Table of Content

Key Management Interoperability Protocol

Urgent Actions to Prepare for 90-Day SSL/TLS Certificates 

Urgent Actions to Prepare for 90-Day SSL/TLS Certificates 

The shortening of the duration of SSL/TLS certificates is rapidly becoming the norm in the cyber world, with 90-day certificates becoming the most common for many organizations. This transition aimed to serve security purposes more efficiently, accommodate more of the emerging threats and compel IT teams to remodel their approach to certificate management. Given the advancement of cyber threats with every passing day, the need for shorter certificate validity can be understood within the context of securing the purpose of encrypted communication.

On the other hand, this is also a problem. Companies must properly organize the monitoring processes, obtain new certificates in a timely manner, and control the availability of services to keep the smooth and safe operation of the Internet. 

To facilitate the 90-day SSL/TLS certificate shift, one can refer to this comprehensive blog to get insight. Exploring these best practices will help you overcome critical issues such as automation and efficient management of certificate lifecycles as you work around Google’s recommended reduced constraints concerning the validity periods. 

Timeline of Reduction of Validity Period of Certificates 

The history of SSL/TLS certificate validity periods shows how the industry has worked hard to make cybersecurity stronger. Organizations like the CA/Browser Forum and major browser companies such as Google, Apple, Microsoft, and Mozilla have been key players in driving this change. 

Lifespans of Certificates Timeline
  • Before 2011, certificates were valid for 8–10 years (96 months). This long period created risks because outdated encryption algorithms stayed in use for too long. Many businesses struggled to manage vulnerabilities and faced higher chances of data breaches. 

  • In 2012, the CA/Browser Forum reduced the maximum validity period to 5 years (60 months). This change reflects a clear shift towards enhanced security practices. Although it increased workloads, it also reduced the number of outages caused by expired certificates. 

  • By 2015, the validity period was shortened to 3 years (39 months). Businesses started using automated tools to handle renewals, which reduced manual errors. 

  • In 2018, the validity period was further reduced to 2 years (27 months). This adjustment was backed by major browser vendors like Microsoft and Apple and emphasized the need for more frequent cryptographic updates to counter emerging threats. This change accelerated the adoption of certificate lifecycle management (CLM) solutions, with organizations reporting a rise in investments in automation tools. However, businesses faced challenges in aligning IT workflows to meet the shortened cycle. 

  • The landmark change came in 2020. Apple led the charge by announcing that Safari would no longer trust certificates with validity longer than 1 year (13 months). Google Chrome and Mozilla Firefox implemented similar policies following Apple’s lead. This change had an impact on organizations, compelling many organizations to adopt fully automated CLM systems. 

  • In July 2023, Google proposed the change at the CA/B Forum, which has not yet been accepted. Google’s proposal for a 90-day validity period for certificates represents a significant adjustment. It ensures that certificates remain aligned with evolving security standards. 

  • In the same year, Apple also proposed the change at the CA/B Forum, and it aims to shorten SSL/TLS certificate lifespans in phases. Several changes will be made if the proposal gets accepted. By September 2026, certificates will be limited to 200 days with a 20-day early renewal period and a 200-day DCV (Domain Controller Validity) reuse period. By September 2027, certificate lifespans will be reduced to 100 days with a 10-day early renewal period and 100-day DCV reuse. Finally, by September 2028, certificates will have a 45-day validity, and the DCV reuse period will be just 10 days. It allows organizations to adopt faster and automated certificate management practices easily without sudden strain.

Each adjustment in validity periods has driven organizations to rethink their security workflows, invest in automation, and enhance compliance practices, ultimately strengthening their cybersecurity postures. 

Issues Presented by Reduced Timeframe of Validity of Certificates 

The transition to shorter certificate lifespans represents a significant shift in the management of digital certificates and enhances security by reducing the risk of compromised keys being misused over extended periods. However, this also brings several operational challenges that organizations must tackle efficiently.  

