Detailed Guide on Rolling of 90-Day SSL/TLS Validity

3 votes, average: 5.00 out of 53 votes, average: 5.00 out of 53 votes, average: 5.00 out of 53 votes, average: 5.00 out of 53 votes, average: 5.00 out of 5 (3 votes, average: 5.00 out of 5, rated)
Google's 90 Days SSL Validity

Shortening of SSL/TLS certificate lifespans has been a persistent trend over the past decade. Google has announced its plans to reduce SSL/TLS certificate validity terms to 90 days.

As an organization grappling with this significant shift, you may ponder the potential impact on your business. Or you can consider the industry and steps you can take.

Fear not; we are here to provide comprehensive insights, unraveling the implications and exploring how SSL/TLS certificate management automation has transformed from a mere desire to an absolute necessity.

What are SSL/TLS Certificates, and How is it Important?

SSL/TLS certificates guarantee connection security and authenticate web servers. These cryptographic files are installed on web servers to enable secure connections via HTTPS and establish trust between the server and the website’s visitors.

When you visit a website, your browser automatically downloads the SSL/TLS certificate and verifies its trustworthiness through a certificate authority (CA). This validation process is vital for browsers to make accurate trust decisions and ensure user safety during online interactions.

The reliability of a certificate is at the core of web security. The longer duration between verifications, the higher risk of outdated information. Consider the significant changes within five years; businesses may undergo transformations, change names, merge, or cease operations. Trusting information from several years ago becomes questionable.

Required Updates on SSL/TLS Certificates

To address these concerns, browser companies have consistently advocated for shorter certificate validity periods, requiring more frequent validation of identity information.

Over the past decade, the maximum validity period has been reduced from five years to one year. In line with this trend, Google intends to further shrink the validity period to 90 days after collecting feedback from Certificate Authorities (CAs) and their customers and finalizing its plan.

By promoting shorter validity periods, the industry aims to enhance the accuracy and reliability of SSL/TLS certificates, ensuring that web security measures stay aligned with the evolving digital landscape. Regular validation of certificate information contributes to a more secure online environment and protects users from potential risks.

As these changes unfold, organizations must stay informed and adapt their certificate management practices accordingly. By prioritizing the implementation of shorter validity periods and actively participating in the feedback process, businesses can maintain the highest levels of trust and security for their online platforms.

Transitioning to 90-Day SSL/TLS Certificates for Enhanced Security

In the coming months, Google is expected to announce a deadline for adopting 90-day SSL/TLS certificates within the public Internet, with implementation likely to occur in 2024. Undoubtedly, this change may face some resistance and challenges.

A decade ago, SSL/TLS certificates had a validity period of up to five years. However, this extended duration exposed an inconvenient truth: the longer a certificate remains valid, the greater the potential for compromised security and reliability. Each passing day presents an opportunity for misuse or unauthorized access, undermining the very purpose of SSL/TLS certificates.

The industry is moving towards shorter certificate lifespans by recognizing the need for enhanced security. By reducing the validity period to 90 days, organizations can ensure more frequent verification and renewal, mitigating potential risks and maintaining trust and authenticity.

While this transition may initially face some resistance due to the adjustments it demands, it ultimately serves as a necessary step forward in online security. Embracing shorter certificate validity periods will create a safer and more reliable digital environment, protecting businesses and individuals from potential threats.

As the industry adapts to this evolving landscape, organizations must prioritize staying informed and implementing appropriate measures to effectively manage SSL/TLS certificates. By embracing the change and proactively addressing the challenges it presents, businesses can reinforce their security posture and maintain the trust of their online users.

ACME’s Role in Framing SSL/TLS Certificate Validity

ACME, also known as the Automated Certificate Management Environment, has emerged as a pivotal protocol to revolutionize certificate lifecycle management.

Developed by the Internet Security Research Group (ISRG) a few years ago, ACME aimed to automate the cumbersome process of managing SSL/TLS certificates.

During that time, SSL/TLS certificates provided by a single provider were only valid for 90 days, necessitating replacement four times a year. It contradicts other commercial Certificate Authorities (CAs) who adhered to the guidelines set by the CA/Browser Forum.

Currently, the CA/B Forum’s Baseline Requirements establish a maximum validity period of 398 days, equivalent to approximately 13 months, for SSL/TLS certificates. However, this is all about to change as Google, following the CA/B Forum’s face-to-face meetings in early March 2023, recently unveiled its plans to reduce the maximum validity period to just 90 days for all publicly trusted SSL/TLS certificates.

While an effective date for this change has yet to be announced, Google has initiated a survey for Certificate Authorities, seeking feedback on their proposed plans. Once the feedback is collected, Google will disclose enforcement dates for the upcoming modifications. We will keep you informed.

The shift towards 90-day SSL/TLS certificates brings about new considerations and challenges in the realm of verification. While replacing certificates on every website every 90 days may appear daunting, it is essential to understand the rationale behind this change.

Verification plays a crucial role in SSL/TLS certificates, encompassing domain validation and organization verification. Domain validation is the fundamental verification level, confirming that the entity controls the web domain. This type of validation is standard across all SSL/TLS certificates.

On the other hand, organization verification comes into play with Organization Validation (OV) and Extended Validation (EV) certificates. This verification entails a vetting process by a Certificate Authority’s (CA) team to confirm the legitimacy of an organization as a valid and legal entity. Since 2021, organization verification has only needed to occur once per year.

Under the new 90-day certificate validity period, organizations must demonstrate domain control every 90 days and issue a new certificate accordingly. It means the workload for managing SSL/TLS certificates will quadruple.

