Google is proposing to reduce the life span of digital certificates used to secure websites and other online communications to just 90 days. Currently, public Transport Layer Security (TLS) certificates have a maximum validity of 13 months, or 398 days.
Certificate authorities issue TLS certificates (also called Secure Socket Layer, or SSL, certificates) with an expiration date. The life span of these certificates has been shrinking over the past few years, since frequently cycling them makes it harder for attackers to use fraudulent certificates.
In the Chromium Project's “Moving Forward, Together” roadmap, Google suggested the change to 90 days could be made either in the form of a future policy update or as a CA/B Forum Ballot Proposal. If the CA/B Forum — a consortium of browser makers, certificate authorities, and other stakeholders in the digital certificate ecosystem — doesn't formally make 90 days the industry standard, Google can unilaterally force this change on the industry by making the shorter validity period a requirement for the Chrome root program. Browsers control their own root program requirements, so browser makers don't have to wait for formal rule changes from the CA/B Forum. By virtue of Chrome's market share, if Google makes this change for Chrome, that makes it a de facto standard that every commercial public certificate authority would have to follow.
The impact goes beyond browser makers and certificate authorities because organizations will need to renew their digital certificates more often. The process, if handled manually, can be brittle because it involves identifying certificates about to expire, getting new ones issued, revoking the old ones, and deploying the new certificates. With the new validity period, IT security teams will have to handle renewals four times a year for each certificate — an arduous task considering most enterprises have many certificates and that number is growing rapidly.
Google did not provide a specific timeline in its roadmap, but based on how the changes have unfolded in the past, the new validity period will likely take effect by the end of 2024, which gives organizations time to gain visibility and control over their keys and certificates.