  1. Frequent Certificate Renewals

    There is a need for more frequent renewals, which can go up to at least four times a year. It automatically increases the administrative burden, especially for enterprises managing thousands or even millions of certificates. This increased frequency not only strains resources but also increases the likelihood of human errors, leading to expired certificates.

    Every year, a huge number of organizations experience outages due to expired certificates. A study by DigiCert found that certificate outages cost large corporations an average of $5,600 per minute. A notable example is the 2020 Microsoft Teams outage, where an expired certificate left millions of users without access. It showed the business and reputational risks tied to inadequate certificate management.

  2. Non-Automated Systems

    Relying on manual renewal processes was manageable with longer certificate lifespans, but with shorter certificate validity periods, it would become impractical. These manual methods often result in expired certificates or misconfigurations, causing disruptions or security risks. Legacy systems, which are older and not built for modern demands, face additional difficulties. They typically cannot support automated tools like ACME (Automated Certificate Management Environment), which are crucial for managing certificates efficiently.

    Furthermore, not all Certificate Authorities (CAs) and organizations are fully equipped to handle the accelerated issuance and renewal cycles that can create inconsistencies. Businesses are adopting centralized Certificate Management Systems to mitigate these challenges. Our solution, CertSecure Manager, provides a unified interface for tracking and renewing certificates.

  3. Burden on the IT Team

    The shift to shorter certificate lifespans places a significant burden on IT teams. With certificates needing to be renewed more frequently, IT teams must handle a higher volume of renewals. It increases the likelihood of errors like expired certificates. This can lead to system outages, affecting services and productivity. Without automation, IT teams can spend a lot of time managing their certificates, taking time away from other important work. Automation can save time and keep teams focused on critical tasks.

    A major European mobile company named O2 faced an outage that lasted nearly a whole day due to an expired certificate from Ericsson. Millions of customers were affected by this certificate outage. As a result, O2 was compensated around $132.8 million by Ericsson.

  4. Training and Upskilling Needs

    Workforce upskilling is another critical component, as IT and DevOps teams need training to manage modern certificate lifecycles efficiently. These strategies require investment, but they are essential for minimizing service interruptions, reducing resource strain, and ensuring compliance in an era of shorter certificate lifespans. Organizations that successfully take care of these measures not only mitigate the risks associated with frequent renewals but also position themselves for improved operational resilience and enhanced trust in their digital services.

Organizations need to use automation tools and certificate management platforms to ensure proper certificate lifecycle management. These tools make the renewal process easier by automating tasks like issuing, deploying, and tracking certificates. These tools are designed to integrate smoothly with diverse environments, including legacy systems.  

Immediate Actions for Efficient Certificate Management 

Several actions are mentioned below that will help you manage certificates effectively. 

  1. Extensive Audit of Certificates

    It is essential to comprehend the existing certificate scenario for the successful completion of this task. Therefore, write down all the known attributes of each and every certificate in an easy-to-understand manner and make the inventory. It can include the owner’s name, location of installation, and expiration details. This inventory provides necessary insights to assess the risks posed by any expiring or expired certificates. Hence, it will be helpful to avoid any disruptions in the services provided as well as possible security threats.

    A worldwide organization like Google uses advanced certificate lifecycle management tools to conduct scans on their various websites, retrieve a report on all certificates in use, and underline the ones due for renewal. This way, the IT team gets a chance to mobilize and affect service renewal beforehand.

    CertSecure Manager automates the discovery and auditing of TLS/SSL certificates across the organization. It provides real time insights into certificate attributes, expiration details, and their locations. This ensures proactive risk assessment and minimizes service interruptions.

  2. Set up Discovery and Monitoring stages

    The ongoing discovery of TLS/SSL certificates is of utmost importance for the proper management of inventory. Organizations require a platform that integrates the finding of new certificates while keeping their status in check to ensure that no certificate is left out and even those nearing expiry are dealt with accordingly.

