Do I need to automate the management of my digital certificates today?

On March 3, Google announced its plan to shorten the maximum validity period of TLS certificates from 398 days to 90 days. This will mean major changes to how every company manages its digital certificates.

Not too long ago, it was possible to issue digital certificates with a validity period of two or three years. The most recent reduction in the validity period occurred in 2020, when it was lowered from two years to 398 days.

Google is now the first to submit a proposal to the CA/B Forum (the Certification Authority Browser Forum) to reduce the validity period from the current maximum of 398 days down to 90 days.

It is worth noting that if Google’s proposal for shorter certificate lifespans fails to be approved at the CA/B Forum, Google could still implement the change independently. This change would of course impact Google Chrome as well as other browsers based on “Chromium,” including Opera, Vivaldi, and Microsoft Edge. The reason for this is that Google and other browser vendors set the requirements for their own root programs themselves. In short, if Google chooses to proceed with the change despite the proposal being voted down, all CAs would have to comply with the new guidelines, and businesses would have to adjust accordingly.

A similar case occurred when Apple sought to cut the lifespan of certificates from two years to 398 days: it never formally proposed the change. Instead, it simply announced that, as of a certain date, only certificates lasting up to 398 days would be deemed “trusted”. This change caused the entire industry to follow suit, resulting in one-year certificates becoming the new standard in nearly all web browsers.

Why do they want to reduce the lifespan even further?

Shorter certificate lifespans encourage the automation of certificate management, which drives the ecosystem away from time-consuming and error-prone manual issuance processes. These changes will enable faster adoption of the new security features and best practices required for a rapid transition to quantum-resistant algorithms.

So, is now the time to automate?

Reducing certificate lifespans will pose a significant challenge for companies that still rely on manual certificate renewal and installation processes. A task that was previously performed once a year will now have to be completed more than four times a year, resulting in a four-fold increase in workload for the teams involved.

To ensure that your organization is prepared and can maintain security while avoiding interruptions in critical systems, it is necessary to take proactive measures such as implementing a comprehensive Certificate Lifecycle Management system. It’s best to do this before the 90-day change comes into effect!

We at Dotkeeper are happy to help with this. Contact us and we will tell you more.