Google recently announced that it wants to cut the maximum length of time that public TLS (SSL) certificates can be used from 398 days to 90 days.
Under its “Moving Forward, Together” plan, Google planned to limit the maximum public TLS certificate validity to 90 days through “future policy updates or a CA/B Forum Ballot Proposal.” This is a small but important point worth noting.
The maximum time a public SSL certificate can be used has gone from three years, to two years, to one year, and now Google says it wants to cut this even further to 90 days.
This 90-day limit will probably be in place by the end of 2024, though the exact date is unknown.
Encouraging automation and shortening certificate validity periods is meant to move the ecosystem away from complicated, time-consuming, and error-prone ways of issuing certificates.
“Reducing certificate lifetime encourages automation and adopting practices that move the ecosystem away from complicated, time-consuming, and error-prone issuance processes,” says Google.
Google says that these changes will speed up the adoption of new security features and best practices and make it easier for the ecosystem to quickly switch to algorithms that resist attack by quantum computers.
Shorter certificate lifetimes will also make it less likely that people rely on “broken” revocation checking solutions that cannot fail closed and do not offer enough protection.
Also, unexpected Certificate Transparency log disqualifications will have less effect on shorter-lived certificates.
Google also planned to cut the domain validation reuse period to 90 days.
“More timely domain validation will better protect domain owners and reduce the chance that a CA will mistakenly rely on old, outdated, or otherwise invalid information, which could lead to certificate mis-issuance and possible abuse,” says Google.
Risk must be reduced through automation.
It will be very hard to manually manage the renewal and deployment of each server certificate more than four times a year. This means that IT security staff will have to work more than four times as hard on a task that is already hard.
This is a big increase, since most businesses do not have just a few dozen certificates: it is hundreds or thousands of certificates that must be handled four times a year.
In this situation, automation is even more important, especially as both TLS/SSL certificate lifetimes and domain validation reuse periods get shorter.
So, IT managers should look into options for automating certificates, such as Certificate Lifecycle Management (CLM) platforms that do not depend on a specific CA. These solutions can discover certificates across enterprise environments, even ones issued by a different Certificate Authority, and automatically provision and install renewal and replacement certificates.
In the end, businesses need a way to speed up the automation of digital certificate lifecycles. Reducing risk requires automation.
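As an added illustration (not code from the article or from any CLM product), the Python audit below runs over a constructed certificate inventory: it flags certificates whose lifetime exceeds a cap, those already expired or overdue for renewal, and projects the yearly renewal count under the current 398-day and the proposed 90-day limits. The one-third-remaining renewal trigger, the example hostnames and the CA labels are assumptions, not figures from the page.

```python
from datetime import datetime, timedelta, timezone
from math import ceil
from typing import NamedTuple

CURRENT_MAX_DAYS = 398  # today's maximum public TLS certificate lifetime
PROPOSED_MAX_DAYS = 90  # the maximum Google has proposed
# Assumption, not from the page: renew once a third of the lifetime remains (common ACME practice).
RENEW_AT_REMAINING_FRACTION = 1 / 3

class CertRecord(NamedTuple):
    subject: str  # hostname the certificate is for
    issuer: str   # issuing CA; an estate usually mixes several
    not_before: datetime
    not_after: datetime

def lifetime_days(cert):
    # Validity period in days; an inverted notBefore/notAfter window is a data error.
    days = (cert.not_after - cert.not_before).days
    if days <= 0:
        raise ValueError(f"{cert.subject}: notAfter is not later than notBefore")
    return days

def audit(inventory, now, max_days):
    # Flag over-limit, expired and renewal-due certificates; project yearly renewals under max_days.
    report = {"over_limit": [], "expired": [], "due": [], "issuers": set(), "renewals_per_year": 0}
    for cert in inventory:
        days = lifetime_days(cert)
        report["issuers"].add(cert.issuer)
        report["renewals_per_year"] += ceil(365 / min(days, max_days))
        if days > max_days:
            report["over_limit"].append(cert.subject)
        if cert.not_after <= now:
            report["expired"].append(cert.subject)
        elif cert.not_after - timedelta(days=days * RENEW_AT_REMAINING_FRACTION) <= now:
            report["due"].append(cert.subject)  # the renewer should already have acted
    return report

def make_cert(subject, issuer, start, days):
    # Constructed record (not a real certificate) from an ISO start date and a lifetime in days.
    nb = datetime.fromisoformat(start).replace(tzinfo=timezone.utc)
    return CertRecord(subject, issuer, nb, nb + timedelta(days=days))

INVENTORY = [
    make_cert("www.example.com", "CA-A", "2024-01-01", 398),     # at today's limit
    make_cert("api.example.com", "CA-B", "2024-04-01", 90),      # already on 90 days
    make_cert("legacy.example.com", "CA-A", "2022-03-01", 825),  # pre-2020 style lifetime
    make_cert("old.example.com", "CA-C", "2023-01-01", 90),      # lapsed, never renewed
]
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
```

Running `audit(INVENTORY, NOW, PROPOSED_MAX_DAYS)` against `audit(INVENTORY, NOW, CURRENT_MAX_DAYS)` shows the same four certificates going from 12 to 20 renewal events a year, which is the workload jump the article describes.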