Google’s 90-Day TLS Certificates Validity Proposal: A Security Win or a Challenge for Enterprises?

What is Google’s 90-Day TLS Certificate Validity Proposal?

Google is pushing to reduce the maximum lifetime for public TLS certificates from 398 days down to 90 days. The 398-day duration was previously set to balance the need for security with the operational ease of certificate renewals, especially in environments lacking automation. Their rationale is that shorter certificate lifespans promote automation, reduce security risks, and help the digital ecosystem adopt the latest security practices faster, for example, in faster adoption of secure protocols like quantum-resistant cryptography, secure protocols like quantum-resistant cryptography, or, in the future, quantum-resistant cryptography. 

In its public announcements, Google emphasized that reducing certificate lifetimes would require any public TLS certificate used for HTTPS to be renewed every three months instead of annually. This proposed change is part of Google’s ongoing efforts to enhance web security globally. 

For more technical details on TLS certificates, check our blog here.   

What is the reason Google is pushing such a change? 

According to a study by Ema Reports, nearly 80% of TLS certificates are vulnerable to man-in-the-middle attacks, with 25% being expired or self-signed. Additionally, expired certificates contributed to the 2017 Equifax breach. Google, Apple, and Mozilla argue that reducing certificate lifespans to 90 days will mitigate these vulnerabilities and help organizations adopt more secure, updated protocols faster. We regularly observe scenarios where there is a compromised certificate out there that is valid for a year.

Now, such a wide span of time is an open invitation to give attackers plenty of time to exploit vulnerabilities. Reducing the lifespan to just 90 days (about 3 months) narrows that window, meaning any potential breach is mitigated much faster.  The 90-day certificate lifespan is chosen because it provides better security without being too hard for businesses to manage. A 30- or 60-day cycle would require more frequent renewals, creating more work for companies. 90 days is long enough for organizations to handle but short enough to reduce security risks, making it a good middle ground.

• Enhanced Security

  Reducing the certificate validity period limits the exposure time if a private key is compromised. With a 90-day certificate lifespan, any misuse or compromise of the certificate can be identified and mitigated quickly, ensuring that attackers don’t have extended access. However, in the case of a major financial corporation’s web server being compromised, waiting for the next scheduled expiration might still pose a risk. This is why, beyond just relying on expiration periods, organizations should implement real-time monitoring, immediate revocation processes, and automated key rotation to reduce potential damage from such breaches. 

• Improved Agility

  Shorter certificate lifespans, such as 90 days, make it easier for websites and apps to adopt new cryptographic standards and respond to security vulnerabilities quickly. This flexibility helps organizations stay updated with the latest encryption algorithms recommended by NIST, such as transitioning from SHA-1 to SHA-256. By shortening certificate lifespans, systems can more rapidly implement new security measures, improving overall protection against emerging threats like quantum computing. 
  For more on NIST’s cryptographic standards, visit here.

• Encouragement of Automation

  Shorter validity periods drive organizations toward automated certificate renewal processes, which reduces the likelihood of expired certificates causing outages and enhances overall security. 

  The Automated Certificate Management Environment (ACME) protocol helps automate this process by enabling flawless certificate issuance and renewal. It removes the need for manual work, making sure certificates stay valid and do not expire, and also reduces the downtime caused by expired certificates. This prevents outages and keeps systems secure and running smoothly. With automation, IT teams can focus on higher-priority tasks while ensuring continuous encryption and compliance with industry standards like the 90-day renewal mandate. 

• Supporting Compliance and Preparing for Post-Quantum Cryptography

  Google’s push for 90-day TLS certificates isn’t just about improving security for now, but it is also about preparing for the future, especially with Post-Quantum Cryptography (PQC).

  Why does this matter?

  Quantum computers could one day break current encryption methods, putting digital security at risk. So, the benefit that a shorter validity period offers is that it encourages us to keep the security practices up to date.  This allows organizations to test and adopt quantum-resistant algorithms like CRYSTALS-Kyber in a controlled and seamless manner. By renewing certificates more frequently, businesses can integrate and evaluate these advanced algorithms, ensuring their systems are prepared for future advancements in computing technology.

  Take online banking as an example. Right now, certificates secure your personal data. But in the future, quantum computers might be able to break the encryption. Updating certificates every 90 days helps businesses stay ahead by ensuring they can quickly switch to quantum-safe security methods when needed.

