsers control their own root program requirements independently of CA/B Forum mandates, this change can take place whether the CA/B Forum endorses it or not.

Google is alerting the industry that it needs to prepare for radically shorter digital certificate lifespans. This early announcement of its intentions aims to give users time to transition to systems that can seamlessly support the reduced validity periods, and the implications that come with them, and organisations are well advised to take advantage of this early warning.

The first and most obvious question CISOs will ask is how they are going to approach the management of digital certificates with shorter lifespans.

Already in enterprises, we see tens or hundreds of thousands of certificates deployed across any one IT environment, each with disparate renewal dates. For almost all organisations, the number of digital certificates they need to manage continues to climb rapidly. This alone has acutely increased risk levels and has become a pressing issue that demands automated solutions. 

Digital certificates enable enterprises to securely transact business within their own ecosystems and further afield. Digital certificates secure almost limitless systems and processes, from mobile phones to sophisticated IoT devices deployed in critical national infrastructure, and everything in between. 

Manual methods no longer an option as management becomes 4x harder

Organisations must understand the dangers that a manual approach to digital certificate management presents. No longer can or should one confidently work only with basic tools such as spreadsheets and siloed point solutions. Doing so hampers visibility of all digital identities and leads to things being missed, which can cause outages or, worse, create an opportunity for bad actors to exploit. The introduction of 90-day certificates will only compound the issue, and continuing to manage them manually will only make a breach or outage a more likely reality.

With the new lifespan change, work will increase for IT: they will need to handle the renewal and deployment of these server certificates more than four times per year. The increase in workload will greatly increase the potential for error.

CISOs must already deal with existing hurdles such as rogue certificates, visibility over cryptographic decisions, and individual deployment, and this only compounds the problem. Manual management simply becomes unworkable and anyone still taking this approach will almost certainly pay the price.

Automate Or Risk Breaches & Outages

Threat actors have become increasingly sophisticated and efficient in their attacks. While businesses generally have become more sophisticated in identifying and stopping potential attacks, Google’s announced change means bad actors will be readying to take advantage of this. The organisations that will suffer most will be those that fail to best manage human and machine identities once digital certificate lifespans shrink to 90 days.

Organisations must automate the entire lifecycles of digital certificates, from renewal to revocation, at scale.

The most advanced option for automating the certificate management process is a CA-agnostic Certificate Lifecycle Management (CLM) platform. These solutions can help with the discovery of certificates in enterprise environments, independently of which Certificate Authority originally issued them. They make the task easier with notifications of impending expirations, and automatic provisioning and installation of renewal and replacement certificates. This way, enterprises can shield themselves from outages stemming from incorrect use or renewal of certificates and remain in control of their security.
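As an added illustration of the discovery and expiry-notification step described above (example code, not the article's or Sectigo's own), the following Python uses only the standard library's `ssl` module: `fetch_peer_cert` pulls a live leaf certificate in the dict form `getpeercert()` returns, and `assess` classifies any such record against the 90-day maximum, computes how many renewals per year that lifetime implies, and flags certificates that are expired or past an assumed renewal point of two-thirds of their lifetime.

```python
import socket
import ssl
from datetime import datetime, timezone

MAX_VALIDITY_DAYS = 90     # the proposed Chrome root-program maximum
RENEW_AT_FRACTION = 2 / 3  # assumption: renew once two-thirds of the lifetime has elapsed


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Live discovery: return the leaf certificate as an ssl.getpeercert() dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def _to_utc(cert_time):
    # getpeercert() dates look like "Jan  5 09:34:43 2018 GMT"; ssl parses them
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc)


def assess(cert, now=None):
    """Classify one certificate record for the 90-day regime."""
    now = now or datetime.now(timezone.utc)
    not_before, not_after = _to_utc(cert["notBefore"]), _to_utc(cert["notAfter"])
    lifetime = not_after - not_before
    renew_by = not_before + lifetime * RENEW_AT_FRACTION
    subject = dict(rdn[0] for rdn in cert["subject"])
    return {
        "subject": subject.get("commonName"),
        "lifetime_days": lifetime.days,
        "renewals_per_year": round(365 / lifetime.days, 1),
        "exceeds_90_day_max": lifetime.days > MAX_VALIDITY_DAYS,
        "expired": now >= not_after,
        "renew_due": now >= renew_by,
        "days_left": (not_after - now).days,
    }


# Constructed sample inventory: one 90-day cert and one legacy 398-day cert.
SAMPLE_INVENTORY = [
    {"subject": ((("commonName", "app.example.test"),),),
     "notBefore": "Mar  1 00:00:00 2024 GMT", "notAfter": "May 30 00:00:00 2024 GMT"},
    {"subject": ((("commonName", "legacy.example.test"),),),
     "notBefore": "Jan  1 00:00:00 2024 GMT", "notAfter": "Feb  2 00:00:00 2025 GMT"},
]

if __name__ == "__main__":
    for cert in SAMPLE_INVENTORY:
        print(assess(cert, now=datetime(2024, 4, 1, tzinfo=timezone.utc)))
```

Each record returned by `assess` is the kind of row a CLM platform's inventory view would surface; feeding it the output of `fetch_peer_cert` turns it into a minimal live check.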

Google’s 90-day certs are coming. With enough time to prepare and automation readily at their disposal, there is no excuse for businesses to be caught out. 

Tim Callan is Chief Experience Officer at Sectigo
