In 2020, Google enforced a maximum certificate lifetime of 398 days (13 months) for Transport Layer Security (TLS) certificates. However, this time span still leaves a lengthy window in which an attacker who has compromised a certificate can exploit it.
In April 2024, Google shortened the maximum lifetime of the certificate validity period it was willing to accept to 90 days to mitigate this threat.
The impact on all website owners is considerable. For your public TLS certificates to remain trusted, you must now implement automated processes that renew them far more frequently. Separately, in August 2023, the Certification Authority (CA) Browser Forum approved the use of short-lived certificates for TLS use cases.
Short-lived certificates may sound like bad news. They add a burden to application owners who do not adopt automation, but they also bring real benefits.
New vulnerabilities are being discovered all the time, and post-quantum cryptography (PQC) is on the horizon. Replacing your endpoint certificates frequently gives you the option to change the cryptographic scheme your applications use, so that new certificates can adopt the latest cryptographic schemes as soon as trust service provider (TSP) and CA products support them.
Closely related to crypto-agility, more frequent certificate renewal also helps with CA and TSP agility. Application owners and crypto centres of excellence can easily switch between providers to suit their needs in terms of cryptography, pricing and the technology on offer from the CA or TSP.
The need to revoke a certificate, whether because of operational cessation or key compromise, is a primary aspect of good certificate management. CAs are obliged to retain revocation events on a certificate revocation list (CRL) until the certificate would otherwise have expired.
With long-lived certificates, CRLs can become lengthy. This has knock-on effects: CRL download times increase and page load speed for a web server slows. Shorter-lived certificates keep CRL sizes small, which speeds up revocation checks and improves web server load times.
Given the shorter lifetime for certain certificates in specific use cases, adopting robust practices around certificate reporting, scanning and renewals is essential.
Clients aware of Public Key Infrastructure (PKI) can use tools to fully automate certificate renewal, rekey and provisioning without deploying third-party proprietary software. These include:
All good security practitioners endorse regular key rotation and management to avoid private key compromise. Short-lived certificates aid the rotation and renewal of the private keys used by clients. This should be coupled with CAs checking that clients cannot reuse private keys.
Certificates with shorter lifetimes increase security for the web and for document and transaction signing. This relies on organisations adopting the right tools to manage renewals for PKI-enabled endpoints, giving certificate owners good visibility and ensuring that the right signature type is used.
Ascertia Certificate Locator
The average business has a variety of IT asset suppliers. They will include:
The same is also true for IT security and security services. Now, some might automatically assume that digital security and digital certificates would all follow the same procurement process as the rest of the organisation. Unfortunately, that is not always the case.
Shadow IT plagues the most vigilant of organisations. This is where a department or team procures or sets up a system without the involvement of the IT team. This often happens in IT security, where organisations only discover that an application has gone down because of an expired certificate—one that no one in the IT team was aware of. Why? Because it wasn’t purchased from a corporate-approved supplier, on a credit card by the team lead or developer.
This may sound perfectly acceptable to some. But take a step back and think about how many times this can potentially happen, and then think about the consequences.
Corporate suppliers are selected for several reasons, including:
ADSS Web RA Server’s latest product feature, 'Certificate Locator', provides organisations with the essential tools needed to provide full visibility of certificates that have been issued to:
Simply use the Certificate Locator scanner to scan an endpoint, or a selection of endpoints, to get an instant view of all installed and in-use certificates.
Certificate Locator provides a central administrative console for certificates, organising them by a variety of advanced filters, grouping certificates by:
After operators assign certificates to owners, they will receive email notifications about expiry events, as well as automated reporting on non-compliance issues, such as weak key sizes and algorithms.
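The reporting practices described earlier and the expiry and weak-key notifications above boil down to a few checks per certificate. The following is an added example of those checks, not Ascertia's code or part of Certificate Locator: it lints a certificate against a maximum lifetime (398 or 90 days, as on this page), flags expiry within an assumed 30-day window and rejects RSA keys below an assumed 2048-bit minimum, using a constructed self-signed certificate as input.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

const day = 24 * time.Hour

// Lint reports policy findings for one certificate: a lifetime beyond maxLife (398 or 90 days on this
// page), under 30 days left before NotAfter (negative means already expired) and an RSA key below minRSABits.
func Lint(c *x509.Certificate, maxLife time.Duration, minRSABits int, now time.Time) (out []string) {
	if life := c.NotAfter.Sub(c.NotBefore); life > maxLife {
		out = append(out, fmt.Sprintf("lifetime %d days exceeds policy maximum of %d days", life/day, maxLife/day))
	}
	if left := c.NotAfter.Sub(now); left < 30*day {
		out = append(out, fmt.Sprintf("%d days until expiry: renew now", left/day))
	}
	if pub, ok := c.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < minRSABits {
		out = append(out, fmt.Sprintf("weak RSA key: %d bits (policy minimum %d)", pub.N.BitLen(), minRSABits))
	}
	return out
}

// selfSigned builds a constructed self-signed certificate so the example runs offline (a real scan loads installed certs).
func selfSigned(bits int, notBefore time.Time, validFor time.Duration) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: notBefore, NotAfter: notBefore.Add(validFor)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	nb := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	c, err := selfSigned(1024, nb, 400*day) // constructed: a 400-day certificate on a 1024-bit key
	if err != nil {
		panic(err)
	}
	fmt.Println(Lint(c, 398*day, 2048, nb)) // lifetime and weak-key findings
}
```

Feeding the same `Lint` call a 90-day maximum instead of 398 is all that changes when the policy tightens; the renewal warning and key-size check stay the same.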
Certificate Locator also supports certificate linting, which lets certificate owners check the certificates they manage. This confirms that the issuing CA keeps up with the latest standards and templates governing certificate issuance and management for specific use cases. For example, compliance with:
By combining ADSS Web RA Server with ADSS Server, you unlock the power of automated certificate management. ADSS Server provides external CA connectors for the market’s leading PKI products.
After Certificate Locator finds a certificate and an operator assigns it to a user, there is also the option to fully automate the management of any certificate on a client machine or server with a PKI-enabled client.
Full, automated certificate lifecycle management is supported for any PKI-enabled client that supports:
Web RA and Web RA Certificate Locator give organisations a centralised tool for managing, reporting on and notifying certificate owners about all digital certificate statuses.