Quick and Effective Transition to 90-Day TLS/SSL Certificates
The use of TLS/SSL certificates is essential for establishing trusted encrypted connections and securely transmitting sensitive data over the Internet. However, as cyber threats continue to evolve, there is a growing need to shorten TLS/SSL certificate lifecycles to enhance security and reduce risk.
Google has recently proposed reducing the validity period of newly issued TLS/SSL certificates to a maximum of 90 days, down from the current industry standard of 397 days. This represents a significant change that will require organizations to overhaul their certificate management practices. Proactive planning and automation will be critical to handle the increased operational overhead while aligning with emerging standards.
This comprehensive guide examines the trend towards shorter certificate lifespans, details the steps organizations should take to prepare for the 90-day TLS/SSL certificate transition, and highlights the benefits of embracing automation and crypto-agility.
Key Takeaways
- Shorter certificate lifecycles enhance security but require more frequent renewals and greater automation.
- Organizations need visibility into their existing TLS/SSL certificates to understand the impact of reduced validity periods.
- Certificate lifecycle automation, policy centralization, monitoring, and adaptive practices are key to managing certificates at scale under new standards.
- The transition to 90-day certificates, while operationally challenging, will improve overall security posture and industry alignment.
The Trend Towards Shorter Certificate Lifespans
The current industry standard maximum validity period for TLS/SSL certificates is 397 days. However, there has been a growing push to reduce certificate lifespans to enhance security and align with the modern threat landscape.
Shorter certificate lifecycles provide multiple security advantages:
- They minimize the window of exposure if a certificate is compromised.
- They limit damage from lost or stolen private keys.
- They allow more frequent rotation of cryptographic keys and algorithms.
- They enable faster revocation and replacement of vulnerable certificates.
- They facilitate tighter certificate inspection and controls.
Government agencies and security experts have been advocating for shortened certificate validity periods for years. However, industry adoption has been gradual until now.
In 2021, Google put forth a proposal to establish 90 days as the new maximum lifespan for TLS/SSL certificates. Google Chrome representing 65% of the browser market in February 2024, this proposal could become an enforced requirement for organizations.
While rapidly changing industry standards present challenges, the trend towards shorter lifecycles reflects security best practices. As threats accelerate, certificate validity periods must shrink to keep pace.
Google’s Proposal to Reduce TLS/SSL Certificate Validity To 90 Days
According to the Chromium Project’s “Moving Forward, Together” roadmap, Google proposed that the change to a 90-day certificate lifetime could be implemented in one of two ways: through a future policy update, or as a ballot proposal submitted to the CA/B (Certification Authority/Browser) Forum.
According to Google, short-lived certificates provide multiple security and operational benefits:
- They limit exposure if certificate keys are compromised.
- They encourage more frequent certificate and cryptographic key rotation.
- They enable a faster reaction to vulnerabilities like Log4Shell.
- They remove validation burdens given the infrastructure’s dynamic nature.
- They align better with automated certificate issuance and lifecycle management.
Under Google’s Certificate Lifetimes RFC proposal:
- All newly issued TLS/SSL certificates will have a maximum validity of 90 days.
- Existing 397-day certificates will be allowed to serve out their lifespan.
- Chrome will gradually step down its validity period acceptance over time.
- Other browsers like Firefox, Safari, and Edge may adopt similar measures.
While an official implementation timeline has not been announced, Google aims to establish 90 days as the new industry standard certificate validity period. Organizations relying on longer-lived certificates need to start preparing now.
The Impact on Organizations and The Need For Action
Transitioning to 90-day certificate lifecycles will have far-reaching effects on organizations that use TLS/SSL certificates for securing websites, services, IoT devices, and more.
With certificates needing to be renewed four times more frequently, if existing manual processes remain in place, security teams will experience a massive increase in operational overhead. As the frequency of expired certificates increases exponentially, organizations will face a greater risk of outages and disruptions.
To implement short-lived certificates at scale, organizations will need to:
- Maintain comprehensive visibility into their certificate inventory.
