Your Guide For The 90 Day Digital Certificate Shift

SSL/TLS certificates are essential for establishing trust and securing internet communications. An SSL/TLS certificate confirms the identity of the website you are visiting. It confirms that you’re actually connecting to the intended website and not a fraudulent one designed to steal your information. 

When a user visits a website secured with a valid certificate, their browser can verify the website’s identity. This verification assures users that they are on a legitimate website, not a fake one designed to steal their information (phishing). These certificates act as a security lock on your website, and just like any other lock, they don’t last forever.

These have an expiry date and require a regular check and monitoring system. Expired certificates trigger browser warnings, harming user trust and potentially impacting SEO rankings, user abandonment, data breaches, and reputational damage. 

In the past, managing SSL/TLS certificates was a very hectic and time-consuming process, which included using spreadsheets and calendar reminders. Lately, there’s been a buzz around reducing the lifespan of these certificates from the usual year (398 days) or so to just 90 days. This blog will help you understand the 90-day certificate, why they’re being considered, and what it means to you and your organization. 

Journey Towards Shorter Validity Period  

The validity period of SSL/TLS certificates has undergone a significant transformation, driven by the evolution of cybersecurity threats and the ongoing quest for stronger web security. 

In the early days of the internet, certificates had lifetimes as long as ten years and obtaining a certificate may have actually required an in-person visit to the Certificate Authority’s premises! Then as internet practices grew, the CA/Browser Forum (CAB Forum) was established to standardize certificate practices and enhance web security.

Their overall mission is to work on the best practices of issuing and managing digital certificates together and one of their key efforts in this regard has been to continuously reduce the maximum validity period for certificates. 

By the year 2016, the maximum validity period was reduced to 3 years, and by 2018, it was reduced to 2 years (730 days). It wasn’t until 2019 that an attempt was made to shorten the validity period to 1 year (398 days) by Apple. Apple’s proposal highlighted the growing concern about the risks associated with longer validity periods of these certificates and pushed the CA/Browser Forum to re-evaluate existing standards of shorter validity periods.

This proposal was not passed by the Forum but in 2020, Apple shifted to 398-day SSL validity certificates in the Safari Browser and in the late 2020, this validity period of 398 days was officially enforced. 

Early in 2023, Google announced plans to potentially require websites to use SSL/TLS certificates valid for only 90 days. While this proposal has not yet been accepted, just like Apple, Google could also mandate the use of 90-day certificates for its Chrome browser, and as it covers 62% of the market share, such implications could lead to set industry standards and regulations in the future. 

Why is 90 days considered the ideal number for SSL/TLS certificates?

There has not been a definite answer to the appropriate validity period for SSL/TLS certificates, but a key advantage of shorter lifespans is the reduced window of vulnerability if a certificate is compromised. If a hacker gains access to a certificate with a 90-day validity, they have a much smaller window to exploit it before it expires and becomes useless. 

The 90-day proposal represents a middle ground between robust security and a manageable workload, as it provides sufficient time for renewal with a perfect validity period for a certificate. While shorter validity periods like 30 days offer even stronger security, 90 days or three months is the sweet spot, as anything less could become a hassle, especially for businesses and people who are not using a certificate lifecycle management solution and managing hundreds of websites.

For instance, during a sales season, if an e-commerce website uses 1-month certificates, they would need to start the renewal process every 30 days or less along with managing huge customer demand, and if they miss or forget the renewal date for any certificate, it will cause them huge losses during peak season. 

In practice though, the actual time of renewal of a certificate will be considered to be 60 days due to the buffer time if 90 days were to be official, meaning replacing your certificate 6 times every 12 months. Hence, 90 days allows for frequent updates without overwhelming website owners, particularly those with smaller setups. 

How can a Shorter Validity Period help your Organisation? 

The industry’s push towards 90-day TLS certificates is driven by a compelling combination of factors, all focused on enhancing online security. Around 60-70% of digital certificates have a validity period of more than 90 days, and automated systems have also supported quick renewal of these certificates.  

1. Reduced Damage from Key Compromise

   Reduction in the validity period of the certificate will help in preventing cyber threats. If a private key is compromised, attackers will have limited time to impersonate your website and intercept your organization’s sensitive data. For instance, an e-commerce website experiences a data breach, potentially compromising its private key.

   With a 90-day certificate validity, the damage from stolen customer information is limited as the attacker only has three months to exploit it before the certificate expires. This allows the website to revoke the compromised certificate and issue a new one much faster, further mitigating the risk.