While smaller organizations with limited public-facing websites may perceive this increase as manageable, larger enterprises may need help to overcome significant challenges. More than just relying on traditional methods, such as managing certificates in spreadsheets, will be required.

Organizations must embrace automation and adopt robust certificate management solutions to manage the increased workload effectively. Automated systems can streamline the verification and renewal processes, ensuring timely updates and minimizing the administrative burden.

Implementing centralized management platforms or utilizing specialized tools designed explicitly for SSL/TLS certificate management will be crucial for maintaining efficiency and security.

While the transition to 90-day certificates presents its share of complexities, organizations that proactively adapt to the evolving landscape of certificate management will be better equipped to navigate the challenges and maintain the highest levels of security and trust for their online platforms.

The Benefits of Shorter Certificate Validity Periods

Over the past decade, there has been a noticeable reduction in the maximum validity period of SSL certificates. Once allowing for 5-year validity, the duration has gradually decreased to the current standard. While this may seem inconvenient on a larger scale, the rationale behind shorter certificate validity is solid: the longer a certificate remains valid, the less reliable it becomes.

Consider the purpose of an SSL/TLS certificate – browsers rely on it to verify the authenticity of a web server. As time passes between verification, the reliability of this validation diminishes. Within just one year, numerous changes can occur, such as company closures, mergers, domain transfers, and evolving business landscapes. Regular verification of information becomes essential to maintain a consistently reliable level of authentication.

The frequency of this verification is subject to debate. Previously, a representative from Google, participating in the CA/B Forum, expressed the belief that domain validation information should remain reliable for up to six weeks.

While it remains uncertain whether certificates will eventually shrink to 30-day validity periods, history suggests that such a possibility cannot be ruled out.

It is crucial to initiate meaningful discussions within your organization regarding certificate lifecycle management and consider the suitability of ACME as a potential solution. By embracing automated certificate management protocols like ACME, organizations can navigate the evolving landscape of SSL/TLS certificates more effectively.

Impending Shift to 90-Day Certificates for Automation

The proposal to transition to 90-day SSL/TLS certificates, put forth by Google, carries significant weight considering Google Chrome’s dominant position, commanding a market share of 65.74% in the browser market.

History has shown that when market leaders make groundbreaking moves, the rest of the industry often follows suit. While Google may be the first to propose this change, Apple, Mozilla, and Microsoft are likely engaged in similar internal discussions.

This impending shift towards shorter certificate validity periods has the potential to create a demand for more SSL/TLS certificates than many IT teams can currently handle. Organizations should consider embracing automation to adapt to this change and future developments in the browser industry.

The call for automation in SSL/TLS certificate management has been a recurring topic within the CA/Browser Forum, the entity responsible for establishing industry standards.

Google, in particular, has consistently advocated for automation, emphasizing its benefits during forum discussions. In a recent Chromium blog post in March 2023, Google reiterated the need for automation in this domain.

What are the Current year’s Advancements in the 90-day Mandate?

While the 90-day mandate may seem sudden, it catalyzes organizations to embrace automation fully. Fortunately, automation solutions have made significant advancements in recent years.

The Automated Certificate Management Environment (ACME) protocol, initially developed by the Internet Security Research Group (ISRG) for their free 90-day Certificate Authority (CA), has been standardized by the Internet Engineering Task Force (IETF).

ACME, now in its second version, is widely supported by most CAs, commercial and non-commercial. It leverages cross-platform agents installed on web servers to streamline the domain validation process, issue certificates, and facilitate installation.

Understandably, some organizations may approach the idea of automation with caution. However, at its core, automation improves security by minimizing human error and eliminating the reliance on manual processes, including spreadsheets. It frees up valuable time for IT teams, enhancing overall efficiency.

Organizations have sufficient time to prepare for these changes before they take effect. Based on past validity reductions, a reasonable estimate would be an enforcement date sometime in mid-to-late 2024.

By proactively embracing automation, organizations can ensure a seamless transition to 90-day SSL/TLS certificates, strengthen their security posture, and optimize their operations for greater efficiency and effectiveness.

The Rise of Automation: Streamlining SSL/TLS Certificate Management

For far too long, managing SSL/TLS certificates has been an arduous task, one that demands meticulous planning and execution. The process involves handling multiple validations, obtaining and deploying certificates, configuring servers, and setting reminders for expiration dates.

It’s an undeniable headache, especially when multiplied by the need to perform these tasks four times a year. The mere thought of this ordeal might drive your IT team to consider drastic measures, like nailing their windows shut if they work on higher floors.

Fortunately, there is a solution that can prevent such extreme measures: ACME.

ACME facilitates seamless communication between a Certificate Authority (CA) and an agent installed on a web server. This agent handles the entire certificate lifecycle process, including request management, domain validation, installation, and renewal.

ACME was explicitly designed to address these challenges and has evolved since its initial specification, now supporting more than open-source domain-validated (DV) certificates.

Gone are the days of manual domain validations and painstaking installations and configurations. ACME’s agent handles these tasks effortlessly. Moreover, when a certificate is on the verge of expiration, the agent takes prompt action to ensure a seamless replacement.

Embrace automation with CME service, freeing your organization from the burdensome tasks of SSL/TLS certificate management while enjoying the benefits of enhanced efficiency and cost savings.

Janki Mehta

Janki Mehta

Janki Mehta is a passionate Cyber-Security Enthusiast who keenly monitors the latest developments in the Web/Cyber Security industry. She puts her knowledge into practice and helps web users by arming them with the necessary security measures to stay safe in the digital world.