GlobalSign Advises Businesses to Be Prepared for Major PKI Changes Beginning This Autumn Through 2024
A leading Certificate Authority alerts industries about upcoming multiple cyber security developments in a market relied upon by millions of organizations worldwide
Boston and London, June 20, 2023 – Later this year, and into 2024, there will be significant changes within the Public Key Infrastructure (PKI) marketplace and organizations of all types should be aware of these changes according to GMO GlobalSign, Inc., a global Certificate Authority (CA) and leading provider of identity security, digital signing and IoT solutions. These significant changes involve several critical areas: Google’s move to reduce the lifespan of SSL/TLS certificates, new CA/Browser Forum Baseline Requirements for email security, and mandatory Root changes issued by Mozilla. The upcoming changes will create significant impact on industries who are using PKI – relied on millions of businesses worldwide. These shifts will require companies to adapt their PKI to ensure continued security compliance.
Transition to 90-Day SSL/TLS Certificates
Organizations relying on PKI need to be informed of Google’s announcement on March 3, proposing a mandatory maximum validity limit of 90 days on SSL/TLS certificates. The current lifecycle of SSL/TLS certificates is 398 days. Companies are strongly advised to evaluate their certificate lifecycle processes now and be prepared for these changes to remain secure. These developments may force businesses to restructure their IT Infrastructure and have new technologies in place, specifically automation to ensure continued certificate lifecycle management.
“Website admins will need to move towards automation if/when the Google proposed 90-day maximum certificate validity and domain re-use goes into effect. It’s going to become increasingly difficult to replace certificates using manually generated CSRs and subsequent certificate installations as the validity period and domain revalidation periods shorten,” said Doug Beattie, Vice President, Product Management, GlobalSign. “Technologies such as GlobalSign’s ACME offering helps automate certificate lifecycle functions and reassures certificates are being automatically replaced using fully automated processes before they expire. This keeps companies secure and prevents their websites from using expired certificates which results in loss of business.”
S/MIME Baseline Requirements Changes
In January, the CA/B Forum, a consortium of browser makers, certificate authorities, and other organizations in the digital certificate ecosystem, agreed on a new set of standards called the “Baseline Requirements for the Issuance and Management of Publicly-Trusted S/MIME Certificates” to provide the detailed industry requirements for S/MIME certificates. The new standards result in a change that will be effective on September 1. This will mean standardized certificate profiles which will require additional organizational or individual validation and, in some cases, CAs will need to replace their current S/MIME CAs with new, compliant ones. Having an industry standard for S/MIME certificates improve interoperability and security and parallels what’s been done for TLS and Code Signing certificates.
Mozilla Plans to Distrust Old Root Certificates
Mozilla has announced plans to remove the SSL/TLS and S/MIME trust bits in Roots when they are 15 and 18 years old respectively. The step is being taken because some of the older Roots do not meet current Root requirements and to promote cryptographic agility. The GlobalSign Root R1 and R3 will have their SSL/TLS trust bits removed in April 2025 and April 2027 respectively. As a result, we will stop issuing SSL/TLS certificates under these Roots in 2024 and 2026. Further details about GlobalSign’s plans will be available later this year.
Experience, Knowledge and Reliability
With 27 years of expertise GlobalSign is your reliable source for recommendations, regardless of an organization’s size, on how best to navigate these significant industry changes. Given that companies using PKI do not have any choice in the changes being made to public certificates, it is a critical for businesses to adjust their PKI security and automation posture as soon as possible to remain resilient.
Beattie added: “We understand the worries these changes create, especially with smaller companies. But there is a silver lining: At GlobalSign, we are prepared to take every customer step-by-step on this journey and they can be assured we will equipe them with the methods and services it requires whether they are an enterprise, SMB or Service Provider. That way it allows every business to operate in a similar way in the future, to how they do business today without the impact of these changes being so dramatic.”
About GMO GlobalSign
As one of the world’s most deeply-rooted certificate authorities, GMO GlobalSign is the leading provider of trusted identity and security solutions enabling businesses, large enterprises, cloud-based service providers, and IoT innovators worldwide to conduct secure online communications, manage millions of verified digital identities and automate authentication and encryption. Its high-scale Public Key Infrastructure (PKI) and identity solutions support the billions of services, devices, people, and things comprising the IoT. GMO GlobalSign is a subsidiary of GMO GlobalSign Holdings, Inc, a member of the Japan-based GMO Internet Group, and has offices in the Americas, Europe and Asia. For more information, visit https://www.globalsign.com.
Media Relations Contact
Amy Krigman,
Director of Public Relations, West Region
amy.krigman@globalsign.com
978-835-5393