
Shorter Lifespans, Wider Risk Gaps: Preparing for the Shift to 90-Day TLS Certificates


Here we go again. On March 3, Google announced a proposal to reduce public TLS certificate lifespans from the current 398 days to just 90 days. It’s like déjà vu for IT and security teams who have witnessed an ever-shortening lifespan over the last several years.

Cutting back the lifespan of digital certificates means that enterprises really need to level up their certificate management game. That means ensuring optimal visibility to quickly catch expiring certificates before they become problematic and cause costly outages and downtime.  

Here we share the implications of Google’s “Moving Forward, Together” project and how you can best prepare for the changes ahead.

Shorter lifecycles require more frequent certificate management

Enterprises are issuing certificates at a large scale, and according to Keyfactor’s annual State of Machine Identity report, the average volume of certificates issued within an organization is 256,000. But more certificates can lead to more problems if a company can’t manage them. 

Almost two-thirds (62%) of respondents said they don’t actually know how many certificates they have. Without visibility, they can’t easily determine who owns these certificates, who issued them, or what applications or servers they are installed on. The problem will only be compounded with shorter certificate lifespans because 72% say the growing use of keys and certificates is putting increased pressure on their teams.

It’s not certificates that are the problem. It’s just human nature. People are forgetful and can only focus their attention on so many things. That’s important to remember in the context of the lifespan of certificates decreasing and the workload to renew certificates increasing by 4-5 times.

Security gain versus operational pain

Google’s “Moving Forward, Together” project includes several proposed changes, and the most impactful may be the 90-day maximum certificate validity period. The intent of this change is to improve security by keeping each certificate valid for a shorter period of time. It’s a similar concept to frequently changing your password.

But there has been some debate around whether the security gain is worth the operational pain. That’s why there is a push to alleviate the operational burden by automating certificate-related tasks, like enrollment, renewal, and provisioning. 

While ACME can help organizations begin to embrace automation, it isn’t a catch-all solution. IT and security teams need a multi-faceted approach to automation, including the use of industry-standard enrollment protocols like ACME, SCEP, and EST, as well as certificate lifecycle automation tools, to ensure that they’re well-equipped to handle the breadth of use cases across their business. 

They also need to ensure that renewal is not the only step that is automated: the provisioning and installation of certificates must be automated too. That’s where we often see problems arise. An application owner will renew a certificate, but forget to install it, install it incorrectly, or simply waste hours of their time that could otherwise be spent on their priorities. Automating the end-to-end lifecycle of a certificate helps reduce these human errors and cut down, or even completely eliminate, time spent on repetitive, tedious tasks like this.

Stop panicking and start preparing

There is uncertainty around when – and if – the shift to 90-day certificates will happen. The change requires a vote which could take six to 12 months, followed by a transition window. Plus, the change is already facing pushback from EU antitrust laws.

The only constant is change when it comes to security, and it’s just a matter of how and when that change will play out. Preparing for a change like this doesn’t happen overnight, and it takes time and careful planning. 

So, what steps can enterprises take to ensure preparedness? They are the exact same actions you should already be taking for your 398-day certificates:

  • Visibility: Develop an understanding of where all the certificates live across your network.
  • Accountability: Define certificate ownership and delegate responsibility for the lifecycle of the certificate. 
  • Policy and process: Simplify certificate requests and approvals with self-service enrollment.
  • Automation: Automate the entire lifecycle with alerts, renewals, and provisioning. 

Remember, automation is more than just getting the certificate to the asset. It’s configuring the asset to use the certificate and then reporting back that the certificate has been updated and is now being used by the device. Then, if something has not gone according to plan, you’ll have time to react and take remediation actions.
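The visibility, accountability and report-back checks described above can be expressed as one inventory audit. This is an added example, not Keyfactor code: the `Record` schema, the two-thirds renewal threshold and the sample hosts and fingerprints are assumptions constructed for illustration.

```python
from __future__ import annotations
import hashlib
import ssl
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

def served_fingerprint(host: str, port: int = 443) -> str:
    """SHA-256 of the leaf certificate the endpoint presents (needs network)."""
    pem = ssl.get_server_certificate((host, port))
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()

@dataclass
class Record:  # one inventory row; this schema is hypothetical
    host: str
    owner: str            # empty string means nobody is accountable
    not_before: datetime  # validity of the certificate currently served
    not_after: datetime
    issued_fp: str        # fingerprint of the newest certificate the CA issued
    served_fp: str        # fingerprint observed on the endpoint

def assess(rec: Record, now: datetime, renew_fraction: float = 2 / 3) -> list[str]:
    """Findings for one record; an empty list means healthy."""
    findings = []
    # Assumption: renew once this fraction of the lifetime has elapsed, so the
    # threshold scales with 90-day and 398-day certificates alike.
    renew_at = rec.not_before + (rec.not_after - rec.not_before) * renew_fraction
    if now >= rec.not_after:
        findings.append("expired")
    elif now >= renew_at:
        findings.append("renewal-due")
    if rec.issued_fp != rec.served_fp:
        findings.append("renewed-not-deployed")  # issued but never installed
    if not rec.owner:
        findings.append("no-owner")
    return findings

def row(host, owner, start, days, issued, served):
    nb = datetime.fromisoformat(start).replace(tzinfo=timezone.utc)
    return Record(host, owner, nb, nb + timedelta(days=days), issued, served)

NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)  # fixed clock for the sample
INVENTORY = [  # constructed rows: hosts and fingerprints are made up
    row("shop.example.test", "web-team", "2024-02-01", 90, "aa11", "aa11"),
    row("api.example.test", "", "2023-12-20", 90, "bb22", "bb22"),
    row("vpn.example.test", "net-team", "2023-12-01", 90, "cc34", "cc33"),
]

def report(inventory=INVENTORY, now=NOW) -> dict[str, list[str]]:
    return {r.host: assess(r, now) for r in inventory}
```

In a live audit, `served_fp` would come from `served_fingerprint()` run against each endpoint and `issued_fp` from the issuing CA's records.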

To learn more about the impact of Google’s “Moving Forward, Together” project and how Keyfactor can help you prepare for shortened certificate lifespans, watch the on-demand webinar The Shift to 90-Day TLS Certificates: How to Prepare.