Google’s proposal to reduce the lifespan of Transport Layer Security (TLS) digital certificates from 398 days to 90 days will spur significant changes in how organizations manage their certificates. The proposal by the open-source body behind the Google Chrome browser, The Chromium Projects, is a positive step toward ensuring more reliable, robust web operations. This will require companies and other organizations to significantly transform their certificate processes.
Since the lifespan of digital certificates has fallen steadily over the past decade, a change seems inevitable. It has been reduced from five years in 2012 to a little more than two years in 2018, and ultimately to 13 months in July 2020, or 398 days. The shorter lifespans ensure the accuracy of digital identities, especially in a cloud-based computing environment where websites and services are constantly being spun up or down to accommodate changing demands and priorities.
Google noted that the proposed changes would allow for faster adoption of improvements, such as best practices and new security capabilities, and encourage organizations to abandon time-consuming and error-prone manual processes. The resulting move toward automation would also better prepare organizations for the advent of post-quantum cryptography.
If adopted, the Chromium Projects’ proposal to the CA/Browser Forum, a consortium of certification authorities (CAs), browser makers, and others, will most likely take effect by the end of 2024. The prospect of a considerably shorter lifespan should serve as a wake-up call for organizations to gain greater control and visibility over their public keys and certificates, because the proposal is a sure sign that the game has changed.
The five-year life of certificates from a decade ago reflected a different time when teams could get a certificate for, say, a web server and then pretty much forget about it. They never developed a routine for checking to see if certificates were about to expire or for renewing them, which could lead to certificate-related outages. The eventual shortening of certificate life to 398 days helped put teams on a schedule they could get comfortable with, checking regularly for expirations.
As organizations expand in the cloud, visibility of TLS certificates (still widely referred to by the name of TLS’s predecessor, Secure Sockets Layer, or SSL) is critical, and the layered, increasingly complex environments in the cloud are beyond the ability of teams to keep track of manually. Now, with the proposed new validity period, it’s about automating the process.
Currently, organizations dedicate their resources to the people and processes necessary for installing certificates. In the near future, they’ll need people and resources for automating the process, which will involve programming and maintaining new software. The focus will shift somewhat from knowledge of public key infrastructure (PKI) — which is at the core of TLS — to internal infrastructure knowledge.
To manage the certificate workload, organizations will need to centralize certificate monitoring in order to easily identify certificates that are about to expire. Without a centralized view, it’s still possible to spin up a server, get a certificate for it, and then forget about it, which can lead to disaster. A 2022 Ponemon Institute study found that half of respondents had suffered at least one certificate-related attack in the previous two years, and that 58% of them described the financial consequences as “severe.”
Centralized monitoring also involves more than checking expiration dates on certificates. Organizations also will need to monitor how certificates are being used on their servers. It’s not uncommon for certificates to be deployed to the wrong servers, leaving some servers without the certificates they need for their workloads. In a small company with a handful of employees, everyone may know what’s running where. But in a 5,000-person enterprise, it can be impossible to keep track of it all without a centralized view.
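The two monitoring gaps described above, certificates that are about to expire and certificates installed on a server whose name they do not cover, are both things a centralized inventory can check mechanically. The following Go program is an added illustration, not code from the article or from any vendor it mentions: it generates its own short-lived self-signed certificates in place of the ones a real inventory would collect from servers, then audits a constructed inventory of host/certificate pairs. The hostnames, the 30-day warning threshold and the `Deployment` and `Finding` types are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Deployment is one row of a constructed certificate inventory: the host a
// certificate is installed on and the PEM that host actually serves.
type Deployment struct {
	Host    string
	CertPEM []byte
}

// Finding is one problem the audit raises for a deployment.
type Finding struct {
	Host   string
	Reason string
}

// makeCert builds a 90-day self-signed certificate for the given SANs that
// expires at notAfter. It stands in for certificates a real inventory would
// fetch from live servers (assumption made for this example).
func makeCert(hosts []string, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: hosts[0]},
		DNSNames:     hosts,
		NotBefore:    notAfter.Add(-90 * 24 * time.Hour),
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// auditInventory walks the inventory once and reports, per host, a certificate
// that expires within warnDays of now (or has already expired) and a
// certificate whose names do not cover the host it is deployed on.
func auditInventory(inv []Deployment, now time.Time, warnDays int) []Finding {
	var findings []Finding
	for _, d := range inv {
		block, _ := pem.Decode(d.CertPEM)
		if block == nil {
			findings = append(findings, Finding{d.Host, "no PEM certificate found"})
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			findings = append(findings, Finding{d.Host, "unparseable certificate: " + err.Error()})
			continue
		}
		remaining := cert.NotAfter.Sub(now)
		switch {
		case remaining < 0:
			findings = append(findings, Finding{d.Host, fmt.Sprintf("expired %.0f days ago", -remaining.Hours()/24)})
		case remaining < time.Duration(warnDays)*24*time.Hour:
			findings = append(findings, Finding{d.Host, fmt.Sprintf("expires in %.0f days", remaining.Hours()/24)})
		}
		// VerifyHostname checks the SAN list, so a certificate copied to the
		// wrong server shows up here even if it is otherwise valid.
		if err := cert.VerifyHostname(d.Host); err != nil {
			findings = append(findings, Finding{d.Host, "certificate does not cover this host: " + err.Error()})
		}
	}
	return findings
}

func main() {
	now := time.Now()
	good, _ := makeCert([]string{"www.example.test"}, now.Add(60*24*time.Hour))
	soon, _ := makeCert([]string{"api.example.test"}, now.Add(10*24*time.Hour))
	// Constructed inventory: one healthy host, one expiring soon, and one host
	// serving a certificate issued for a different name.
	inv := []Deployment{
		{"www.example.test", good},
		{"api.example.test", soon},
		{"mail.example.test", good},
	}
	for _, f := range auditInventory(inv, now, 30) {
		fmt.Printf("%-20s %s\n", f.Host, f.Reason)
	}
}
```

In a real deployment the `CertPEM` field would be filled from the certificate each server presents, and the audit would run on a schedule short enough to leave time for renewal, which with a 90-day validity period means checking far more often than the annual routine that 398-day certificates allowed.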
The interconnected nature of business operations may also require that TLS visibility extend to supply chains because a compromise of even a small system within a connected environment can have a huge impact on operations. Organizations may want to consider the advantage of outside monitoring services, rather than keeping everything in-house.
The full impact of the Chromium Projects’ proposal has yet to be determined. There seem to be a couple of gray areas, such as whether it would apply to Internet of Things devices that also use certificates, security cameras for example, or whether it is limited to web servers. But no matter what happens with the proposal, it reflects the reality of today’s environment. Shorter certificate lifespans are beneficial, but organizations will certainly need to rethink how they can appropriately manage them.