    A global corporation such as Microsoft adopts the use of such tools to enable the constant monitoring of its entire global footprint. In this regard, such automated systems improve visibility and reduce the risk of gaps in certificate coverage by discovering all the active certificates.

    CertSecure Manager provides continuous discovery and monitoring of certificates across global infrastructures. You have a centralized dashboard to oversee all your SSL/TLS certificates. It allows you to track their status, validity dates, and the ownership details associated with each one.

  3. Incorporate Risk Assessment Approaches

    It is very important to evaluate the potential risks of your certificate management practice on a regular basis. This will help you detect any weaknesses that can be exploited or edge cases that may cause downtime in services.

    For certificate management systems, new technology-oriented organizations may decide to do risk assessments concerning the project every six months. Focusing on those high-risk areas and devoting finances to them helps avoid such disruptions and retain the customers’ faith.

    CertSecure Manager includes risk assessment that evaluates vulnerabilities in certificate management practices. It generates detailed certificate health reports that highlight critical areas. It enables organizations to allocate resources effectively and maintain service reliability.

  4. Create Policies and Workflows that are Centralized

    Encourage control policies for certificate management in your organization. There must be viable processes in place for any requests and approvals of new certificates to protect against teams breaking the new 90-day limit. Centralized policies ensure that all certificates within the organization follow the same process for issuance, renewal, and revocation. It also leads to consistency and reduces the risk of human error.

    Organizational workflows are impacted by the implementation of custom policies in Certificate Lifecycle Management by automating and streamlining key processes, reducing manual effort, and enhancing security. Companies with centralized CLM policies experience faster certificate deployment time, improving service uptime and compliance.

    CertSecure Manager offers centralized policy management and allows organizations to define and enforce certificate usage policies. It streamlines approval workflows for new certificate requests, ensuring compliance with organizational standards.

  5. Automate Renewal Procedures

    Manually renewing thousands of certificates is a tedious task, but automation can simplify the renewal process and improve security posture. Organizations using automated certificate management solutions experience reductions in the time spent on certificate-related tasks. This translates to significant cost savings and allows IT teams to focus on more strategic initiatives.

    A 2022 study by VentureBeat showed that 81% of companies had experienced a certificate-related outage. This occurred within two years. It shows the significant risks associated with inadequate certificate management. These outages can result in substantial financial losses, and it is estimated by the Ponemon Institute that the average cost of IT downtime can be nearly $9,000 per minute.

    A huge banking institution has implemented CertSecure Manager, which automated the renewal of certificates intended for their online banking portal. Automating the renewal of digital certificates worked efficiently and has reduced the chances of downtime a lot. The access for the customers is always maintained without manual actions from the institution.

  6. Incorporate Certificate Management into DevOps Processes

    Certificate management integration into the Continuous Integration/Continuous Deployment (CI/CD) framework increases efficiency and security. This integration makes it possible to ensure that the latest certificates are always used to deploy new applications or updates, hence minimizing the risks associated with using expired certificates in production.

    Incorporating certificate management into DevOps processes enhances security compliance with standards like PCI DSS (for secure payment processing), HIPAA (ensuring patient data protection in healthcare), GDPR (maintaining privacy and data protection in the EU), SOX (ensuring financial data integrity), and ISO 27001 (promoting information security management). Improvement in deployment speed can be seen by automating certificate management within DevOps pipelines. This is because manual interventions are minimized, which allows for more reliable and faster software releases.

    CertSecure Manager integrates seamlessly with CI/CD pipelines, such as Jenkins, GitHub Actions, and Azure DevOps, and automates certificate issuance and deployment during the build process. This ensures that only valid and secure certificates are used in production.

  7. Maintain a Watch over Security Compliance

    Due to the rapid rotation of certificates, it is important to have a tool that monitors security and compliance on a regular basis. Certificates should be managed by their management system in accordance with the best practices.

