Certificate Lifespans Shrinking - Organizations Unprepared
Basically, organizations need to renew their security certificates more often now, and many aren't ready.
TLS certificate lifespans are being reduced significantly, pushing organizations to adapt quickly. Many are unprepared for the upcoming changes, risking operational disruptions. Immediate action is crucial to avoid potential issues and ensure compliance.
What Happened
The push for shorter TLS certificate lifespans has gained momentum over recent years. It began with Google advocating for 90-day certificates, which started to reshape industry standards. However, resistance from enterprise customers slowed this transition. Recently, Apple proposed even shorter 47-day certificates, reigniting discussions and prompting the CA/Browser Forum to establish a formal timeline. This new schedule reduces certificate validity from one year to 200 days, then to 100 days, and eventually to 47 days over a few years.
This shift places significant pressure on organizations to revamp their purchasing models and operational processes for managing certificates. John Murray from GlobalSign emphasizes that browsers want organizations to be able to revoke and replace certificates quickly. Unfortunately, many organizations lack the necessary processes and tools to manage these changes effectively, especially smaller businesses that may be caught off guard.
Who's Affected
Larger enterprises are somewhat ahead in adapting to these changes due to dedicated PKI teams and budgets for certificate lifecycle management tools. However, mid-market and smaller organizations, which represent a large portion of GlobalSign's customer base, are at risk. These organizations often do not have the resources to handle the upcoming changes effectively, leaving them vulnerable to operational disruptions.
The urgency to adapt is compounded by the fact that the first deadline for the new 200-day certificate validity is approaching. Organizations need to take immediate action to avoid potential outages and compliance issues.
What Data Was Exposed
While the article does not specifically mention exposed data, the implications of failing to manage certificates properly can lead to significant operational disruptions. An expired certificate can cause websites and services to become inaccessible, impacting customer trust and business operations. The shift to shorter lifespans also means that organizations will need to be more vigilant about tracking and renewing certificates to avoid lapses.
Organizations must also prepare for the eventual transition to post-quantum cryptography, which will require updating their certificate infrastructure. This means that the work they do now to adapt to shorter lifespans will also lay the groundwork for future cryptographic standards.
What You Should Do
To start addressing these challenges, organizations must prioritize discovery. Murray advises that the first step is to catalog all existing certificates. This inventory is crucial for understanding what certificates are in use, where they are located, and what platforms they operate on. Without this knowledge, automation and migration efforts will be severely hampered.
Organizations should consider adopting the Automated Certificate Management Environment (ACME) protocol, which can streamline the renewal process without requiring extensive resources. For larger environments, a comprehensive Certificate Lifecycle Management (CLM) solution may be necessary. Additionally, engaging with a trusted Certificate Authority (CA) that specializes in PKI can provide valuable insights and support. The time to act is now, as the window for preparation is narrowing rapidly.
Help Net Security