Preparation for 90-Day SSL/TLS Certificates by Leading Certificate Authorities: DigiCert, GlobalSign, and Sectigo
Ishit Shah

Mar 05, 2024

Reduction of the lifespan of SSL/TLS certificates has been an ongoing effort in recent years—moving from 5 years to 3, then 3 years to 2, 2 years to 1, and now targeting a maximum validity of 90 days. This imminent change prompts us to assess how major players will adapt, but first, let's evaluate the change itself.

When can we expect Google to implement this change?

As per what we last heard, Google is discussing these changes with other certificate authorities, but no specific deadlines are set yet.

Google wants to make sure these changes happen, either through discussions with certificate authorities or by updating their Chrome browser requirements. This means websites will need to follow the new rules.

For security teams, managing certificates with shorter lifespans will become important. But some people question whether 90 days is the right amount of time. It's not clear if shorter lifespans will really make things safer. We need to find better ways to encourage websites to update their certificates quickly when needed. Let's talk about how to make the web safer for everyone.

What makes a shorter certificate validity period more secure?

A few years ago, SSL certificates could last up to five years, but now they're shorter. This change makes sense because longer certificates become less reliable over time.

SSL certificates help browsers verify websites. If they're valid for too long, they might not reflect the current state of a website. Companies change, domains get sold, and things evolve. So, it's better to check more often.

Some experts suggest that the certificate should be reliable for only six weeks. But is 90 days enough? Maybe not. Even after this change, certificates might still be compromised. Plus, moving to 90-day certificates might not make the web safer or more flexible.

ACME - the solution to your inquiries. What exactly is it, and how does it ease the challenges of certificate lifecycle management (CLM)?

ACME is a protocol that was developed years ago to ease certificate lifecycle management when the validity was shrunk from 5 years. With the maximum validity changing to 90 days, it will become a necessity rather than a feature.

People would want to move towards a certificate authority that provides automation.

Have you ever wondered why you have to set up Let's Encrypt certificates only once? Because they support ACME; in fact, they promote automation rather than manual renewal every time a certificate expires. Let's Encrypt has been issuing certificates valid for 90 days only, which get renewed automatically.

It is still new for many users to digest that a certificate can currently be issued with a maximum validity of 1 year. It would be a disaster for them to learn that it is going to be shrunk even further to 90 days, which will make customers change their certificates 4 times more often.

Could we expect further reductions in certificate validity, perhaps down to 30 days or even 7 days?

It is very early to confirm, but the possibility exists. DigiCert already offers the option for certificates with a minimum validity of 7 days, so the idea of shorter durations in the future isn't far-fetched.

Users who once encountered 5-year certificates may not have imagined a time when the maximum validity would be reduced to 1 year. Yet, we now face an impending shift to 90-day validity periods. Thus, considering validity periods as short as 30 days or a week may simply be a matter of time.
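As an added illustration (not code from this article or from any certificate authority named in it), the Python example below audits a certificate inventory with two renewal rules: one that renews after a fraction of each certificate's own lifetime, and a fixed "30 days before expiry" window of the kind used with 1-year certificates. The hostnames and dates are constructed, and the two-thirds fraction and 30-day window are assumptions; the comparison shows why a fixed window stops working once validity drops to 7 days.

```python
import ssl
from datetime import datetime, timedelta, timezone

# Constructed inventory (hostnames and dates are made up): notBefore/notAfter
# strings in the format printed by `openssl x509 -noout -dates`.
INVENTORY = {
    "shop.example.test":   ("Jan  1 00:00:00 2024 GMT", "Dec 31 00:00:00 2024 GMT"),  # 365 days
    "api.example.test":    ("Jan 10 00:00:00 2024 GMT", "Apr  9 00:00:00 2024 GMT"),  # 90 days
    "edge.example.test":   ("Mar 10 00:00:00 2024 GMT", "Mar 17 00:00:00 2024 GMT"),  # 7 days
    "legacy.example.test": ("Nov 20 00:00:00 2023 GMT", "Feb 18 00:00:00 2024 GMT"),  # 90 days, lapsed
}


def parse_cert_time(text):
    """Convert an X.509 validity string to an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), tz=timezone.utc)


def proportional_status(not_before, not_after, now, renew_fraction=2 / 3):
    """Renew once renew_fraction of the certificate's own lifetime has elapsed.

    The 2/3 default is an assumption (day 60 of a 90-day certificate).
    """
    start, end = parse_cert_time(not_before), parse_cert_time(not_after)
    if end <= start:
        raise ValueError("notAfter must be later than notBefore")
    if now >= end:
        return "EXPIRED"
    return "RENEW" if now >= start + (end - start) * renew_fraction else "OK"


def fixed_window_status(not_after, now, window=timedelta(days=30)):
    """Fixed rule: renew when no more than `window` remains, whatever the lifetime."""
    end = parse_cert_time(not_after)
    if now >= end:
        return "EXPIRED"
    return "RENEW" if end - now <= window else "OK"


def audit(inventory, now):
    """Return {host: (proportional, fixed_window)} for every certificate."""
    return {
        host: (proportional_status(nb, na, now), fixed_window_status(na, now))
        for host, (nb, na) in inventory.items()
    }


if __name__ == "__main__":
    for host, result in audit(INVENTORY, datetime(2024, 3, 12, tzinfo=timezone.utc)).items():
        print(f"{host:22} proportional={result[0]:8} fixed-30d={result[1]}")
```

Under the fixed window, the 7-day certificate is flagged for renewal from the moment it is issued, so an automated client would request a new certificate on every run.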

Now let's look at what major certificate authorities have to say about this change.

1. GlobalSign:

GlobalSign’s ACME service is a simple automation tool that helps your IT team work more efficiently and saves your organization money. It can issue both domain-validated (DV) and organization-validated (OV) SSL/TLS certificates. Additionally, GlobalSign has a lot of experience and support to help you. You can buy certificate packs and manage everything using the Atlas portal, making it easy to automate all your SSL/TLS certificates.

2. Sectigo, previously known as ComodoCA.

Sectigo offers the Sectigo Certificate Manager (SCM) to help with the transition to automation. SCM is a reliable tool designed to automate the lifecycle of all digital certificates, no matter where they come from. Here's what SCM provides:

- It supports the Automated Certificate Management Environment (ACME) protocol.

- It works with the Secure Certificate Enrollment Protocol (SCEP).

- It supports Enrollment Over Secure Transport (EST).

- SCM has its own automation tool, allowing for the management of certificates across different systems, such as Apache Tomcat, Windows IIS web servers, and F5 Big-IP load balancers.

- For stronger integration, companies can use Sectigo's REST API.

- SCM integrates with various technology vendors, enabling IT teams to automate the issuance and management of Sectigo digital certificates alongside others from different Certificate Authorities, including Microsoft Active Directory Certificate Services (ADCS), AWS Cloud Services, and Google Cloud Platform (GCP).

- SCM also integrates with popular DevOps platforms like Kubernetes, Docker, HashiCorp, and several others, including leading Load Balancer platforms such as Amazon, Google, F5, A10 Networks, and Kemp, popular CDNs like Akamai and Amazon, and even applications like Microsoft Teams and Slack.

3. DigiCert:

DigiCert offers innovative solutions like Multi-year Plans for automated renewal and the DigiCert® Trust Lifecycle Manager for centralized certificate management and PKI services. Unlike others, it combines CLM and PKI services for comprehensive security and compliance.

The CertCentral platform offered by DigiCert is a robust and future-ready certificate management solution.

In conclusion, the inevitable shift to 90-day SSL/TLS certificates represents an important transformation in digital security management. With shorter certificate validity becoming the norm, the industry must prioritize adaptability and automation in certificate management practices. The introduction of automation protocols like ACME has streamlined certificate lifecycle management, underlining the need for staying updated with new technologies and standards. Leading Certificate Authorities such as GlobalSign, Sectigo, and DigiCert have proactively developed automation tools to address evolving industry requirements. As organizations prepare for shorter certificate cycles, the digital security landscape continues to evolve. By accepting automation and comprehensive certificate management solutions, businesses can ensure compliance, security, and meet the dynamic demands of the digital era. The move towards 90-day SSL/TLS certificates marks a crucial juncture.

Ishit Shah

With a solid 7-year tenure in the field of cybersecurity, Ishit Shah stands as a seasoned professional currently making significant contributions within a prominent cybersecurity company. Known for a keen passion for fortifying the digital world, Ishit has accumulated extensive experience and insights, becoming a valuable asset in the ongoing battle against evolving cyber threats. Their dedication to staying at the forefront of the industry ensures a continuous commitment to enhancing cybersecurity practices for a safer digital future.
