If you haven’t already automated SSL certificate lifecycle management (CLM) – you’re running out of time
Shortening SSL/TLS certificate lifespans has been an ongoing initiative over the past decade, so we shouldn’t be surprised to hear of Google’s plans to decrease SSL/TLS certificate validity terms to 90 days. But here you are, wondering how this shift is going to impact your organization and the industry as a whole and, quite frankly, what you can do about it. Sit tight, we’ve got you covered as we break down what it all means and how automation of SSL/TLS certificate management went from a want to a need.
- How is ACME Shaping the Future of SSL/TLS Certificate Validity?
- Why is a Shorter Certificate Validity a Good Idea?
- Automation Just Went From a Want to a Need
How is ACME Shaping the Future of SSL/TLS Certificate Validity?
ACME, or the Automated Certificate Management Environment, is a protocol that was designed several years ago to automate certificate lifecycle management. It was originally created by the Internet Security Research Group (ISRG).
At the time, it was a necessary innovation because one provider’s SSL/TLS certificates were valid for just 90 days (about 3 months) and would need to be replaced at least four times per year. That differed from other commercial CAs, which were issuing certificates in compliance with the CA/Browser Forum.
What is the Current Maximum Validity Period of an SSL/TLS certificate?
The current maximum validity period of an SSL/TLS certificate is 397 days, or about 13 months, as set out in the CA/B Forum’s Baseline Requirements.
Well, that’s all about to change. Following the CA/B Forum face-to-face meetings held in early March 2023, Google announced its intention to reduce maximum certificate validity to just 90 days for all publicly trusted SSL/TLS certificates.
When is Google Putting the 90 Day Certificate Validity into Place?
While there is not yet an effective date or deadline for this change, Google has released a survey to the Certificate Authorities at the CA/B Forum and is requesting feedback on its stated plans. After that, it will likely announce enforcement dates for all its proposed changes. We will keep you posted as that situation develops.
Why is a Shorter Certificate Validity a Good Idea?
Ten years ago, you could purchase a 5-year SSL certificate. That number has been reduced steadily from three to two, and then down to its current maximum validity. The idea behind this is sound, even if a bit unwieldy at scale: the longer a certificate stays valid, the less reliable it is.
Think about it this way: an SSL/TLS certificate is what browsers use to verify the identity of a web server. The longer the duration between verifying that information, the less reliable that validation becomes. Think about how much can change over the course of just a year - companies fold, transactions and mergers occur, domains get sold, companies evolve. To maintain the most reliable level of authentication, that information needs to be verified regularly.
Just how regularly is debatable. Google’s previous rep on the CA/B Forum stated the view that domain validation information should remain reliable for only six weeks.
Can We Expect Certificates to Go Down to, Say 30 Days, in the Foreseeable Future?
It’s too early to say at this stage, but if the history of SSL/TLS certificate validity periods is anything to go by, it’s not something we would rule out.
But for now, it’s time to kick off an earnest discussion around certificate lifecycle management in your organization and why ACME is a suitable solution.
Automation Just Went From a Want to a Need
Managing SSL/TLS certificates has always been a tedious drag. Anything more than just a handful requires deliberate planning, handling multiple validations, getting the certificates issued, getting them on the right servers, installing them, configuring them, making sure you’ve got reminders set for when they’re expiring – it is, in no uncertain terms, a huge pain in the ass.
And that was just worrying about it once per year. Now try multiplying that by four. Ouch. If your IT team resides on the second floor or higher in your building, you may need to nail shut their windows.
But there is an easier way to keep them from jumping (ship): ACME.
ACME is a protocol that facilitates communication between a CA and an agent installed on a web server. The agent manages the certificate request, domain validation, installation, and renewal for the websites on the server. As mentioned before, ACME was designed specifically with these timeframes in mind, and since its initial specification it’s been refined to facilitate more than just open-sourced domain-validated (DV) certificates.
No more manual domain validations. The agent does that for you. No more installations and configurations. The agent does that, too. And when a certificate is about to expire and needs replacing – you guessed it, the agent is on top of things.
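The renewal bookkeeping described above can be sketched as an inventory audit that measures each certificate against the 397-day and 90-day limits and decides whether it is due for replacement. This is an added example, not GlobalSign's or any ACME agent's code; the host names, dates and the renew-at-one-third-remaining threshold are assumptions chosen for illustration.

```python
import ssl
from datetime import datetime, timezone

CURRENT_MAX_DAYS = 397    # current CA/B Forum maximum cited above
PROPOSED_MAX_DAYS = 90    # proposed maximum cited above
RENEW_FRACTION = 1 / 3    # assumption: renew when a third of the lifetime remains

# Constructed inventory: host -> (notBefore, notAfter), in the text form
# printed by `openssl x509 -noout -dates`.
INVENTORY = {
    "www.example.test": ("Mar  1 00:00:00 2023 GMT", "Apr  1 00:00:00 2024 GMT"),
    "api.example.test": ("Apr 10 00:00:00 2023 GMT", "Jul  9 00:00:00 2023 GMT"),
    "old.example.test": ("Jan  1 00:00:00 2022 GMT", "Jun  1 00:00:00 2023 GMT"),
}

def _utc(cert_time):
    """Parse an OpenSSL-style certificate time into an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)

def assess(not_before, not_after, now):
    """Classify one certificate by total lifetime and time left at `now`."""
    start, end = _utc(not_before), _utc(not_after)
    lifetime = (end - start).days
    remaining = (end - now).days
    if end <= now:
        status = "expired"
    elif remaining <= lifetime * RENEW_FRACTION:
        status = "renew"
    else:
        status = "ok"
    return {
        "lifetime_days": lifetime,
        "remaining_days": remaining,
        "status": status,
        "over_current_max": lifetime > CURRENT_MAX_DAYS,
        "over_proposed_max": lifetime > PROPOSED_MAX_DAYS,
    }

def audit(inventory, now):
    """Assess every (notBefore, notAfter) pair in the inventory."""
    return {host: assess(nb, na, now) for host, (nb, na) in inventory.items()}

if __name__ == "__main__":
    today = datetime(2023, 5, 15, tzinfo=timezone.utc)  # constructed "today"
    for host, result in audit(INVENTORY, today).items():
        print(host, result)
```

Run against a real inventory, the `over_proposed_max` flag shows which certificates would have to move to a shorter cycle, and `status` shows which ones an automated agent would already be replacing.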
How Can GlobalSign’s ACME Service Help Automate My SSL/TLS Certificates?
GlobalSign’s ACME service is an agent-agnostic, low-leverage automation solution that eliminates tedious work for your IT team and saves your organization money. GlobalSign’s ACME service can issue both domain-validated (DV) and organization-validated (OV) SSL/TLS certificates. Plus, it’s backed by all the experience, support and Service Level Agreements (SLAs) that make GlobalSign one of the most highly respected Certificate Authorities and Qualified Trust Service Providers in the world. Customers can purchase certificate packs and manage everything through the Atlas portal, allowing for full automation of all the SSL/TLS certificates on your network.
Editor's Note - this blog was originally published in March 2023 and was updated in May 2023.