SSL/TLS Certificate lifetime redux

I wrote an article in 2020 about SSL/TLS certificate lifetimes, the upshot of which was that the certificate/browser industry had just moved to one-year (398 days, to be precise) certificate expiries. I noted the following:

There have been a number of attempts over the years to reduce the lifetime of certificates as they apply to websites, primarily by Apple (and some of the other browser makers). As a member of the CA/B Forum, and having a fair chunk of the market (around 17% currently) due to Safari, they have an important say in the matter. Most CAs have been hesitant to move to short-lived certificates for a number of reasons, including the fact that IT teams already struggle with the complex process of generating or renewing TLS certificates.

You can revisit that article for more information on certificate lifetime issues. But essentially, the certificate and browser industries moved to shorter certificate lifetimes for security reasons, mostly related to invalid certificates floating around on the internet and a certificate revocation system that is horribly broken (Chrome doesn’t even do CRL checks any more). Shorter certificate lifetimes are essentially a replacement for certificate revocation.

As I noted in that article, and listed above again for emphasis, certificate renewal is a nightmare for many IT teams. Product-specific renewal mechanisms and multiple certificate formats make for difficult certificate renewal and management.

There are tools for certificate management, but these have steep learning curves for those not in the know (there are very few people who specialise in PKI) and they generally cost 2 arms and 3 legs.

Where am I leading to with this? Well, if you think things were difficult with one-year certificate lifetimes, buckle up, because Google has just proposed three-month certificate expiries!

News of this effort was initially announced by Sectigo’s Tim Callan on their blog in the middle of March this year. He had the following to say:

On March 3, Google announced in its “Moving Forward, Together” roadmap the intention to reduce the maximum possible validity for public TLS certificates from 398 days to 90 days, in a future policy update or a CA/B Forum Ballot Proposal. This drop to only 90 days maximum validity will mean major changes for the industry.

“Major changes” is PC lingo for “what could possibly go wrong?” and “we’re fscked!”.

  1. Considering Chrome’s dominance in the browser market, Google’s implementation of this change in Chrome would effectively force the rest of the industry to follow suit. This is almost a direct copy of Apple’s actions with Safari in 2020, as noted in my previous article.
  2. A 90-day expiry would absolutely mean a requirement for certificate automation and management.

Tim Callan further notes:

While enterprises technically can still manually manage digital certificates with 90-day maximum lifespans, manual renewal and deployment will rapidly become error-prone, unsustainable and may result in serious ramifications.

While Tim’s article is self-serving (Sectigo has a CLM [certificate lifecycle management] tool and obviously wants to be your chosen vendor in this regard), he is still right on the money – orgs with even small numbers of certificates will have no choice but to look at tools to automate certificate management.

And for full disclosure, I’ll mention here that Google also has their own CLM tool as part of Google Cloud/App Engine. Coincidence?

So what options are there for orgs?

Depending on the complexity of your IT systems, and the number of different platforms, you could look at an ACME-compatible tool to do your renewals, and automate these.

The second option is to use configuration management and automation tools (Ansible, Terraform, etc.) to do your certificate renewals using something like certbot.

And the last option is to go for a commercial tool. But buyer beware – these are typically priced per server and/or certificate, so can end up costing a lot.
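Whichever of the first two options you pick, the piece you end up scripting is the "is renewal due yet?" check that runs ahead of the ACME client. The script below is an added example for this article (not from the original post or from certbot itself); it needs only the openssl CLI, and the directory layout, `*.pem` naming and 30-day window are assumptions.

```sh
#!/bin/sh
# Added example: renewal-window check run by cron or a config-management task
# before invoking an ACME client such as certbot. Only the openssl CLI is used.
# With 90-day certificates, renewing when a third of the lifetime (30 days)
# remains means roughly six reissues per certificate per year.

# Return 0 (true) when certificate file $1 expires within $2 days (default 30)
# or has already expired; 1 otherwise. `-checkend` takes seconds and itself
# returns 0 only when the certificate is still valid after that interval.
needs_renewal() {
    cert=$1
    window_days=${2:-30}
    if openssl x509 -in "$cert" -noout -checkend $(( window_days * 86400 )) >/dev/null; then
        return 1
    fi
    return 0
}

# Scan every *.pem in directory $1 against a window of $2 days. One status line
# per certificate goes to stderr; the count of certificates due goes to stdout,
# so a caller can act on it, e.g. [ "$(count_due_certs /etc/ssl/site)" -gt 0 ] && certbot renew
count_due_certs() {
    dir=$1
    window_days=${2:-30}
    due=0
    for cert in "$dir"/*.pem; do
        [ -f "$cert" ] || continue
        subject=$(openssl x509 -in "$cert" -noout -subject)
        expiry=$(openssl x509 -in "$cert" -noout -enddate | cut -d= -f2-)
        if needs_renewal "$cert" "$window_days"; then
            echo "RENEW $cert  $subject  expires $expiry" >&2
            due=$(( due + 1 ))
        else
            echo "OK    $cert  $subject  expires $expiry" >&2
        fi
    done
    echo "$due"
}

# Constructed sample input: a throwaway self-signed certificate valid for $2 days,
# written to $1 with common name $3. Real deployments get certificates from a CA.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=$3" \
        -keyout "${1%.pem}.key" -out "$1" >/dev/null 2>&1
}

# Stand-alone use: sh check-renewals.sh /path/to/certs [window_days]
if [ $# -gt 0 ]; then
    echo "$(count_due_certs "$1" "${2:-30}") certificate(s) due for renewal"
fi
```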

Smaller companies have no choice but to look at freely-available automation tools. I’m loath to recommend Let’s Encrypt, because they do not offer DV or EV certificates, but for smaller or less important systems, this might be the only choice.

No matter your company size, or the solution you choose, we’re in for one interesting ride.