At the most recent CA/B conference in early March, Google announced its intention to "Move Forward, Together" by reducing the maximum certificate validity period for all publicly trusted SSL/TLS certificates to 90 days. Although the exact timing is still unknown, this change, as many believe, is likely to take effect by the end of 2024. However, as of yet, CA/B has not discussed, proposed, or voted on Google's plan, and the vote on shortening certificate validity is estimated to take six months to a year to conclude. It is worth mentioning that even if this proposal is not passed, Google can still unilaterally enforce this change. By communicating its intent, Google aims to give the industry and certificate consumers time to prepare for the inevitable transition and the potential consequences that may follow.

Why A Short Certificate Validity?

All right. It is not an unforeseen thing that the validity period of certificates is getting shorter and shorter. Over the years, as has often been the trend, the maximum validity period for certificates has been shortened from three years to two years, and now to one year (technically 13 months). So, why does Google adopt a shorter certificate validity period?

A shorter expiration date improves security.
Shortening the validity period of SSL/TLS certificates can enhance security and enable vendors to update the certificate ecosystem more efficiently, leading to improved overall security. According to Google, “Reducing certificate lifetime encourages automation and the adoption of practices that will drive the ecosystem away from baroque, time-consuming, and error-prone issuance processes.” By implementing these changes, there’s no doubt we’ll see a faster adoption of emerging security capabilities and better practices, as well as q quicker transition towards quantum-resistant algorithms with higher agility requirements. A shorter validity period will also mitigate reliance on flawed revocation checking solutions that cannot fail-closed when “broken” conditions are found.

What to Expect If 90-day Certificates Go into Effect?

While a shorter validity period can enhance security, it poses a significant challenge for enterprises and their IT security teams. Although organizations can still manually manage certificates valid for up to 90 days using spreadsheets and notification, any resulting harm must also be borne by the enterprise. Compared to updating and deploying SSL certificates once a year, certificates with a 90-day validity period will increase the management difficulty for enterprises fourfold, requiring hundreds or thousands of certificates to be manually processed four times a year. This is a daunting task that is almost impossible to accomplish manually.

In addition, manual certificate management is prone to errors and downtime. The significant increase in workload caused by the shorter certificate validity period is likely to raise the risk of human error, leading to certificate outages. According to DigiCert's 2021 global study, the average enterprise manages 50,000 known certificates, and yet almost every enterprise discovers malicious certificates that are not being managed, often during outages. In the 2022 State of the Digital Newcomer report, 47% of consumers said they switched providers because of a lack of trust.

Therefore, Google's behavior is actually explaining to people: automation has changed from a want to a must.

Automation is Urgent

Managing SSL/TLS certificates has always been a tedious task. However, automating the lifecycle management process can help track and renew certificates automatically, reducing the risk of human error and certificate expiration. Regular monitoring of certificates also ensures smooth operation and maintenance of SSL/TLS infrastructure.

Unified Certificate Manager (UCM) is a user-friendly digital certificate lifecycle management system developed by NicSRS. It supports cloud, on-premises, and hybrid deployment models, and provides a range of operations such as applications, deployments, monitoring, alerts, and renewals. UCM also supports API automatic application and download of certificates, automatic SSL certificate monitoring, recycling, re-update, and other operations for full life cycle management services. This helps enterprises avoid outages and breaches caused by incorrect usage or renewal of certificates. With Google's latest announcement, the launch of UCM by NicSRS couldn't be more timely.

If you are concerned about the upcoming shorter SSL certificate life cycle, NicSRS can help you implement a comprehensive SSL certificate management strategy to better cope with this change. Feel free to contact us for professional help.