Google Proposal To Reduce TLS Certificates Validity To 90 Days Puts Focus On Automated Certificate Lifecycle Management

Originally published by AppViewX.

On March 3, in a move that’s meant to reinforce better Internet security, Google announced a proposal called “Moving Forward, Together,” outlining some of the key policy changes it plans to introduce in future versions of its Chrome Root Program.

One of the significant policy changes Google intends to make to promote modern infrastructures and agility is to reduce the maximum validity period for public TLS certificates from 398 days to 90 days.

Google suggested that the reduction in certificate lifespan could either be introduced in a future policy update or a CA/B Forum Ballot Proposal. This implies that if the CA/B forum chooses not to move forward with the change, Google might enforce the change by adding it as a requirement for its Chrome Root Program. Given Google’s market dominance, all public certificate authorities (CAs) will need to standardize on 90-day certificates.

This is not the first-time certificate lifespans have been reduced. In the past decade, the lifespans have consistently shrunk from five to two years and then to the current thirteen months maximum validity.

Defining its objective behind further reducing the certificate validity period, Google stated:

“Reducing certificate lifetime encourages automation and the adoption of practices that will drive the ecosystem away from baroque, time-consuming, and error-prone issuance processes. These changes will allow for faster adoption of emerging security capabilities and best practices, and promote the agility required to transition the ecosystem to quantum-resistant algorithms quickly.”

Along with imposing a 90-day lifespan, Google also proposed to limit the domain validation reuse period to 90 days. That means organizations not only have to renew certificates every 90 days but also re-verify their domains every 90 days.

What This Change Could Mean to Your Organization

The answer is simple – more frequent certificate renewals. With a validity period of a mere three months, public TLS certificates will require renewals not once but four times a year!

While a renewal in itself isn’t necessarily a challenge, manual processes at scale are. Remarkably, many organizations today are still trying to manage TLS certificates with manual processes. This manual certificate lifecycle management (CLM) process also includes the certificate renewal process to:

• identify the expiring certificates
• request the renewal (often involving multiple internal approvals)
• re-validate the domain
• issue and provision the new certificate to the end point, and
• revoke the prior certificate as needed

With so many steps, manual renewals often result in inadvertent delays, provisioning errors, application outages, security weakness, and serious business disruptions.

With increasing digital transformation projects and a massive shift to hybrid and multi-cloud environments, organizations today operate with an enormous inventory of TLS certificates. As the digital ecosystem expands, the number of certificates to manage continues to grow.

Imagine having to manually carry out renewals and provisioning for tens and thousands of certificates spread across your complex enterprise environment? Now, add the mundane labor-intensive process of repeating renewals four times a year. Considering the massive amount of effort it takes, the whole process turns into a nerve-racking affair of delays and provisioning errors, amplifying the risk of outages, data breaches, and compliance violations.

The problem with manual certificate management is not limited to renewals. Manual processes fail to provide full visibility of the certificate ecosystem, making it difficult to identify issues and remediate them on time. According to a 2022 Ponemon Report sponsored by AppViewX, 64% of surveyed organizations mentioned that they were unaware of the exact number of certificates in their organization due to a lack of a centralized inventory.

Tracking certificates for expiry is also a grueling task as most organizations still use spreadsheets or home-grown tools, causing certificates to expire without notice resulting in frequent outages. Manual processes also make enforcing policies around certificate use and management difficult, leading to variations in crypto standards, vulnerabilities, and compliance violations.

Why Is It Imperative to Automate Your Certificate Lifecycle Management?

PKI-based digital certificates are key enablers of Internet security and digital transformation. Managing them efficiently is critical to ensure your infrastructure and applications remain protected while your business thrives in the digital realm.

Manual processes are neither easy nor efficient. Taking the manual route to certificate lifecycle management impacts your employee productivity, your customer experiences, and your enterprise security posture.

As the number of digital certificates grows, identity-based threats will grow more prevalent. Becoming crypto-agile is essential to protecting the enterprise against these threats, including post-quantum cryptography. How scalable and efficient your certificate lifecycle management system is will determine how easy, fast, and agile you will be able to carry out renewals and provisioning.

This is where automation plays a critical role. Automating certificate lifecycle management can greatly help simplify all the processes involved, such as discovery, enrollment, provisioning, renewals, and revocations. Automation removes the need for human intervention, improving employee productivity and significantly reducing the risk of outages and data breaches.

When it comes to frequent renewals, automating the entire process, from tracking certificates impending expiry to notifying the right people, getting the certificate issued, and provisioning it to the right end point is the only solution. Automation dramatically reduces the amount of time and manual effort otherwise required to complete the task.