As part of its ongoing effort to enhance web security, Google is leading a movement to reduce the maximum validity period of TLS/SSL certificates to just 90 days. Expected to come into full effect by the end of 2024, this change aims to increase security but also poses significant challenges for organisations. To navigate this shift, UK businesses need to understand the implications and prepare accordingly.
Why Are TLS/SSL Certificates Becoming Shorter?
TLS/SSL certificates are crucial for securing online communications, ensuring that data transferred between a server and a user is encrypted and authenticated. Historically, certificates were valid for several years. However, over time, these validity periods have been reduced, with the latest move bringing certificates down to 90 days.
This shift is primarily driven by security concerns. The longer a certificate is valid, the greater the risk of it being compromised or becoming outdated as companies change, merge, or their domains evolve. Shorter lifespans ensure that certificates are revalidated more frequently, reducing the window of opportunity for attackers.
Google’s push for shorter certificate lifespans is also intended to promote automation, encouraging organisations to move away from manual certificate management, which is prone to human error and can lead to costly outages.
The Challenges of 90-Day Certificates.
While the security benefits are clear, the move to 90-day certificates presents significant operational challenges. Managing certificates on such a short cycle will require organisations to renew certificates four times a year, rather than once, significantly increasing the workload for IT teams.
1. Increased Workload.
Organisations will need to renew certificates more frequently, which could overwhelm teams relying on manual processes. Tracking expiration dates, renewing certificates, and deploying them across multiple systems and environments will become much more difficult without automation.
2. Risk of Expired Certificates.
Expired certificates can cause major disruptions. Websites can become inaccessible, displaying security warnings that drive customers away. In the UK, where online business and e-commerce are thriving, an expired certificate could result in substantial financial loss and damage to an organisation’s reputation.
3. Impact on Operations and DevOps.
DevOps teams, responsible for maintaining secure containerised environments, will need to integrate certificate management more deeply into their workflows. Failure to renew certificates in a timely manner could result in downtime, impacting critical online services and applications.
Why Manual Management is No Longer Sustainable.
In the past, organisations often relied on manual methods such as spreadsheets to track certificate expiration dates. However, with the move to 90-day certificates, manual management is no longer feasible for most businesses, particularly those operating in complex digital environments with multiple certificates. Managing this process manually increases the risk of human error, which can lead to outages, security breaches, and compliance failures.
The Role of Automation.
The solution to these challenges is automation. Automated Certificate Lifecycle Management (CLM) systems can handle the issuance, renewal, and revocation of certificates without the need for human intervention. This not only reduces the risk of errors but also ensures that certificates are renewed on time, providing real-time visibility into the status of all certificates across the organisation.
The ACME (Automated Certificate Management Environment) protocol plays a key role in this process. Originally developed by the Internet Security Research Group (ISRG), ACME simplifies the process of managing certificates, allowing organisations to automate key tasks such as issuing, validating, and renewing certificates.
Benefits of Automation:
- Reduced Risk of Outages: Automated systems can monitor certificates in real time and issue alerts when certificates are about to expire. This proactive approach helps prevent service outages caused by expired certificates.
- Improved Security: Automation ensures that all certificates are renewed in a timely manner, reducing the risk of security breaches and ensuring compliance with industry regulations. This is especially important in sectors such as finance and healthcare, where data protection is paramount.
- Scalability: As businesses grow and deploy more certificates across their digital infrastructure, automation provides the scalability needed to manage large volumes of certificates efficiently. This is crucial for organisations that operate across multiple domains, cloud environments, and applications.
- Cost Efficiency: By reducing the reliance on manual processes, automation frees up IT resources to focus on more strategic tasks, while minimising the costs associated with outages and breaches.
Preparing for the Future: Beyond 90-Day Certificates.
The transition to 90-day certificates is just one part of a broader trend towards more frequent revalidation and the use of more secure cryptographic algorithms. With the growing threat of quantum computing, which could break current encryption methods, the need for automation and advanced cryptography will become even more pressing.
Organisations that invest in automated CLM systems now will not only be prepared for the 90-day shift but also better equipped to handle future security challenges. This includes the transition to quantum-resistant encryption.
The move to 90-day TLS/SSL certificates marks a significant change in digital security. While it enhances security, it also increases the complexity of certificate management. To successfully navigate this shift, UK organisations must embrace automation. Automated CLM systems will reduce the risk of outages, improve security, and allow businesses to scale their operations efficiently.
As the industry moves towards more frequent certificate renewals and the adoption of quantum-resistant algorithms, now is the time for organisations to modernise their certificate management processes and future-proof their security infrastructure.
Avoid costly outages and strengthen your security posture with a CA-agnostic solution built for scalability and compliance. Get in touch with Secon today.