Digital certificates are not like fine wine — they don't get better with age. They're more like medication, losing their potency the longer they sit.
So when Google said that it would adopt a 90-day lifespan for Transport Layer Security (TLS) certificates, it made sense. The certificates, also commonly known as Secure Sockets Layer (SSL) certificates, are traditionally effective for more than a year. Even that is an improvement on the validity of up to 10 years that existed a decade ago.
These certificates provide more than a little padlock-shaped icon in the address bar of Web browsers and an "https" URL for websites. The certificate attests that the site is a valid domain, safe from spoofing, and encrypted to ensure secure browsing and transactions. In these days of rampant phishing and online fraud, they are a strong sign to users that a site protects its data.
The logic behind Google's move is clear: With bad guys frequently upping their game, security can't leave these protections to a once-a-year upgrade. The operators of the most popular browsers in use today — Apple, Microsoft, Mozilla and, yes, Google — have been working toward reducing certificate lifespans, prodded along by their working group, the CA/Browser Forum. Apple reduced its Safari browser certificates to one year in 2020, putting pressure on others to shorten the span. Google's action is likely to spur similar action.
Expired TLS certificates are more than a cybercrime opportunity, they are also a cause of service outages, rendering connections as not private and communications as not secure — keeping users from completing their business. This issue continues to impact a number of major enterprises, including big names such as Shopify, Cisco, Starlink, and Microsoft.
The 90-Day Certificate Challenge
Certificate life-cycle management (CLM) is an ongoing challenge for admins, especially those large organizations that may have hundreds or thousands of certificates to manage. One survey found the average was more than 50,000, and the number went up more than 43% annually. Today's enterprises, which rely heavily on cloud-based assets and automation, can't skimp on certificate management if they want to keep operating smoothly. A number of best practices to achieve crypto-agility are imperative to face this challenge:
- Gain visibility: Having a clear view of certificates is key to managing renewals and removals. Regular scanning helps identify existing certificates and discover new ones that must be accounted for; one survey noted 15% of the certificates found were self-signed — not managed by any trusted authority, but by the developers themselves — and one-fifth of them were expired. This discovery process should generate a central inventory to track all the details of certificates, such as their location and expiration date, the certificate authority that validated them, and other relevant metadata.
- Track use-by dates: Automation can help track and maintain certificate renewals by sending alerts to relevant staff in a timely manner. Once there is an inventory of certificates, renewing them in advance of expiration or arranging an automatic renewal can keep those from falling through the cracks. Automation can also make sure certificates are provisioned and configured correctly and have the right binding to an endpoint.
- Enforce encryption standards: Encryption is the secret sauce of certificates, so determining the right level of encryption is in play ensures the security of the infrastructure. Analyzing certificates for indicators such as key size and strength or signing algorithms can detect those that are using insecure or obsolete crypto standards. Adopting tools that can quickly upgrade those standards at scale with a minimum of disruption will help avoid any outages, breaches, or compliance issues.
- Establish governance: Automation can help manage certificates, but it requires an underlying policy for enforcing public key infrastructure (PKI) governance that oversees the protection of data, provisioning of user identities, and securing of end-to-end communications. A stable policy across all units in the organization will standardize issuing and managing certificates, regulate right-sizing permissions to each business use case with role-based access control (RBAC) and simplify auditing by establishing procedures to create audit trails and periodic reports to spot anomalies, weaknesses, and compliance issues.
- Lock down keys: Private keys are the master lock that protects sensitive information, but the practice of saving them in unprotected text files leaves them open to exploitation. Saving them in an encrypted software vault or certified hardware security module (HSM) offers better protection, especially if it enables automated key rotation to replace them regularly. This minimizes the chance of human error (those reused credentials that result in so much compromise). Additionally, using password vaults to protect device-based credentials offers an additional layer of security.
The challenge of protecting users, applications, and devices while ensuring availability and continuity is not likely to relent any time soon. Google's proposal just compounds the challenge as TLS certificates will soon need to be renewed every three months rather than the current 13-month time frame. Automating CLM is the only path forward for PKI and information security admins that already have a difficult time with certificate management today.
As more certificate authorities and browser vendors embrace Google's new TLS validity recommendation — as they did Apple's before — CLM will keep its place in the admin's list of concerns. Implementing an efficient, scalable, and agile process to automate CLM processes offers a path forward that not only reduces the manual labor associated with certificate management, but also the risk of costly business outages.