2. Faster Adoption of Stronger Cryptography

   Shorter validity periods necessitate more frequent key generation, which will allow your organizations to adopt new and stronger cryptographic algorithms as they become available, enhancing overall security. Frequent key generation ensures that even if an attacker manages to crack a specific key, they’ll only be able to access a limited amount of data for a shorter period.

   For instance, if a new, more secure cryptographic algorithm is developed, an organization using 1-year certificate validity might wait until the next renewal to adopt the new algorithm. However, shorter validity periods necessitate more frequent renewals, prompting a faster adoption of stronger cryptography as new certificates are issued.

Impact on Businesses when manually managing 90-day certificates 

With the proposed shift towards 90-day certificates, managing security is about to get even more critical. Businesses are increasingly migrating to cloud-based platforms and applications, which necessitates a growing number of certificates for secure communication channels. Now that the internet is rapidly expanding, billions of smart devices connecting to the internet often require their own unique TLS/SSL certificate to ensure secure communication. 

While some organizations may be tempted to stick with traditional, manual methods for certificate lifecycle management (CLM), this approach carries significant risks that can substantially impact businesses when handling 90-day certificates. A manual certificate lifecycle leads to possible outages, leaving your businesses vulnerable and scrambling to recover.

These outrages can cause huge financial losses for your organization and affect your image in the eyes of your users. According to an article published by Pingdom, nearly all businesses (98%) report that even a single hour of website outage can cost them more than $100,000.  

In the IT industry, every minute a system is down translates to a significant financial loss. While the average cost is $5,600 per minute, companies can lose anywhere from $145,000 to $450,000 per hour, depending on their size. For instance, if we consider 3 outrages per year on average and an average downtime of 4 hours with a $5,600 per minute cost, the annual cost to the business can reach around $4 million. 

Impact on Businesses when using Automated Certificate Lifecycle Management Solutions for 90-day certificates 

As traditional and manual practices seem easy, integrating an automated Certificate Lifecycle Management (CLM) solution for the 90-day certificate can offer significant business benefits. To eliminate human error, missing documentation, or any such practices that could result in catastrophic outcomes, organizations require a strong automated solution to administer their SSL/TLS certificates. 

According to a report by Verified Market Research, the Certificate Lifecycle Management (CLM) software industry is experiencing rapid expansion, fuelled by the rising number of TLS/SSL certificates organizations need to manage. The market size in 2023 was estimated at 3.5 billion US dollars. By 2030, this figure is expected to reach a staggering 9.5 billion US dollars, reflecting a compound annual growth rate (CAGR) of 21.58%. 

The exponential growth of certificates due to 90-day lifespans puts a strain on manual methods. A CLM solution such as CertSecure Manager will provide automated renewals to minimize the window of vulnerability where attackers can exploit gaps in encryption while streamlined revocation processes allow businesses to quickly address security threats and minimize potential damage. By automating tedious tasks and centralizing management, businesses gain improved efficiency, allowing IT staff to focus on more strategic initiatives. 

Automating the certificate lifecycle for a 90-day certificate also helps to curb expenses for manual management, including costs due to labor and the possible financial repercussions from outages and security breaches.

These solutions also aid in compliance with industry standards, avoiding liabilities and fines, and can scale to cater to the new demand of hundreds if not thousands more 90-day certificates that could come about from the increasing digitization of more services and devices. The exponential growth volume places a strain on vulnerabilities of manual management systems, making security a lousy technique to fight exposing your organization. 

Best Practices for managing 90-day certificates using Automated CLM

The answer to this time-consuming problem of manual certificate management of 90-day certificates, of course, is a Certificate Lifecycle Management (CLM) solution, which provides an efficient way to automate certificate workflows using powerful machine-driven capabilities, etc.

If you want to get the most from these, then best practices are key to realizing the full potential automation can offer. Consider these strategies to maximize the automation of CLMs to achieve efficiency and security benefits. 

1. Policy

   Ensuring that TLS/SSL certificates have a 90-day lifecycle than the default allows the industry standard to improve security; consequently, lowering the risk of exposure can be leveraged is a good practice. A good policy consists of regulations that describe how to request, approve, or rotate the 90-day certs in different ways (need to keep this automated to reduce human failure).

   It should also define ownership for managing the 90-day certificates and bring accountability as well-regulated adherence. The exception-handling steps and escalation process should also be straightforward for any variances from the norm.

   For instance, an e-commerce website that processes sensitive customer data, such as credit card information, should prioritize strong security. Any exceptions to the 90-day lifecycle, such as a critical certificate for a legacy application, would require documented justification and approval from senior management.

