Google recently announced on its Moving Forward, Together site its intention to reduce the maximum allowed validity for public TLS certificates to 90 days from the present limit of 398 days.
This is an announcement no organization should ignore - the drop will mean major changes for all companies across every industry, writes Tim Callan, Chief Experience Officer, Sectigo.
This move, anticipated for some time, showcases Google's significant influence in the browser space and is expected to have far-reaching implications for public Certificate Authorities and businesses alike.
Why does this change matter? Digital certificates play a vital role in securing business transactions across countless systems and processes in all walks of our digital lives. They safeguard everything from mobile devices to complex Internet of Things (IoT) deployments in critical national infrastructure and beyond.
SSL certificate terms have contracted steadily...
The maximum validity period for public certificates has steadily decreased. Initially with no hard time limit at all, public SSL certificates have been reduced to a maximum term of three years, and then two years, and then one. Now, Google plans to push it down to a mere 90 days. While the exact implementation date has not been specified, a good estimate is for this change to take effect by the end of the upcoming year.
This change will multiply the number of certificates organizations need to manage by at least five times. That means this reduction creates an urgent need for automation of certificate management across the digital security ecosystem.
Google Chromium's Moving Forward, Together Roadmap details a set of related goals to this change
● Shorter certificates are more secure overall as they reduce the risk window for problematic or misissued certificates or compromised private keys.
● Crypto agility—the widespread deployment of necessary updates to algorithms and cryptographic practices—is enhanced.
● The opportunity for mismatches between domain ownership and issued certificates goes down.
● The transition for post-quantum cryptography—encryption that is resistant to attacks by quantum computers—will occur more readily.
By publishing its intentions in such a visible way, Chrome is putting IT departments on alert. Now is the time to prepare smooth transitions to processes and systems that will remain reliable in a world of reduced validity timeframes.
CISOs and their teams must consider how they will manage digital certificates with shorter lifespans. Today’s enterprise may have thousands of certificates deployed across its IT environment, each requiring timely renewal, or outage will occur. As the number of digital certificates that organizations must manage continues to grow, an automation solution becomes more critical than ever.
It is imperative to recognize the risks associated with manually managing digital certificates. Relying solely on outdated tools like spreadsheets and isolated point solutions is fraught with risk - the risk of outages, business disruption, lost revenue, and security breach. The advent of 90-day maximum term will multiply this risk dramatically.
To mitigate these risks, organizations must automate the entire lifecycle of all digital certificates deployed in their IT ecosystems, including renewal, at scale. An effective option is a Certificate Lifecycle Management (CLM) platform. These platforms provide notifications for impending expirations and automated certificate provisioning, installation, renewal, and replacement. CLM, helps ensure uninterrupted operation and reduces risk associated with misused or expired certificates.
90-day certificate lifespans are coming, and organizations have been given enough time to prepare—if they start now. Automation solutions are readily available, leaving no excuse for businesses to be caught off guard. By leveraging these tools and implementing robust certificate management processes, organizations can navigate the changing landscape of digital certificates and strengthen their long-term security.