If you haven’t already automated certificate lifecycle management (CLM) – you’re running out of time
ACME, or the Automated Certificate Management Environment, is a protocol that was designed several years ago to automate certificate lifecycle management. It was originally created by the Internet Security Research Group (ISRG) for use by the open-source certificate authority, Let’s Encrypt.
At the time, it was a necessary innovation because Let’s Encrypt SSL/TLS certificates were valid for just 90 days and would need to be replaced at least four times per year. That was different from other commercial CAs, which, in accordance with the CA/Browser Forum Baseline Requirements, were issuing certificates with a maximum validity of 13 months (397 days).
Well, that’s all about to change. Following the CA/B Forum face-to-face meetings held in early March 2023, Google announced its intention to reduce maximum certificate validity to just 90 days for all publicly trusted SSL/TLS certificates.
While there is not yet an effective date or deadline for this change, now is the time to begin planning automation of your certificate lifecycle management for SSL/TLS.
Why a Shorter Certificate Validity?
Shortening certificate lifespans has been an ongoing initiative over the past decade. Whereas 10 years ago you could purchase a 5-year SSL certificate, the maximum has since been reduced steadily: from five years to three, then to two, and then down to its current one-year (technically 13-month) maximum validity.
The idea behind this is sound, even if a bit unwieldy at scale: the longer a certificate stays valid, the less reliable it is. Think about it this way: an SSL/TLS certificate is what browsers use to verify the identity of a web server. The longer the gap between checks of that information, the less reliable the validation becomes. Think about how much can change over the course of just a year: companies fold, transactions and mergers occur, companies evolve. To maintain the most reliable level of authentication, that information needs to be verified regularly.
Just how regularly is debatable. Google’s previous representative on the CA/B Forum, which determines the industry’s regulatory requirements, stated the view that domain validation information should remain reliable for only six weeks. Three months (roughly 12 and a half weeks) is about double that.
As of now, Google has released a survey to the certificate authorities at the CA/B Forum and is requesting feedback on its stated plans by the end of March. After that, it will likely announce enforcement dates for all its proposed changes. We will keep you posted as that situation develops.
But for now, it’s time to kick off an earnest discussion around certificate lifecycle management in your organization. And GlobalSign has a turn-key solution with its ACME service.
Automation Just Went From a Want to a Need
Managing SSL/TLS certificates has always been a tedious drag. Anything more than just a handful requires deliberate planning: handling multiple validations, getting the certificates issued, getting them on the right servers, installing them, configuring them, and making sure you’ve got reminders set for when they’re expiring. It is, in no uncertain terms, a huge pain in the ass.
And that was just worrying about it once per year. Now try multiplying that by four. Ouch. If your IT team resides on the second floor or higher in your building, you may need to nail shut their windows.
But there is an easier way to keep them from jumping (ship): GlobalSign’s ACME service. As mentioned before, ACME was designed specifically with these timeframes in mind, and since its initial specification it has been refined to facilitate more than just domain-validated (DV) certificates from an open-source CA. GlobalSign’s ACME service can issue both domain-validated (DV) and organization-validated (OV) SSL/TLS certificates. Plus, it’s backed by all the experience, support and Service Level Agreements (SLAs) that make GlobalSign one of the most highly respected Certificate Authorities and Qualified Trust Service Providers in the world.
ACME is a protocol that facilitates communication between a CA (GlobalSign) and an agent installed on a web server. The agent manages the entire certificate lifecycle for all the websites on the server that it is authorized to act for. Customers can purchase certificate packs and manage everything through the Atlas portal, allowing for full automation of all the SSL/TLS certificates on your network.
No more slogging through validations: the agent does that for you. No more installations and configurations: the agent does that, too. And when a certificate is about to expire and needs replacing, you guessed it, the agent is on top of things.
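The scheduling decision an ACME agent makes for you is easy to get wrong by hand, which is the point of the paragraphs above. The following is an added example, not GlobalSign’s code and not part of the ACME protocol itself: it takes a small certificate inventory (constructed here, with `.test` hostnames and made-up dates), flags which certificates are expired, which are inside the renewal window, and which were issued with a lifetime longer than the proposed 90-day maximum, and computes how many renewals per year each validity period implies. The 30-day renewal lead time is an assumption used for illustration, not a value from the post.

```python
"""Renewal-window checks for a TLS certificate inventory under a 90-day maximum.

Added example for illustration; the inventory below is constructed, not real.
"""
import math
from datetime import date

MAX_VALIDITY_DAYS_CURRENT = 397   # CA/B Forum Baseline Requirements maximum today
MAX_VALIDITY_DAYS_PROPOSED = 90   # maximum proposed by Google
RENEW_LEAD_DAYS = 30              # assumed lead time before expiry (illustrative)


def renewals_per_year(validity_days, lead_days=RENEW_LEAD_DAYS):
    """Renewals one certificate needs per 365-day year when each replacement is
    requested `lead_days` before the previous one expires."""
    cycle = validity_days - lead_days
    if cycle <= 0:
        raise ValueError("lead time must be shorter than the validity period")
    return math.ceil(365 / cycle)


def classify(inventory, today, lead_days=RENEW_LEAD_DAYS,
             policy_max_days=MAX_VALIDITY_DAYS_PROPOSED):
    """Classify each (host, not_before, not_after) entry as of `today`.

    Returns a dict keyed by host with the renewal status, days of validity
    left, the issued lifetime, and whether that lifetime exceeds the policy.
    """
    result = {}
    for host, not_before, not_after in inventory:
        lifetime = (not_after - not_before).days
        days_left = (not_after - today).days
        if days_left <= 0:
            status = "expired"          # already unusable; replace immediately
        elif days_left <= lead_days:
            status = "renew_now"        # inside the renewal window
        else:
            status = "ok"
        result[host] = {
            "status": status,
            "days_left": days_left,
            "lifetime_days": lifetime,
            "exceeds_policy": lifetime > policy_max_days,
        }
    return result


# Constructed inventory: (hostname, notBefore, notAfter). Not real certificates.
INVENTORY = [
    ("www.example.test", date(2023, 1, 1), date(2023, 4, 1)),    # 90-day cert
    ("api.example.test", date(2022, 6, 1), date(2023, 7, 3)),    # 397-day cert
    ("old.example.test", date(2022, 12, 1), date(2023, 3, 1)),   # already expired
    ("mail.example.test", date(2023, 3, 1), date(2023, 5, 30)),  # fresh 90-day cert
]
TODAY = date(2023, 3, 15)  # constructed "current date" for the example


def report(inventory=INVENTORY, today=TODAY):
    """Human-readable summary; returns the lines so callers can inspect them."""
    lines = []
    for host, info in sorted(classify(inventory, today).items()):
        flag = " (lifetime exceeds proposed 90-day max)" if info["exceeds_policy"] else ""
        lines.append(f"{host:20} {info['status']:9} {info['days_left']:4d} days left{flag}")
    for validity in (MAX_VALIDITY_DAYS_CURRENT, MAX_VALIDITY_DAYS_PROPOSED):
        lines.append(f"{validity}-day certificates: "
                     f"{renewals_per_year(validity)} renewals/year with a "
                     f"{RENEW_LEAD_DAYS}-day lead")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Running the script prints one line per host plus the renewal count per year; the 397-day certificate is still valid today but is flagged because a certificate of that lifetime could not be issued under the proposed rule, and the www host is inside the 30-day window even though it has not expired. With a 30-day lead, 90-day certificates need seven renewals a year, which is the workload the agent absorbs.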
GlobalSign’s ACME service is an agent-agnostic, low-leverage automation solution that eliminates tedious work for your IT team and saves your organization money. And frankly, it couldn’t be available at a better time in light of Google’s recent announcement.