The CA/Browser Forum’s View on Google’s 90-Day TLS Certificate Proposal     

The CA/Browser Forum plays an important role in shaping SSL/TLS standards, and when it comes to Google’s 90-day certificate proposal, they’re actively working to balance security with practicality. CA/B focuses on creating a more secure web ecosystem in which the shorter certificate lifespans help mitigate risks from compromised keys. 

A notable example is the reduction of maximum SSL/TLS certificate validity from 825 days to 398 days in 2020, which reinforces the need for further renewals. More recently, the industry has moved towards 90-day certificate lifetimes, which further emphasizes automation’s role in ensuring compliance. These changes reflect a broader push toward shorter-lived certificates, reducing the window for potential compromise and ensuring cryptographic agility. 

Now, what may be the understanding behind it? For now, the CA/B forum believes that this validity may result in the broader adoption of automated certificate management, and this will ultimately help in keeping pace with the evolving security protocols. They also believe that ACME protocols are going to be the key enabler for this change. This protocol automates the issuance, renewal, and revocation of certificates, helping businesses manage certificates easily.

Tools like Let’s Encrypt simplify SSL/TLS management, ensuring businesses meet shorter lifespans while maintaining strong security. The Forum also suggests some advice for big organizations and businesses, such as that we should be ready and prepared for this shift by adopting some automation tools that can handle the increased volume of certificates.    

This proactive stance from the Forum underscores their belief that automation will be essential to handle the scale and complexity of managing certificates in a 90-day cycle. 

Source: CA/Browser Forum official statement.     

Advantages of 90 Days TLS Lifespan 

Shorter TLS certificate lifespans, like the 90-day proposal, come with some amazing benefits. Let’s break it down with real-life examples.     

Imagine big e-commerce websites like Amazon or Flipkart. These platforms handle vast amounts of sensitive customer data daily. The shorter certificate’s duration is going to ensure that the security is always up to date, and it also helps gain the customer’s trust. With the growing threat of online fraud, managing system vulnerabilities and risks has become increasingly challenging. This is why tech companies like Google are driving this change.

Another reason for this change is that it removes the risk of someone forgetting to renew it manually. You think of it this way: if there are no expired certificates, then it means no downtime or panic. The concept of no certificate expiration also allows companies to adopt the latest security upgrades quickly, staying ahead of cyber threats.   

Shorter certificate lifespans, when combined with automation, help businesses prepare for Post-Quantum Cryptography (PQC), ensuring security and reducing human errors. For example, automated certificate renewal can prevent downtime caused by expired certificates, as seen when Cisco’s expired certificates disrupted services for over 20,000 customers.

Additionally, a report found that 81% of organizations experienced at least two disruptive outages due to expired certificates in the past two years, highlighting the importance of automation in maintaining customer trust. It’s a win-win for everyone!

Disadvantages if we shift to 90 Days Validity for TLS Certificates 

When discussing a new proposal or change, we must consider its best and worst sides. We have already discussed the advantages of the shift to 90 Days validity of the TLS Certificate. 

• Impact of this change on the Small Businesses

  Without automation, keeping certificates updated becomes a constant challenge. Missing a single renewal could lead to downtime, potentially driving customers away. While automation seems like the obvious solution, implementing it requires the right tools and processes.

  For small businesses looking for cost-effective solutions, open-source tools like Certbot (for Let’s Encrypt certificates) can automate renewals at no cost. Other options include Step CA for managing internal certificates and ACME.sh, a lightweight ACME client. These tools reduce manual effort while keeping expenses low. Businesses with more complex needs can explore managed services like Lego or Smallstep, which offer more flexibility without high overhead costs.

• Effect on Government Agencies on Legacy Systems

  Government agencies can move to 90-day certificates step by step. They can use secure gateways like HAProxy or Nginx to manage renewals without changing legacy systems. Automating certificate updates with tools like Certbot or Smallstep can reduce manual work. They can start with public-facing services and then update internal systems. Adding 90-day renewals would mean constant updates, which could slow down essential services if anything goes wrong. It’s tough to implement these frequent changes with limited IT resources, especially when reliability is key. So, in this way, a great security step can also be disadvantageous for some.

  Some critical legacy components can still be used for long-term certificates while automation is introduced where possible. Upgrading web servers and load balancers before older applications can make the process smoother. This approach improves security while keeping essential services running without extra pressure on IT teams.

How should you prepare for certificate-related outages?    

