Browsers to Enforce Shorter Certificate Life Spans: What Businesses Should Know

Apple, Google, and Mozilla will shorten the life span for TLS certificates in a move poised to aid security but cause operational troubles.

The process of securing a site each year isn't much easier, and there is a risk the administrative process will be off-putting enough that site operators "simply don't bother." For many, Wilton adds, certificate renewal comes at a financial cost that makes it even less appealing. The benefits of more frequent replacement depend on a quick, simple, affordable, and repeatable process.

How Your Organization Can Prepare
While this change won't go into effect until Sept. 1, businesses would be wise to start preparing now: create a plan, educate employees, and talk with partners to find out how they are affected.

Netskope has started to prepare by reviewing its certificate architecture, how particular types of certificates are used, and ways to simplify the process. The company has also begun rotating certificates to get ahead of browser error notifications, documenting as it goes. Tracking data is added into the application flow of its systems and services so that certificate status can be followed across all of them, Orange explains.

Changes were communicated internally to employees and externally to customers so they know what to expect from their service provider. Orange advises businesses to do the same, and to talk with their own providers to learn how those providers will be affected and what the business should be aware of. If a provider plans to make changes, the client should know what those changes will be.

Employee education is essential and shouldn't be taken lightly, Orange says. People will see more browser certificate-error warnings; they should know why, and what to do when they do. This is tricky: users have only recently learned to check for the icons indicating a website is secure, and now they need to recognize when one is not. The goal is behavioral change and awareness, rather than giving employees lots of training and occasionally testing them.

"Planning and visibility, they are partners – same coin, just two different sides," he says. "If you don't know your certificate hierarchy and understand all of your digital assets that are leveraging TLS certificates, then you'll have a hard time planning what to do first and how it may ultimately impact your organization." 
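The inventory and planning steps above come down to a worklist: which certificates will browsers reject outright under the new one-year (398-day) limit, and which are simply due for renewal soon. The script below is an added example, not Netskope's or DigiCert's tooling. It reads the `notBefore`/`notAfter` lines that `openssl x509 -noout -dates` prints for each endpoint (an inventory script would add the `host=` line; the hosts, dates and the 30-day renewal lead time here are constructed assumptions), measures each certificate's lifetime, and orders the results by urgency.

```python
"""
Added example (not Netskope's or DigiCert's tooling): turn a certificate
inventory into a renewal worklist. Each record carries the two lines that
`openssl x509 -noout -dates` prints, so a real inventory can be produced with
  openssl s_client -connect HOST:443 -servername HOST </dev/null | openssl x509 -noout -dates
The hosts and dates below are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

# Root-program policy: a leaf certificate issued on or after 2020-09-01 is
# distrusted by Safari, Chrome and Firefox if its validity exceeds 398 days.
POLICY_START = datetime(2020, 9, 1, tzinfo=timezone.utc)
MAX_LIFETIME_DAYS = 398
# Assumed operational lead time (a choice for this example, not policy):
# begin renewal this many days before notAfter.
RENEWAL_LEAD_DAYS = 30

# Constructed sample: a "host=" line (added by the inventory script) followed
# by the two lines openssl prints for that host's leaf certificate.
SAMPLE_INVENTORY = """\
host=www.example.test
notBefore=Oct  5 00:00:00 2020 GMT
notAfter=Nov  8 23:59:59 2022 GMT
host=api.example.test
notBefore=Sep 15 12:00:00 2020 GMT
notAfter=Oct 18 12:00:00 2021 GMT
host=legacy.example.test
notBefore=Jul 20 00:00:00 2020 GMT
notAfter=Aug 19 23:59:59 2022 GMT
"""


def parse_openssl_date(value):
    """Parse 'Oct  5 00:00:00 2020 GMT' (openssl pads the day to two columns)."""
    normalised = " ".join(value.split())
    parsed = datetime.strptime(normalised, "%b %d %H:%M:%S %Y %Z")
    return parsed.replace(tzinfo=timezone.utc)


def parse_inventory(text):
    """Group host/notBefore/notAfter lines into one record per host."""
    records, current = [], None
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        if key == "host":
            current = {"host": value.strip()}
            records.append(current)
        elif key in ("notBefore", "notAfter") and current is not None:
            current[key] = parse_openssl_date(value)
    return [r for r in records if "notBefore" in r and "notAfter" in r]


def lifetime_days(record):
    """Validity period in days; a partial final day is rounded up (conservative)."""
    span = record["notAfter"] - record["notBefore"]
    return span.days + (1 if span.seconds else 0)


def assess(record, now):
    """Classify one certificate against the policy and the renewal window."""
    days = lifetime_days(record)
    subject_to_limit = record["notBefore"] >= POLICY_START
    renew_by = record["notAfter"] - timedelta(days=RENEWAL_LEAD_DAYS)
    if now >= record["notAfter"]:
        status = "EXPIRED"
    elif subject_to_limit and days > MAX_LIFETIME_DAYS:
        status = "REPLACE_NOW"  # browsers reject it regardless of expiry date
    elif now >= renew_by:
        status = "RENEW_NOW"
    else:
        status = "OK"
    return {
        "host": record["host"],
        "lifetime_days": days,
        "days_left": (record["notAfter"] - now).days,
        "renew_by": renew_by.date().isoformat(),
        "status": status,
    }


def worklist(text, now):
    """Assess every record and order by urgency: fewest days left first."""
    items = [assess(r, now) for r in parse_inventory(text)]
    return sorted(items, key=lambda item: item["days_left"])


if __name__ == "__main__":
    for item in worklist(SAMPLE_INVENTORY, datetime.now(timezone.utc)):
        print(item)
```

Note the edge case in the sample: `api.example.test` has a lifetime of exactly 398 days, which is allowed, while `legacy.example.test` is a two-year certificate that is still accepted because it was issued before the Sept. 1 cutoff; it only becomes a problem when it is next reissued.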

In the Long Term, Shorter Life Spans
DigiCert's Coclin says this one-year validity is an "intermediate step" in gradually shrinking the life span of TLS certificates.

"We don't believe this is the final say in where they'll go in certificate lifetimes," he says. "We believe they'd like to see 90 days."

He speculates the CA/Browser Forum may eventually get down to a nine-month maximum, followed by a six-month limit, before getting to the 90-day timeline.
