Businesses Must Prepare For 90-Day Certificates

Google Chromium recently sent a shockwave through already-pressed IT professionals with its announcement that it would reduce TLS certificate lifespans from 398 to 90 days.

This move had long been on the horizon, and those of us who were conscious of Google Chromium’s influence already predicted it would show up in a future policy update or a Certificate Authority/Browser Forum Ballot Proposal.

This drop in maximum validity will mean major changes for the industry and businesses. 

In recent years the maximum term for a public TLS (or SSL) certificate has shrunk from three years to two, then to one. Google Chromium intends to shorten this lifespan further, to 90 days, a measure which could come into effect by the end of 2024, though no date has currently been specified.

The reason for the proposed reduction in certificate lifetime is to encourage automation across the ecosystem.

These changes will lead to faster adoption of upcoming security capabilities and best practices, encouraging the ecosystem to adapt and transition to quantum-resistant algorithms more quickly, while also reducing reliance on ‘broken’ revocation-checking solutions that cannot fail closed and therefore offer incomplete protection. Shorter-lived certificates will also reduce the impact of unexpected Certificate Transparency log disqualifications.

What is hidden in the subtext of Google Chromium’s ‘Moving Forward, Together’ roadmap is how it will go about the process. If the CA/B Forum chooses to align with Google Chromium and make this change through a balloting process, that’s one way to make this a requirement. However, if not, Google Chromium hints that it is prepared to unilaterally force this change through. The way it would do so is by making this change a requirement for the Chrome root program, meaning it would immediately become a de facto standard that every commercial public CA will need to follow. As browsers control their own root program requirements independently of CA/B Forum mandates, this change can take place whether the CA/B Forum endorses it or not.

Google is alerting the industry that it needs to prepare for radically shorter digital certificate lifespans. This early announcement of its intentions aims to give users time to transition to systems that can seamlessly support the reduced validity period and the implications that come with it, and organisations are well advised to take advantage of this early warning.

The first and most obvious question CISOs will ask is how they are going to approach the management of digital certificates with shorter lifespans.

Already in enterprises, we see tens or hundreds of thousands of certificates deployed across any one IT environment, each with disparate renewal dates. For almost all organisations, the number of digital certificates they need to manage continues to climb rapidly. This alone has acutely increased risk levels and has become a pressing issue that demands automated solutions. 

Digital certificates enable enterprises to securely transact business within their own ecosystems and further afield. Digital certificates secure almost limitless systems and processes, from mobile phones to sophisticated IoT devices deployed in critical national infrastructure, and everything in between. 

Manual methods no longer an option as management becomes 4x harder

Organisations must understand the dangers that a manual approach to digital certificate management presents. No longer can or should one confidently work only with basic tools such as spreadsheets and siloed point solutions. Doing so hampers visibility of all digital identities and leads to things being missed, which can cause outages or, worse, create an opportunity for bad actors to exploit. The introduction of 90-day certificates will only compound the issue, and continuing to manage them manually will make a breach or outage a more likely reality.

With the new lifespan, the workload for IT will increase: teams will need to handle the renewal and deployment of each server certificate more than four times per year. The added workload will greatly increase the potential for error.

CISOs must already deal with existing hurdles such as rogue certificates, visibility over cryptographic decisions, and individual deployment, and this only compounds the problem. Manual management simply becomes unworkable and anyone still taking this approach will almost certainly pay the price.

Automate Or Risk Breaches & Outages

Threat actors have become increasingly sophisticated and efficient in their attacks. While businesses generally have become more sophisticated in identifying and stopping potential attacks, Google’s announced change means bad actors will be readying to take advantage of this. The organisations that will suffer most will be those that fail to best manage human and machine identities once digital certificate lifespans shrink to 90 days.

Organisations must automate the entire lifecycles of digital certificates, from renewal to revocation, at scale.

The most advanced option for automating the certificate management process is a CA-agnostic Certificate Lifecycle Management (CLM) platform. These solutions can discover certificates across enterprise environments, independently of which Certificate Authority originally issued them. They make the task easier with notifications of impending expirations, and with automatic provisioning and installation of renewal and replacement certificates. This way, enterprises can shield themselves from outages stemming from incorrect use or renewal of certificates and remain in control of their security.
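As an added illustration (not code from the article or from Sectigo), the following Python sketch shows the arithmetic behind "more than four times per year" and the impending-expiration check a CLM platform runs over a discovered inventory. The inventory, hostnames, issuer names, the fixed "now" and the 30-day renewal lead time are constructed assumptions; the notAfter strings use the format Python's ssl module returns for real certificates.

```python
import ssl
from datetime import datetime, timezone

# Constructed inventory (hostnames and issuers are placeholders). The notAfter
# strings use the same format ssl.SSLSocket.getpeercert() returns for real
# certificates, so the standard-library ssl.cert_time_to_seconds() parses them.
INVENTORY = [
    {"host": "api.example.test", "issuer": "CA-A", "notAfter": "Jul 20 12:00:00 2024 GMT"},
    {"host": "mail.example.test", "issuer": "CA-B", "notAfter": "Sep  5 00:00:00 2024 GMT"},
    {"host": "legacy.example.test", "issuer": "CA-A", "notAfter": "Jun 10 08:30:00 2024 GMT"},
]

# Fixed clock so the run is reproducible (an assumption, not the real date).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def days_until_expiry(not_after: str, now: datetime = NOW) -> float:
    """Days remaining before a certificate's notAfter, as a float."""
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expiry - now).total_seconds() / 86400


def due_for_renewal(inventory, now: datetime = NOW, lead_days: int = 30):
    """Hosts whose certificate expires within lead_days, soonest first.

    This is the 'impending expiration' notification step; a CLM platform feeds
    this list into automated reissuance regardless of which CA issued the cert.
    """
    due = []
    for cert in inventory:
        remaining = days_until_expiry(cert["notAfter"], now)
        if remaining <= lead_days:
            due.append((cert["host"], cert["issuer"], round(remaining, 1)))
    return sorted(due, key=lambda row: row[2])


def renewals_per_year(validity_days: int, lead_days: int = 0) -> float:
    """Renewal events per host per year.

    With lead_days=0 this is the bare 365/validity ratio (398 -> ~0.9,
    90 -> ~4.1, i.e. "more than four times"). Renewing early, as ACME-style
    clients do, divides by the shorter effective lifetime and raises the cadence.
    """
    return 365 / (validity_days - lead_days)


if __name__ == "__main__":
    for host, issuer, remaining in due_for_renewal(INVENTORY):
        print(f"RENEW {host} ({issuer}): {remaining} days left")
    print(f"90-day certs: {renewals_per_year(90):.1f} renewals/host/year")
```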

Google’s 90-day certs are coming. With enough time to prepare and automation readily at their disposal, there is no excuse for businesses to be caught out. 

Tim Callan is Chief Experience Officer at Sectigo