See, certificates are particularly important for a business. They are like a passport for your website. If you have issues related to certificates, it can result in security-related issues. If they expire or are not managed well, it can lead to downtime, security risks, and a loss of customer trust. Let us look at some ways to avoid outages related to certificates. 

• Centralize Your Certificate Management using CertSecure Manager

  CertSecure Manager keeps all certificates in one place, making it easy to track expirations, renew on time, and enforce security policies consistently. With a clear dashboard featuring 12 new KPIs (Key Performance Indicators) and automated workflows, organizations can simplify certificate management and reduce security risks.

• Enhancing Security Beyond Automation

  While automation ensures timely renewals, it is also important to conduct regular penetration testing to identify vulnerabilities caused by expired or misconfigured certificates. Organizations should also set up automated alerts for unusual certificate behavior and perform compliance audits to detect gaps in security enforcement.

• Educate Your Team

  Ensure your IT staff understand the importance of certificate management. Proper training can prevent human errors and promote best practices in handling certificates.

• Monitor the Market and Adapt to Changes like Google’s 90-Day Proposal

  We have the tech world that is always going to change, and so we have the regulations that monitor and check for a smoother transition. We must stay informed about industry updates and adapt quickly. Shorter certificate lifespans mean faster renewals, but they also push you to rely on automation and efficient management practices. So, what helps here is being proactive. It keeps your business ahead of the curve, and you may lead the changes in the industry.

What Does This Mean for DevOps? 

If ever I must put it in a word, it will be automation. Think of renewing every certificate manually, and that too every 90 days; that sounds exhausting, right? That’s why automation has now become a necessity and not just another option. This is where ACME comes into play.  

ACME automates certificate issuance, renewal, and revocation, making it a key component in CI/CD pipelines for secure deployments. ACME clients like Certbot or acme.sh can request and renew certificates, which are then validated using DNS-01 or HTTP-01 challenges. Once issued, certificates are deployed to web servers, load balancers, or reverse proxies like Nginx and HAProxy using automation scripts. Tools like Ansible, Terraform, or Kubernetes Secrets help distribute and reload certificates across environments.

CertSecure Manager enhances this process by providing centralized tracking, policy enforcement, and seamless integration, ensuring secure and automated certificate management without manual intervention. 

Example: Manual vs. Automated Certificate Renewal

Manually renewing 500 certificates every 90 days could take a team around 250 hours annually, which, at an average cost of $50 per hour, equals $12,500 in labor costs. This doesn’t include the risks of human error or missed renewals, which could lead to costly downtime or security breaches.

With CertSecure Manager, the entire process is automated, from issuance to renewal, eliminating the need for manual intervention. This not only saves 250 hours of labor annually but also reduces the associated costs to near zero. By automating certificate management, your team can focus on delivering new features and improving the product while also ensuring consistent security with no risk of errors or missed deadlines. 

The Role of Security Teams in Policies, Training, and Audits 

There should be an established clear workflow to meet the 90-day TLS certificate validity requirement successfully. First, they should develop policies that define how certificates will be monitored and renewed, including clear roles and responsibilities. This includes steps like the ACME client requesting the certificate, the CA validating domain ownership, issuing the certificate, and automating renewals when the certificate nears expiration.

Alongside this, security teams must establish certificate management policies that align with frameworks like ISO 27001, defining roles, responsibilities, and processes for monitoring and renewing certificates.

The IT staff should be trained to understand the importance of timely renewals and the potential risks of non-compliance. Regular audits must be conducted to check for expired certificates and to ensure the renewal process is followed properly. These audits should identify gaps and vulnerabilities. Following each audit, policies and processes should be refined to ensure continuous improvement in certificate management.

How are the changes going to be rolled out? 

As of now, we do not have a confirmed date for Google’s proposal. However, it was announced way back in 2023. Google plans to introduce this change either in their Chrome Root Program update or as a ballot proposal through the CA/Browser Forum. This would allow industry experts and certificate authorities (CAs) to weigh in on the decision and prepare for the transition. However, we can imagine that the transition to 90-day certificates will start with major browsers and Certificate Authorities (CAs) adopting the standard and setting it as a requirement.

It might begin with a phase-in period, where organizations get time to prepare and adjust. Historically, changes in certificate validity periods have taken several months to a few years to implement. For example, the reduction of certificate lifespans from 825 days to 398 days was proposed in 2019 and became effective in September 2020. Given this precedent, if the 90-day validity proposal is approved, the transition might take approximately one to two years. 