- Implement automated certificate lifecycle management solutions.
- Establish centralized policies and workflows.
- Monitor certificates proactively.
- Foster adaptable practices and crypto-agility.
This will require upfront work and cost but will enable long-term scalability, security, and compliance under emerging industry standards.
Organizations should start assessing their readiness now and implementing solutions to automate certificate renewal workflows. This will mitigate the transition’s impacts and ensure continuity when 90-day certificate requirements take effect.
5 Must-Do Steps for a Quick and Effective Transition to 90-Day SSL/TLS Certificates
Migrating to 90-day certificate lifecycles will be a heavy lift requiring comprehensive planning, updated processes, new solutions, and organizational alignment. Here are the key steps organizations should take to prepare:
- Comprehensive Certificate Inventory
- Automating Certificate Lifecycle Management
- Establishing Centralized Policies and Workflows
- Monitoring and Alerting for Visibility and Control
- Staying Informed and Adaptable
Step 1: Comprehensive Certificate Inventory
The first step is attaining full visibility into the existing TLS/SSL certificate landscape, including:
- All certificates are issued for the organization. This includes public websites, internal systems, appliances, IoT devices, cloud instances, and more.
- Metadata like the certificate’s CN, expiration date, issuer, key type, signature hash, etc.
- Where and how is each certificate deployed and actively used?
- Any dependencies on certificates by other systems and services.
- Ownership for managing each certificate.
This inventory provides a baseline to analyze the changes needed to migrate to 90-day certificate lifecycles, such as:
- How many additional renewals will be required annually?
- What percentage of certificates can be auto-renewed vs requiring manual intervention?
- What infrastructure is in place to support automated certificate issuance at scale?
Some tools and services can automate the process of discovering and cataloging all active TLS/SSL certificates across the enterprise. Automated scanning paired with a centralized certificate inventory system is highly recommended for establishing visibility and enabling management at scale.
Step 2: Automating Certificate Lifecycle Management
The massive increase in renewal work driven by 90-day certificate lifecycles means that automating certificate lifecycle management is an absolute must. Organizations need to implement automated workflows for:
- Requesting, issuing, and deploying new certificates.
- Renewing existing certificates on a scheduled basis.
- Revoking compromised or obsolete certificates.
- Discovering impending certificate expirations and triggering renewals.
- Integrating these lifecycle processes with DevOps and CI/CD pipelines.
This requires integrating with enterprise certificate authority solutions and third-party certificate providers to enable programmatic interactions. It also entails tooling to automatically deploy renewed certificates across heterogeneous environments, such as load balancers, web servers, IoT fleets, and more.
Centralizing and automating certificate lifecycle management is critical for achieving crypto-agility and minimizing operational disruption from ever-shortening certificate lifespans.
Step 3: Establishing Centralized Policies and Workflows
Complex organizations can have hundreds of departments and teams independently managing TLS/SSL certificates. This leads to fragmented visibility and certificate sprawl.
To streamline at scale, organizations need to centralize certificate lifecycle policies, processes, and systems. This enables:
- Consistent certificate issuance and renewal are aligned with standards.
- Improved coordination across business units and technical teams.
- Shared visibility into certificate inventories and metadata.
- Governance and auditing of certificate practices enterprise-wide.
- Automated policy enforcement for security and compliance.
Centralized certificate services should provide self-service workflows that empower teams to securely obtain and renew certificates based on organizational policies and industry best practices. This ensures standards are followed while enabling decentralization of day-to-day operations.
Step 4: Monitoring and Alerting for Visibility and Control
Given the compressed timeframes introduced by 90-day certificates, monitoring certificate status in real-time and getting alerted to potential issues becomes critical. Organizations need awareness of the following:
- Which certificates are expiring soon and require renewal.
- Certificates that have already expired and may disrupt services.
- Certificates that have been revoked or are no longer trusted.
- Overall trends around certificate health, issuance, rotation, and more.
- Anomalous activity that could indicate misconfigurations or compromise.