2. Reports

   An automated CLM system for a 90-day certificate should be able to output a report detailing crucial information for your organization’s existing TLS/SSL certificate. Regularly maintaining and updating this report means that you can stay informed and know if any expiration actions are required so that you do not miss out on renewals and, therefore, will stop being exposed to the latest security risks to your organization.

   For instance, an organization’s CLM report on a 90-day certificate might generate information such as Certificate Name, Issued By, Issued Date, Expiry Date, Days Remaining, and respective Domain.

3. Provision

   In order to deal with the more frequent renewals that come with the shorter certificate life, such as 90 days, some automatic provisioning is necessary. Use an automation system wherever possible to manage your 90-day certificates and integrate them with the Certificate Authority (CA) through protocols such as ACME (Automated Certificate Management Environment).

   Reducing the chance of you having an expired certificate is a win, streamlining your deployment process is a win, and making sure that the same practice is in place across all systems wins the prize. This also liberates IT resources to devote energy to more strategic work, increasing the overall efficiency and security of the internet.

4. Find

   To ensure that you have taken the necessary steps, your first step should be to discover and inventory all TLS/SSL certificates throughout the entire organization. Run automated discovery tools across your network and discover every single cert in use.

   This comprehensive inventory should be stored in a central certificate management system to form the single source of truth for every digital certificate throughout an organization. Maintenance allows you to check those certificates often, so none expires without anyone noticing.

   For instance, a hospital network with public-facing web servers for patient portals and internal servers for electronic health records (EHR) systems might require its own TLS/SSL certificate to secure communication. An automated discovery tool can be deployed to scan the network and uncover all active certificates on these domains.

5. Monitor

   Automatically monitor your 90-day TLS/SSL certificates to ensure they remain secure and compliant as part of your continuous monitoring workflows. Use monitoring that generates real-time alerts if any of these issues are detected, for example, impending expiration or revocation of a 90-day certificate and/or an incorrect configuration.

   Also, a dashboard providing an organization-wide overview of certificate health status can give administrators immediate feedback to quickly identify and resolve issues. Scheduled reporting and alerts mean problems can be dealt with before they impact the quality and security of your network.

   For example, a cloud-based e-commerce platform relies on numerous 90-day TLS/SSL certificates to secure communication across various services, such as the customer portal, payment processing systems, and internal APIs. A robust monitoring solution can be configured to provide real-time alerts for critical events, including certificate expirations, revocation, and configuration issues.

6. Control

   The certificate lifecycle is a process ranging from ordering the digital 90-day certificate issuance, installation & activation upon its delivery, and then finally, when it expires, undergoing renewal again.

   Restricting the service that can request, issue, and manage these 90-day certificates protects against mismanagement by limiting changes to those permitted only and authorized personnel performing specific tasks using role-based access. RBAC can be used to enforce separation of duties, where different individuals are responsible for requesting, approving, and issuing certificates.

   Regulations should be reviewed and taken into consideration in case of a change in the organizational structure and/or security policies. Regular audits and feedback in the certificate management process reinforce compliance, leading to ongoing improvement and best practices alignment for these 90-day certificates.

By following these best practices, you can effectively organize a 90-day TLS/SSL certificate, enhancing your security status and reducing the risk of certificate-related incidents. 

What happens if you use Expired Certificates? 

SSL/TLS Certificates protect website integrity and securely transmit information. So, what do you suppose occurs when a certificate slips your mind, or even worse, one falls off the radar with an expiry date well past, especially in the case of 90-day certificates? The results could be annoying users seeing giant block-based error messages to uncountable entry points that can lead to security issues.

In the year 2017, Equifax faced a massive data breach exposing the sensitive information of over 147 million Americans. One contributing factor to the breach was an expired digital certificate that prevented Equifax from inspecting its traffic for suspicious activity. This lapse in security allowed hackers to remain undetected within the network for an extended period, ultimately leading to data theft.

1. Data Breaches

   A Legitimate SSL/TLS authentication provides the safe route to preserve exclusive statistics like your login credentials, credit card information, and a person’s related content from being considered by someone else.

   When this certificate loses its integrity, the tunnel collapses and provides an opening for hackers to step in and intercept your data as it moves on another side. Picture a hacker listening in on your online banking session — an unexpired certificate could allow this, which might end up in huge financial losses and identity theft.

2. Reputation Damage

   An expired SSL certificate says to your users “We don’t care about security”. Negligence like this can often ruin a marketing budget or damage a corporate name. Just imagine how much trust this would break with you users when a website has to admit that it allowed for such an embarrassing security vulnerability to happen.

