Short-Lived Digital Certificates Are Taking Over

One reason organizations like yours have benefited from using digital certificates is the longevity of the technology itself. Because certificates have been in use for decades, they are widely supported and easy to integrate with business systems and applications, without the compatibility woes you may face with newer technologies. Even at their relatively distinguished age, certificates still provide strong security: the public-key algorithms underneath PKI remain sound.


Just because certificates have been around for a while, however, doesn’t mean that the way we use them has stayed exactly the same. In fact, we’re right in the middle of a major transition that may have implications for how you use and manage certificates in your organization. Lifespans for certificates are getting shorter—way shorter—and that’s a good thing.

The transition to short-lived certificates is backed by industry authorities and major corporations who recognize their security advantages. They’re edging out the certificates of the past, whose multi-year lifespans allowed administrators to tick off their renewal box once every few years (or forget about them entirely, leading to outages).

The momentum behind shortening certificate lifespans has increased in recent years:

2015: Mozilla begins to support short-lived certificates, citing speed and security advantages.
2016: The CA/Browser Forum's Baseline Requirements prohibit the issuance of subscriber certificates with validity periods longer than 39 months, "regardless of circumstance".
2017: The CA/Browser Forum's Baseline Requirements prohibit the issuance of new certificates with validity periods longer than 825 days.
2019: Google proposes limiting the lifespan of TLS certificates to one year.
2020: Apple limits the lifespan of TLS certificates issued on or after September 1, 2020 to no more than 398 days.

Long lifespans are getting shorter, while very short lifespans of 24 to 72 hours are becoming increasingly common. Part of the case against long-lived certificates is performance: a certificate that stays valid for years can only be taken out of service early through revocation, so clients have to consult CRLs or OCSP responders during the handshake, which adds round trips and slows connection setup. Most of the case is security: revocation checks are frequently skipped or soft-failed, so when the private key behind a long-lived certificate is compromised, the certificate can remain usable for months, opening the door to breaches. A short-lived certificate bounds that window; a compromised one is likely to expire before criminals can do much damage with it.

Forcing long-lived certificates into retirement makes sense from a variety of perspectives, but it retires some habits too. When certificates must be renewed at much shorter intervals, the renewal workload in an old-style, home-grown tracking system (complete with manually updated spreadsheets or databases) becomes unmanageable. Missed expirations become inevitable, and the damage control after a service outage caused by an expired certificate can be extensive. Nor can IT staff spend all day tracking spreadsheets to update and manage certificates.

That’s why automation really is the only practical way to run short-lived certificates. An automated certificate lifecycle management system can be built from the Automated Certificate Management Environment (ACME) protocol together with tooling already available in the enterprise environment, without the complexity of hosting your own PKI infrastructure: an ACME client proves control of each name, requests the certificate, installs it, and repeats the process on a schedule well before expiry, so renewal no longer depends on a person remembering a date.
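Two of the points above translate directly into checks a certificate inventory should run: whether a certificate was issued with a validity period longer than policy allows, and whether it is already inside the window in which an ACME client would renew it. The Go program below is an added example written for this post, not code from HID Global or from any ACME client. It generates constructed self-signed certificates so it runs offline; the 398-day ceiling is the limit quoted above, while the one-third renewal fraction is an assumption modelled on common ACME client behaviour (renewing a 90-day certificate at day 60).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// MaxLifetimeDays is the 398-day ceiling the post cites for publicly trusted TLS
// certificates. RenewFraction is an assumption for this example: renew once the
// remaining validity drops below one third of the total, the rule many ACME
// clients apply to 90-day certificates (renew at day 60).
const (
	MaxLifetimeDays = 398
	RenewFraction   = 1.0 / 3.0
)

// Verdict is what an inventory scan records for one certificate.
type Verdict struct {
	LifetimeDays  int  // NotAfter - NotBefore, in whole days
	RemainingDays int  // NotAfter - now, in whole days (negative once expired)
	ExceedsPolicy bool // issued with a validity period longer than MaxLifetimeDays
	NeedsRenewal  bool // inside the renewal window, or already expired
	Expired       bool
}

// Assess applies the lifetime policy and the renewal rule to a parsed certificate.
func Assess(cert *x509.Certificate, now time.Time) Verdict {
	lifetime := cert.NotAfter.Sub(cert.NotBefore)
	remaining := cert.NotAfter.Sub(now)
	v := Verdict{
		LifetimeDays:  int(lifetime.Hours() / 24),
		RemainingDays: int(remaining.Hours() / 24),
		ExceedsPolicy: lifetime > time.Duration(MaxLifetimeDays)*24*time.Hour,
		Expired:       !now.Before(cert.NotAfter),
	}
	v.NeedsRenewal = v.Expired || remaining < time.Duration(float64(lifetime)*RenewFraction)
	return v
}

// AssessPEM is the entry point for scanning certificate files already deployed on hosts.
func AssessPEM(pemBytes []byte, now time.Time) (Verdict, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return Verdict{}, errors.New("no CERTIFICATE block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return Verdict{}, err
	}
	return Assess(cert, now), nil
}

// newSelfSigned builds a throwaway self-signed certificate with the requested validity
// window so the example runs offline. Real certificates would come from the CA via ACME.
func newSelfSigned(name string, notBefore time.Time, days int) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(time.Duration(days) * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	issued := time.Date(2020, 9, 1, 0, 0, 0, 0, time.UTC) // constructed issuance date
	for _, c := range []struct {
		name string
		days int
	}{{"legacy.example.com", 825}, {"acme.example.com", 90}} {
		cert, err := newSelfSigned(c.name, issued, c.days)
		if err != nil {
			panic(err)
		}
		pemBytes := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw})
		// Evaluate the same certificate at several points in its life.
		for _, elapsed := range []int{30, 61, 700} {
			v, err := AssessPEM(pemBytes, issued.Add(time.Duration(elapsed)*24*time.Hour))
			if err != nil {
				panic(err)
			}
			fmt.Printf("%-20s day %3d: %+v\n", c.name, elapsed, v)
		}
	}
}
```

Run it with `go run main.go`. The 825-day certificate is flagged as exceeding policy on the day it is issued, and at day 700 it still has 125 days of validity left for an attacker holding its key; the 90-day certificate is never out of policy, is inside the renewal window by day 61, and would already have been replaced by an ACME client long before day 700.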

Check out our white paper and on-demand webinar for more information on the transition to short-lived certificates and how updating and automating your approach to certificate lifecycle management can protect you from costly outages.


Mrugesh Chandarana is a Senior Product Manager, Identity and Access Management Solutions at HID Global, where he focuses on IoT and PKI solutions. He has more than 10 years of cybersecurity industry experience in areas such as Risk Management, Threat and Vulnerability Management, Application Security and PKI. He has held product management positions at RiskSense, WhiteHat Security (acquired by NTT Security), and RiskVision (acquired by Resolver, Inc.).