Google’s announcement that it intends to reduce the lifespan of Transport Layer Security (TLS) certificates from 398 days to 90 days continues to be a hot topic of discussion among information security professionals, especially those directly involved in replacing and updating certificates. It is particularly frustrating because, although the change was proposed in April 2023, there is still no confirmed date for its implementation. However, Chrome browsers account for just over 50% of all UK web traffic (Statista), so there is no avoiding the impact it will have.
The longer an SSL/TLS certificate is valid, the less reliable it becomes. Until recently, a certificate could remain valid for up to 5 years. However, companies are bought and sold, website ownership or management is transferred, and directors change.
Google’s 90-day TLS certificate validity is part of a broader effort to enhance internet security and protect online reputations. Websites must be trustworthy to retain consumer confidence in e-commerce and data protection. Shorter certificate lifespans significantly reduce the window in which a compromised certificate remains usable and ensure that cryptographic standards are updated more frequently.
There’s no doubt it’s a positive move and will strengthen your cyber posture. However, as with all major enforced changes, Google’s 90-day TLS certificate limit should be treated as a fundamental change in the way you will manage your certificates in the future, and prepared for accordingly.
No one outside of Google seems to know when the change will take effect. It was originally scheduled for April 2024, but this seems to have been pushed back to September 2024 at least. Google is strongly committed to its 90-day cybersecurity response window and has already implemented a 90-day deadline for vulnerability disclosures. Therefore, it is highly likely that the certificate lifespan reduction will occur soon.
In our opinion, the answer is automated certificate management. Once that is in place, the length of the renewal window becomes irrelevant.
We might not know when this will happen, but preparing in advance offers immediate benefits for your cyber posture and process management that go beyond what Google is planning. Here are some critical actions to consider:
Automating certificate renewals is crucial because they will happen far more frequently. It’s important to invest in automated certificate management solutions that can handle the entire lifecycle of your certificates, from discovery and issuance to renewal and revocation. Automated systems significantly reduce the risk of human error and ensure timely renewals, minimising the chances of unexpected expirations and outages.
Perform a thorough audit of all certificates across your organisation. Identify legacy wildcard certificates and assess their necessity and security implications. This audit will provide a clear picture of your certificate landscape and help you prioritise renewal efforts.
Implement tools that offer real-time visibility and monitoring of your certificate estate. Continuous monitoring can alert you to impending expirations and potential vulnerabilities, allowing you to address issues before they escalate into significant problems.
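As an added illustration of the audit and monitoring steps above (example code, not from the original article or from any vendor mentioned in it), the script below triages certificate records in the dictionary form returned by Python’s `ssl` module: it computes days to expiry, flags certificates inside an alert window, identifies wildcard certificates for the legacy audit, and marks any whose lifetime exceeds the proposed 90-day limit. The sample inventory, the 30-day alert window and the `AS_OF` date are constructed assumptions.

```python
import ssl
import socket
from datetime import datetime, timezone

ALERT_DAYS = 30         # assumption: alert this many days before expiry
NEW_MAX_LIFETIME = 90   # the proposed Chrome limit discussed in the article

def fetch_peer_cert(host, port=443, timeout=5):
    """Fetch a live certificate in getpeercert() form (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def triage(cert, now):
    """Return findings for one getpeercert()-style record as of `now`."""
    # ssl.cert_time_to_seconds parses the 'Jan  5 09:34:43 2018 GMT' format
    not_before = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    lifetime = (not_after - not_before).days
    days_left = (not_after - now).days
    return {
        "names": names,
        "lifetime_days": lifetime,
        "days_left": days_left,
        "expiring_soon": days_left <= ALERT_DAYS,
        "wildcard": any(n.startswith("*.") for n in names),
        "exceeds_90_days": lifetime > NEW_MAX_LIFETIME,
    }

def renewal_plan(certs, now):
    """Triage every record and return findings ordered by urgency."""
    return sorted((triage(c, now) for c in certs), key=lambda f: f["days_left"])

# Constructed sample inventory: a 398-day certificate and a 90-day wildcard
SAMPLE_CERTS = [
    {"subjectAltName": (("DNS", "www.example.test"),),
     "notBefore": "Jan  1 00:00:00 2024 GMT", "notAfter": "Feb  2 00:00:00 2025 GMT"},
    {"subjectAltName": (("DNS", "*.example.test"), ("DNS", "example.test")),
     "notBefore": "Jan  1 00:00:00 2025 GMT", "notAfter": "Apr  1 00:00:00 2025 GMT"},
]
AS_OF = datetime(2025, 1, 15, tzinfo=timezone.utc)   # constructed "today"

if __name__ == "__main__":
    for finding in renewal_plan(SAMPLE_CERTS, AS_OF):
        print(finding)
```

Replacing `SAMPLE_CERTS` with the output of `fetch_peer_cert()` for each host in your inventory turns this into a scheduled expiry check.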
Ensure that your security and IT teams are well-informed about the upcoming changes and their implications. Provide training on the use of automated management tools and the importance of maintaining robust certificate practices. A well-prepared team is essential for a smooth transition to the new 90-day certificate regime.
Certificate management is a specialised and relatively new area of expertise. Partnering with a cybersecurity specialist to implement certificate automation, or to review your processes before the 90-day limit arrives, can streamline implementation and ensure that the change is integrated seamlessly into your team’s existing processes.
FullProxy’s cyber specialists partner with AppViewX to implement a full suite of certificate management automation solutions. Ask for a no-obligation demo today.
Minimise your security risk.
Maximise your return on investment.