Businesses Must Prepare For 90-Day Certificates

Google Chromium recently sent a shockwave through already-pressed IT professionals with its announcement that it would reduce TLS certificate lifespans from 398 to 90 days.

This move had long been on the horizon, and those of us who were conscious of Google Chromium’s influence already predicted it would show up in a future policy update or a Certificate Authority/Browser Forum Ballot Proposal.

This drop in maximum validity will mean major changes for the industry and businesses. 

In recent years the maximum term for a public TLS (or SSL) certificate has shrunk from three years to two, and then to one. Google Chromium intends to shorten this lifespan further to 90 days, a measure which could come into effect by the end of 2024, though no date has currently been specified.

The reason for the proposed reduction in certificate lifetime is to encourage automation across the ecosystem.

These changes will lead to faster adoption of upcoming security capabilities and best practices, pushing the ecosystem to adapt and transition to quantum-resistant algorithms more quickly, while also reducing reliance on ‘broken’ revocation-checking solutions that cannot fail closed and therefore offer incomplete protection. Shorter-lived certificates will also reduce the impact of unexpected certificate transparency log disqualifications.

What is hidden in the subtext of Google Chromium’s ‘Moving Forward, Together’ roadmap is how it will go about the process. If the CA/B Forum chooses to align with Google Chromium and make this change through a balloting process, that’s one way to make this a requirement. However, if not, Google Chromium hints that it is prepared to unilaterally force this change through. The way it would do so is by making this change a requirement for the Chrome root program, meaning it would immediately become a de facto standard that every commercial public CA will need to follow. As browsers control their own root program requirements independently of CA/B Forum mandates, this change can take place whether the CA/B Forum endorses it or not.

Google is alerting the industry that it needs to prepare for radically shorter digital certificate lifespans. This early announcement of its intentions aims to give users time to transition to systems that can seamlessly support the reduction in validity timeframes, and the implications that come with it, and organisations are well advised to take advantage of this early warning.

The first and most obvious question CISOs will ask is how they are going to approach the management of digital certificates with shorter lifespans.

Already in enterprises, we see tens or hundreds of thousands of certificates deployed across any one IT environment, each with disparate renewal dates. For almost all organisations, the number of digital certificates they need to manage continues to climb rapidly. This alone has acutely increased risk levels and has become a pressing issue that demands automated solutions. 

Digital certificates enable enterprises to securely transact business within their own ecosystems and further afield. Digital certificates secure almost limitless systems and processes, from mobile phones to sophisticated IoT devices deployed in critical national infrastructure, and everything in between. 

Manual methods no longer an option as management becomes 4x harder

Organisations must understand the dangers that a manual approach to digital certificate management presents. Working only with basic tools such as spreadsheets and siloed point solutions is no longer a confident option: it hampers visibility of all digital identities and leads to things being missed, which can cause outages or, worse, create an opportunity for bad actors to exploit. The introduction of 90-day certificates will only compound the issue, and continuing to manage them manually will make a breach or outage a more likely reality.

With the new lifespan change, work will increase for IT teams, who will need to handle the renewal and deployment of server certificates more than four times per year. The increase in workload will greatly increase the potential for error.

CISOs must already deal with existing hurdles such as rogue certificates, visibility over cryptographic decisions, and individual deployment, and this only compounds the problem. Manual management simply becomes unworkable and anyone still taking this approach will almost certainly pay the price.

Automate Or Risk Breaches & Outages

Threat actors have become increasingly sophisticated and efficient in their attacks. While businesses generally have become more sophisticated in identifying and stopping potential attacks, Google’s announced change means bad actors will be readying to take advantage of this. The organisations that will suffer most will be those that fail to best manage human and machine identities once digital certificate lifespans shrink to 90 days.

Organisations must automate the entire lifecycles of digital certificates, from renewal to revocation, at scale.

The most advanced option for automating the certificate management process is a CA-agnostic Certificate Lifecycle Management (CLM) platform. These solutions can help with the discovery of certificates in enterprise environments, independently of which Certificate Authority originally issued them. They make the task easier with notifications of impending expirations, and automatic provisioning and installation of renewal and replacement certificates. This way, enterprises can shield themselves from outages stemming from incorrect use or renewal of certificates and remain in control of their security.
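As an added example (not from the article, and not Sectigo's or any CLM vendor's code), the renewal-window audit such a platform performs, written against a constructed inventory of (host, notBefore, lifetime) records; it assumes a renew-at-two-thirds policy, which is the common practice for 90-day certificates, and also shows why 90-day validity means more than four renewals a year:

```python
"""Renewal-window audit over a certificate inventory (added example).
Assumes discovery has already produced (host, not_before, lifetime_days)
records; the inventory below is constructed, not real hosts."""
from datetime import datetime, timedelta, timezone

# Constructed reference time and inventory mixing 398-day and 90-day certs.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
INVENTORY = [
    ("legacy.example.test", datetime(2023, 11, 1, tzinfo=timezone.utc), 398),
    ("api.example.test",    datetime(2024, 4, 1, tzinfo=timezone.utc), 90),
    ("mail.example.test",   datetime(2024, 5, 20, tzinfo=timezone.utc), 90),
    ("old.example.test",    datetime(2024, 2, 1, tzinfo=timezone.utc), 90),
]

def renewals_per_year(lifetime_days, renew_at_fraction=2 / 3):
    """Renewals needed per year when each certificate is replaced after
    renew_at_fraction of its lifetime (fraction 1.0 = renew only at expiry)."""
    return 365 / (lifetime_days * renew_at_fraction)

def renewal_due(not_before, lifetime_days, now, renew_at_fraction=2 / 3):
    """True once renew_at_fraction of the certificate's lifetime has elapsed,
    i.e. day 60 of a 90-day certificate under the assumed policy."""
    renew_point = not_before + timedelta(days=lifetime_days) * renew_at_fraction
    return now >= renew_point

def audit(inventory, now=NOW, renew_at_fraction=2 / 3):
    """Classify each host as 'expired', 'renew' (inside the renewal window)
    or 'ok'; an expired entry is the outage the article warns about."""
    result = {}
    for host, not_before, lifetime in inventory:
        not_after = not_before + timedelta(days=lifetime)
        if now >= not_after:
            result[host] = "expired"
        elif renewal_due(not_before, lifetime, now, renew_at_fraction):
            result[host] = "renew"
        else:
            result[host] = "ok"
    return result

if __name__ == "__main__":
    for lifetime in (398, 90):
        print(f"{lifetime}-day certs: {renewals_per_year(lifetime):.1f} renewals/year")
    for host, status in audit(INVENTORY).items():
        print(f"{host}: {status}")
```

Feeding the audit's 'renew' and 'expired' lists to an alerting or ACME-driven issuance step is the automation the article calls for.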

Google’s 90-day certs are coming. With enough time to prepare and automation readily at their disposal, there is no excuse for businesses to be caught out. 

Tim Callan is Chief Experience Officer at Sectigo
