Transport Layer Security (TLS) is one of the most widely used tools for keeping users safe on the internet. Automating TLS certificate management helps organizations use TLS more reliably and consistently, reducing the need for human intervention and the risk of human error. Over the years, Google has repeatedly argued for greater agility and resilience through automated certificate management. Most recently, Google announced its intent to limit TLS certificate validity to 90 days, substantially shorter than the 398-day maximum currently set by the CA/Browser Forum. If your organization has not yet embraced automated TLS certificate management, it is probably time to do so, before shorter lifetimes make manual renewal unworkable.
5 Reasons Google Is Limiting TLS Certificate Validity to 90 Days
Limiting TLS certificate validity is not a new idea: Let’s Encrypt has issued certificates with 90-day validity since it launched. In practice, the two- and even three-year validity periods that were once allowed are difficult to manage; most of us have seen a browser “site not trusted” warning on a web page whose TLS certificate has expired. Google and other major players in the web security ecosystem propose shortening TLS certificate validity to 90 days for several key reasons.
1. Improved Security
A shorter TLS certificate validity period limits the window of opportunity for a compromised or mis-issued certificate to be exploited by malicious actors. If a TLS certificate is compromised, the shorter lifespan means it will be active for a shorter period, reducing potential damage.
2. Automated TLS Certificate Management
The push for shorter certificate lifetimes goes hand in hand with automated certificate management: the Automatic Certificate Management Environment (ACME) protocol and the clients that implement it, such as Certbot, can request, renew, and deploy certificates without an operator. This removes most of the manual workload and the most common human error, forgetting to renew a certificate.
3. Rapid Adaptation to Changes
Technology and security standards evolve quickly. Shorter TLS certificate validity lifetimes ensure that certificate re-issuance happens more frequently, allowing organizations to adapt to new cryptographic standards and practices more swiftly.
4. Reduced Reliance on Revocation
Certificate revocation mechanisms (CRLs and OCSP) are not always reliable or timely in blocking access to sites with revoked certificates, and many clients fail open when a revocation check cannot be completed. Shorter TLS certificate lifetimes naturally reduce reliance on these mechanisms, because a compromised certificate expires on its own sooner.
5. Compliance and Web Security Best Practices
Shortening TLS certificate validity encourages organizations to adhere closely to web security best practices, including regular updates and audits of their cryptographic assets. This proactive stance helps in maintaining a more secure and trustworthy web environment.
By advocating for 90-day TLS certificate lifetimes, Google and others aim to create a more secure, agile, and automated web ecosystem where the risks associated with certificate mismanagement and compromise are significantly reduced.
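The practical consequence of reasons 1 and 2 is that every certificate in an estate needs a renewal date and a check against the validity ceiling, not just an expiry alarm. The following Python is an added example, not code from the original article: it audits a constructed inventory, schedules renewal at two thirds of each certificate's lifetime (the convention Let's Encrypt uses for its 90-day certificates, renewing at day 60), and flags certificates whose lifetime exceeds a policy maximum, defaulting to the proposed 90 days. The hostnames and dates are invented for the illustration.

```python
from datetime import datetime, timedelta, timezone

MAX_VALIDITY = timedelta(days=90)   # proposed ceiling; 398 days is today's CA/Browser Forum limit
RENEW_AT = 2 / 3                    # renew once two thirds of the lifetime has elapsed


def check_certificate(not_before: datetime, not_after: datetime, now: datetime,
                      max_validity: timedelta = MAX_VALIDITY,
                      renew_at: float = RENEW_AT) -> dict:
    """Classify one certificate's renewal state and flag policy violations."""
    lifetime = not_after - not_before
    result = {
        "lifetime_days": lifetime.days,
        "exceeds_policy": lifetime > max_validity,
        "renew_on": not_before + lifetime * renew_at,
    }
    if lifetime <= timedelta(0):
        result["status"] = "malformed"       # notAfter is not later than notBefore
    elif now < not_before:
        result["status"] = "not-yet-valid"   # clock skew or a mis-issued certificate
    elif now >= not_after:
        result["status"] = "expired"
    elif now >= result["renew_on"]:
        result["status"] = "renew-now"
    else:
        result["status"] = "ok"
    return result


def audit(inventory: list, now: datetime) -> dict:
    """Run the check over (name, notBefore, notAfter) tuples; returns name -> result."""
    return {name: check_certificate(nb, na, now) for name, nb, na in inventory}


def _utc(*ymd) -> datetime:
    return datetime(*ymd, tzinfo=timezone.utc)


# Constructed inventory for the example (not real hosts or certificates).
SAMPLE_INVENTORY = [
    ("api.example.test",    _utc(2024, 5, 1), _utc(2024, 5, 1) + timedelta(days=90)),   # fresh 90-day cert
    ("legacy.example.test", _utc(2023, 9, 1), _utc(2023, 9, 1) + timedelta(days=398)),  # today's maximum
    ("old.example.test",    _utc(2024, 1, 1), _utc(2024, 3, 31)),                       # already expired
    ("broken.example.test", _utc(2024, 6, 1), _utc(2024, 5, 1)),                        # dates reversed
]
NOW = _utc(2024, 6, 1)

if __name__ == "__main__":
    for name, r in audit(SAMPLE_INVENTORY, NOW).items():
        flag = " EXCEEDS-POLICY" if r["exceeds_policy"] else ""
        print(f"{name:22} {r['status']:14} renew on {r['renew_on'].date()}{flag}")
```

Run against real data, the inventory would be built from the `notBefore`/`notAfter` fields of deployed certificates; the two-thirds rule leaves a 30-day window on a 90-day certificate, which is enough time to notice and fix a failed automated renewal before expiry.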
3 Automated TLS Certificate Management Options
Option 1: Use an Automation Tool Like ACME
ACME, published as an Internet Standard in RFC 8555, automates the issuance and renewal of TLS certificates, and free, open-source clients and servers that implement it are widely available. You can also drive certificate requests from Ansible or Terraform, but that requires more hand-built work than using an ACME client directly. The obvious upside of this approach is cost: the protocol and most clients are free to use. The downside is that an ACME client is not a complete management tool; inventory, monitoring, and ownership of certificates still have to be handled separately.
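To make concrete what ACME automates, here is an added example (not code from the article or from any ACME implementation) of the HTTP-01 challenge from RFC 8555 section 8.3, with both sides of the exchange: the client computes the key authorization (token, a dot, and the RFC 7638 thumbprint of its account key) and publishes it under `/.well-known/acme-challenge/`, and the CA fetches that resource and recomputes the expected value. The account keys, token, hostnames, and the in-memory web server are constructed for the illustration; the EC coordinates are placeholder bytes, not real curve points.

```python
import base64
import hashlib
import json
import re

# RFC 8555 section 8.3: a challenge token contains only base64url characters.
# Both sides refuse anything else before building a URL path from it.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required public members only,
    serialised with lexicographically ordered keys and no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint(account key).
    Binding the token to the account key is what stops a bystander who
    merely observes the token from completing the challenge."""
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("challenge token is not base64url")
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def client_publish(webroot: dict, token: str, account_jwk: dict) -> None:
    """Client side: publish the key authorization where the CA will look."""
    webroot[CHALLENGE_PREFIX + token] = key_authorization(token, account_jwk)


def ca_validate(fetch, domain: str, token: str, account_jwk: dict) -> bool:
    """CA side: fetch the challenge resource over plain HTTP (simulated by
    `fetch`) and compare it with the value the CA computes itself."""
    if not TOKEN_RE.fullmatch(token):
        return False
    body = fetch(domain, CHALLENGE_PREFIX + token)
    if body is None:
        return False
    return body.strip() == key_authorization(token, account_jwk)


# Constructed account keys; coordinates are placeholders, not real P-256 points.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": b64url(b"\x01" * 32), "y": b64url(b"\x02" * 32)}
ATTACKER_JWK = {"kty": "EC", "crv": "P-256",
                "x": b64url(b"\x03" * 32), "y": b64url(b"\x04" * 32)}


def demo() -> dict:
    """Run the exchange end to end against an in-memory web server."""
    webroots = {"example.test": {}}

    def fetch(domain, path):  # stands in for the CA's HTTP GET
        return webroots.get(domain, {}).get(path)

    token = "n2bMpTbXGLPuBt0ExVx0o6PxF4hcstUNgJwbUOOjw9Q"  # constructed token
    client_publish(webroots["example.test"], token, ACCOUNT_JWK)
    return {
        "legitimate": ca_validate(fetch, "example.test", token, ACCOUNT_JWK),
        # Same token, different account key: the published value does not match.
        "attacker_account": ca_validate(fetch, "example.test", token, ATTACKER_JWK),
        # Nothing was published for this host.
        "other_host": ca_validate(fetch, "other.test", token, ACCOUNT_JWK),
        # A token carrying path characters is rejected before any fetch.
        "bad_token": ca_validate(fetch, "example.test", "../../etc/passwd", ACCOUNT_JWK),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:17} {'valid' if ok else 'rejected'}")
```

A real client also signs every ACME request with the account key (JWS), which this example omits; the point shown is why the challenge response is a function of that key and not just of the token.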
Option 2: Use Only One Certification Authority (CA) with Their Management System
If your organization buys all of its TLS certificates from a single CA, you can use that CA’s certificate management service to make sure certificates are renewed before they expire. This may sound obvious, but centralized issuance is hard to achieve in larger organizations, where each business unit often has the autonomy to buy from a different provider; mandating a single provider is usually realistic only in smaller organizations.
Option 3: Registration Authority (RA) Products and Services
Consider investing in RA tools if you want full control over certificate issuance, expiration, and renewal but have several use cases that require a mix of public CAs and possibly an internal, private CA. These tools can manage multiple certificate types and automate issuance and renewal across all of them; examples include AppViewX, Venafi, and Sectigo. Their price tags generally scale with the number of certificates your organization manages, but the inventory, ownership tracking, and reporting they provide are capabilities a bare ACME client does not offer.
As of today, Google has not unilaterally implemented a policy to enforce a 90-day maximum TLS certificate validity period on the web. It’s important to monitor official announcements from Google and the CA/Browser Forum for future policy changes. As technology, security needs, industry consensus, and web security best practices evolve, policies around TLS certificate validity periods may be subject to further review and modification. By pursuing automated TLS certificate management today, you can prepare your organization for upcoming changes while improving web security best practices.