    Big health insurance companies use certificate management software to find all the certificates in the organization on a quarterly basis and check which ones are HIPAA compliant. This is important to protect the patients’ private information and to keep the clients’ faith.

    CertSecure Manager helps organizations stay compliant with industry standards and regulations. Features like compliance monitoring and reporting are also functional for the users. It highlights certificates that fail to meet specific requirements, such as HIPAA or PCI-DSS, and provides actionable insights for remediation.

  8. Support Rising Machine Identities

    With the progress of digital space, it is estimated by Cyberark that the number of machine identities will grow more than 2.4 times in the upcoming 12 months. As the demand for certificate management grows, the certificate authority market is expected to expand significantly. Research shows that the global certificate authority market size is going to increase from $81.7 million in 2019 to $285.7 million by 2030. This growth presents a compound annual growth rate (CAGR) of 12.3% from 2020 to 2030.

    This means that organizations must ensure that the certificate management strategies they have in place are able to cope with the changing demands without worrying about security issues.

    CertSecure Manager is built to handle the scalability demands of increasing machine identities. Its automated certificate provisioning and lifecycle management ensures seamless operations even as the number of machine identities grows exponentially.

  9. Educate and Train Staff

    It is very important to ensure that your team is aware of why SSL/TLS certificates are important and that they are properly maintained. Training sessions can also explain how to manage certificates with shorter lifespans and why it is dangerous to forget about the handling of such certificates.

    Tech organizations arrange to hold training sessions on effective certificate management for their developers. This approach supports security culture practices and encourages team members to take part in protecting applications as part of their work.

    CertSecure Manager provides intuitive interfaces and detailed guides, which reduces the learning curve for IT teams. Additionally, its centralized platform simplifies certificate management and makes it easier for staff to adopt best practices with minimal training.

These measures will help in the smooth transition of organizations to 90-day TLS/SSL certificates without any compromise to security and compliance. The potential dangers related to shorter validity periods for certificates will be mitigated with the help of automation and strong certificate lifecycle management, and operations efficiency will be improved. As the requirements for digital security change, these efforts will enable organizations to carry out operations even in a turbulent environment without any interruptions of security. 

How can Encryption Consulting help? 

The recent announcement by Google to limit SSL/TLS certificates to 90 days presents a significant window for companies to enhance their security controls. Though this recommendation is yet to be confirmed, it underlines the importance of managing the issuance and expiration of certificates. This gap is filled by Encryption Consulting’s CertSecure Manager, which manages the entire certificate lifecycle, starting from discovery and inventory, then on to issuance, renewal, and revocation once the certificates have been created to enforce timely renewals and minimize human intervention. 

There are no worries about expired certificates as CertSecure Manager makes certificate management easy, allowing businesses to concentrate on their core values. Centralized management increases security compliance with regulations and flexibility in machine identities. 

Challenges are always expected when changing to shorter operational lifecycles, but the advantages are more significant. Encryption Consulting is committed to giving the best advice and strategies throughout the transition period. CertSecure Manager places any organization at the forefront of technological advancement in cybersecurity, with significant profits garnered in the process of protecting sensitive information. Request a demo today.

Conclusion 

The shift to 90-day certificate validity is a big change in digital security. It helps businesses to improve how they handle certificates. Shorter certificate lifespans reduce the risk of misuse, making systems safer from cyber threats. However, they also mean businesses must renew certificates more often, which can be challenging. To manage this, companies should regularly check all their certificates to avoid expired ones. Automating the renewal process saves time and prevents manual errors. Certificate lifecycle management tools should also be integrated with CI/CD pipelines to streamline updates during development. Managing everything from a single platform makes it easier to stay organized. By following these steps, businesses can improve security, avoid downtime, and ensure their services remain reliable and trusted. 

Explore the full range of services offered by Encryption Consulting.

Feel free to schedule a demo to gain a comprehensive understanding of all the services Encryption Consulting provides.

Request a demo