Robust monitoring and alerting provide the visibility required to identify and respond to certificate problems proactively before they lead to outages. Integrating this with automated remediation workflows maximizes efficiency.
Step 5: Staying Informed and Adaptable
Given frequent changes in best practices and standards, security teams need to stay informed through industry groups like the CA/Browser Forum.
Organizations also need to build internal skills around crypto-agility and foster an adaptable culture that embraces change. With TLS/SSL certificates likely to undergo further accelerated lifecycle reductions, organizations must prepare now to remain secure and resilient.
Investing in automation, centralized infrastructure, and updated skills enables organizations to evolve smoothly as certificate standards rapidly mature.
The Benefits of Embracing Automation and Crypto Agility
- While the transition to 90-day certificate lifecycles introduces challenges, organizations stand to realize significant benefits by embracing this change.
- Shorter-lived certificates provide stronger security, especially against growing threats of compromised certificate authority trust and private key exposures. Certificate validity measured in days rather than years shrinks the window for such threats.
- Automating certificate lifecycle management also boosts overall efficiency. Machine-based workflows minimize overhead at a scale far better than manual processes, freeing up security teams to focus on higher-value tasks.
- Centralizing certificate services establishes consistency in certificate issuance and management while enabling decentralized handling of day-to-day certificate operations. This improves security and compliance while empowering innovation across the enterprise.
- Regular certificate rotation facilitated by shorter lifecycles allows organizations to modernize their cryptographic practices. This improves resilience against emerging crypto-attacks using techniques like quantum computing.
Final Thoughts
The upcoming change to 90-day SSL/TLS certificates from Google will require website owners to be proactive in their preparation. By automating certificate renewals, enabling ACME protocol support, leveraging cloud-based SSL/TLS management, implementing monitoring and alerts, and exploring alternative certificate authorities, website owners can ensure a smooth transition and avoid potential service disruptions.
While the shorter certificate lifespans add an extra layer of complexity, following these steps will help organizations stay compliant and maintain a secure online presence. Staying ahead of this change is crucial to avoid the consequences of non-compliance and maintain user trust in an era of heightened cybersecurity concerns.
Frequently Asked Questions
What is driving the Shift to 90-day TLS/SSL certificates?
The Shift is being driven by security experts and major industry players like Google to limit the window for exposure in case certificates are compromised. Shorter lifecycles provide greater protection against emerging threats.
When will 90-day certificates become a requirement?
Google aims to establish 90-day validity periods as the new industry standard but has not announced an official timeline. Organizations should begin preparations now to ensure a smooth transition.
What happens if I don’t renew my certificates within 90 days?
Any certificates not renewed within 90 days of issuance will expire and cause outages for websites, services, and systems relying on those certificates for TLS encryption.
How will 90-day certificates impact my organization?
You will need to renew certificates 4X more frequently, requiring investments in certificate lifecycle automation to manage operational overhead. Costs may also increase.
What is certificate lifecycle automation?
This refers to using machine-based workflows for automated discovery, issuance, renewal, deployment, and revocation of TLS/SSL certificates.
How do I inventory all TLS/SSL certificates in my organization?
Automated scanning tools can discover and catalog all active certificates across web environments, infrastructure, appliances, IoT fleets, and more.
What skills should my team develop for the transition?
Focus on automation, monitoring, crypto-agility, and adaptable security practices to adapt smoothly as certificate standards rapidly evolve.
How can my organization monitor certificates in real time?
Real-time certificate health monitoring provides alerts on expirations, anomalies, and trust issues so you can respond proactively.
How soon should I start preparing for the 90-day certificate adoption?
Now. Given the operational impacts, organizations should start assessing readiness and implementing automated solutions well in advance of enforcement.
Priya Mervana
Verified Web Security Experts
Priya Mervana is working at SSLInsights.com as a web security expert with over 10 years of experience writing about encryption, SSL certificates, and online privacy. She aims to make complex security topics easily understandable for everyday internet users.