3. Search Engine Penalties

   Search engines such as Google are sensitive to protecting users and reward higher rankings for using SSL/TLS certificates. Sites using outdated certificates get marked as unsafe, which can see their ranking on search go way down. This reduced visibility means less traffic, leading to lower web visits and, eventually lesser brand reach.

4. Service Interruption

   Since the certificate has expired, browsers recognize this and display warning messages, preventing your users from having access to your website.

   For e-commerce businesses, that can be a loss of sales; for your users, it can lead to an unsatisfying experience; and for anyone who tries to access your site, this just adds frustration. Therefore, downtime due to Service Interruption can be a real problem and have a significant impact, especially for businesses that rely on online traffic and audience.

How can the CertSecure Manager solution help in managing these certificates?

If you only had a few SSL/TLS certificates in the past, it didn’t seem too difficult to manage using spreadsheets and manual renewals with calendar alerts. However, in the changing phases of the virtual world, websites are rapidly replaced with a large set of certificates, especially for different applications and subdomains. 

Trying to negotiate our way through countless dead certificates, lost renewals, and mistakes by humans is a nerve-jangling act. And that is when modern Certificate Lifecycle Management (CLM) solutions come to the rescue.

CertSecure Manager solution adheres to the required industry standards and regulations, which provides you certificate visibility & discovery in one centralized system, manages large-scale certificates, and helps your organization to save time & resources.

1. Automated Renewal

   CertSecure Manager automates the whole renewal process -from generating renewal requests to ordering it from the Certificate Authority (CA) and installing the renewed certificate. It removes manual work, saving the IT team a lot of time and resources.

   All the time-consuming procedures that cause headaches have been eliminated, thereby facilitating your organization’s multiple renewals in short intervals, like 90 days. Studies note that 83% have had issues with certificates at least once in the past 12 months, and more than half (50%) reported incidents of compromised SSL/TLS certs.

   The system allows automatic replacement of certificates for applications such as IIS, Apache, and Tomcat webservers, as well as load balancers like F5, to make the turnover process quick and smooth.

2. Discovery and Inventory Management

   CertSecure Manager performs a full scan of your IT infrastructure and handles all SSL/TLS, which removes the blind spots that can result in renewals being overlooked and perhaps enabling security vulnerabilities.

   You have a central place to manage all your SSL/TLS certificates and see the status, dates of validity, and ownership behind it all. This central point of knowledge allows for an educated route to be taken with regard to certificate management strategies.

3. Alerts and Reporting

   CertSecure Manager doesn’t wait for certificates to expire before taking action. It generates proactive alerts notifying IT teams of upcoming renewals, allowing them to plan and prioritize tasks effectively. This allows it to generate detailed certificate health reports, upcoming renewals, and potential security risks, especially with 90-day certificates.

   These reports provide IT professionals with the information needed to improve certificate management practices and drive decisions based on data. It has an alerting system that sends notifications when a certificate is getting close to expiring or any other need-to-know update.

4. Integration with DevOps

   It works with popular Certificate Authorities, DevOps tools, and automation frameworks and can be easily integrated into any deployment pipeline. This simplifies not only the certificate lifecycle management process for your existing IT ecosystem but also reduces the effort to transfer data between different systems.

   It simplifies operations, reduces errors, and supports an optimized management flow of certificates. CertSecure Manager integrates with your DevOps tools of choice within your organization, enabling certificate deployments during your CI/CD pipeline. This will automate the process of provisioning certificates on new environments.

With CertSecure Manager, you can effortlessly manage and secure your digital certificates, ensuring that your organization’s sensitive information remains protected while complying with regulatory standards. 

Conclusion 

The proposed move by Google towards shorter 90-day validity periods for SSL/TLS certificates presents a unique opportunity. While the proposal has not yet been accepted but it may necessitate adjustments, which underscores the importance of robust certificate management practices.

This includes adopting best practices for automation using a CLM solution such as Encryption Consulting’s CertSecure Manager to help organizations not only manage this shift comfortably but, in turn, capitalize on the many advantages that are going to come because of this change in shorter validity periods. 

CertSecure Manager provides full automation of the certificate lifecycle from discovery and inventory through issuance, renewal, and revocation. This simplifies the workflow, reduces mistakes, and ensures that always all available certificates are renewed, even with shorter validity periods.

While shortening certificate lifespans can be tricky and requires careful handling to avoid issues, the benefits, like stronger security, better compliance, and increased adaptability, outweigh the challenges. Therefore, given the need for automated certificate management, CertSecure Manager allows you to confidently lead the future of online security and can thus deliver real business benefits from a secure, centralized certificate management system.