For more information, you can refer to Google’s Chrome Root Program and the CA/Browser Forum’s announcements: 

• Google Chrome Root Program
• CA/Browser Forum

Best Practices for a Smooth Transition     

To easily handle the 90-day TLS certificate rule, start by planning ahead and automating certificate renewals. Train your team to keep track of deadlines, ensuring certificates are always current. By having a simple system in place, you can prevent issues. Below are the best steps to ensure a smooth transition to this new certificate requirement. 

• Organized Certificate Management for Better Security

  Maintaining a centralized inventory of certificates is essential for tracking renewals and preventing expirations. Categorizing certificates by priority as critical, high, medium, and low ensures that the most important ones are renewed first. This approach reduces downtime, minimizes security risks, and makes certificate management more efficient.

• Automate Certificate Management

  Automation would be key here. Tools like CertSecure Manager by Encryption Consulting help seamlessly handle your certificates; it enhances security by identifying and removing certificates that are expired or unused and staying compliant with regulations. For small teams or anyone without dedicated IT resources, there is automation as it helps and works on the fact that no renewals are missed.

• Set Up Alerts and Monitoring

  We should keep the alerts and monitoring up all the time; even with automation, having alerts for renewal status helps catch any unexpected issues. Monitoring tools like Nagios or SolarWinds provide real-time alerts for certificate renewals, notify administrators of impending expirations or issues, and ensure proactive management even with automation in place.

• Educate Teams Early

  This change will likely require training, especially in organizations where there is not a dedicated security team. If someone is aware of how automation and renewal work, what errors can arise, and how to work on them, then the transition becomes smoother.

• Consider Outsourced Solutions

  A lot of times, small teams find the automation of certificates tricky. In such cases, these certificate management service providers are there to help make the transition process smoother.

Getting Started with CertSecure Manager   

Evaluating your current certificate management strategy and adopting an automated solution like CertSecure Manager can improve efficiency and security. With features like ACME integration for automated certificate management and real-time reporting, CertSecure Manager ensures timely renewals and proactive monitoring, giving you better control over your certificates and reducing the risk of expirations.

Step 1: Conduct a Certificate Audit     

You can use the CertSecure Manager to scan your entire network and discover all existing SSL/TLS certificates. This audit will help you identify certificates nearing expiration and those that need immediate attention.   

Step 2: Implement ACME for Automated Renewals of Certificate    

You can deploy ACME agents across your web servers and integrate them with CertSecure Manager. This setup automates the entire renewal process and ensures compliance with the 90-day mandate without any manual effort. ACME integration automates certificate issuance and renewal, while real-time monitoring sends alerts for expirations, ensuring proactive management and minimizing risks. 

Step 3: Monitor and Optimize     

When you are using the CertSecure Manager, you can enable real-time monitoring and set up alerts to receive notifications of upcoming expirations or potential vulnerabilities. With CertSecure Manager’s intuitive interface, you can quickly address any issues before they impact your services.     

Step 4: Scale as You Grow 

As your organization expands, so does your need for secure certificates. CertSecure Manager scales effortlessly, managing certificates across all your critical endpoints, from load balancers and API gateways to IoT devices and cloud services. I think it’s time you had a look at the product itself.

How Encryption Consulting Can Help?   

Navigating this shift to 90-day TLS certificates doesn’t have to be a headache. Encryption Consulting is here to support organizations with expert insights and solutions that are custom-made for certificate management, automation, and crypto agility. Whether you are managing a few certificates or overseeing a large-scale digital infrastructure, Encryption Consulting offers solutions to make sure your certificate management process is both seamless and secure. So, if you are worried about the transition or have any cryptography-related queries, visit our education center or contact us.     

Conclusion

Google’s proposal for a 90-day SSL/TLS certificate lifespan is a great move to enhance web security by reducing the risk window for certificates that have been compromised. Shorter validity periods demand automated Certificate Lifecycle Management (CLM), leveraging protocols like ACME that help with the seamless issuance, renewal, and revocation. This approach minimizes human error and reduces the risk of expired certificates. They also match the modern DevOps practices by integrating automation into CI/CD pipelines. Enforcing more frequent domain validation also reduces the potential for CA mis-issuance and stale certificates, effectively tightening the security of enterprise networks and digital communications.