eMudhra's Digital Security Blog: Insights and Innovations

Navigating SSL/TLS Certificate Validity with emSign

Written by eMudhra Limited | Jul 4, 2023 3:40:00 AM

If you have not yet incorporated automated SSL/TLS certificate lifecycle management (CLM) into your operations, time may be running out. The long-running trend of shrinking SSL/TLS certificate lifespans has taken a new turn with Google's proposal to cut the maximum validity of publicly trusted certificates to 90 days. You may be wondering how this affects your organization and the wider industry, and what you can do to adapt. This post explains why automating SSL/TLS certificate management has gone from being a choice to a necessity.

  • ACME's Role in the Future of SSL/TLS Certificate Validity
  • Why is Shrinking Certificate Validity Beneficial?
  • Automation: From Luxury to Necessity

ACME's Role in the Future of SSL/TLS Certificate Validity

ACME, the Automated Certificate Management Environment, is a protocol for automating the certificate lifecycle. It was created by the Internet Security Research Group (ISRG) for its own CA, Let's Encrypt, which has only ever issued 90-day certificates, a stark contrast to the commercial Certificate Authorities (CAs) that issued for the full maximum the CA/Browser Forum's Baseline Requirements allowed. ACME has since been standardized by the IETF as RFC 8555.

What is the Present Maximum Validity Period of an SSL/TLS certificate?

The present maximum validity period for a publicly trusted SSL/TLS certificate is 398 days (roughly 13 months), as set by the CA/B Forum's Baseline Requirements.

However, a shift is on the horizon. In March 2023, following the CA/B Forum's face-to-face meeting, Google's Chrome Root Program announced its intention to reduce the maximum validity of all publicly trusted SSL/TLS certificates to 90 days.

When will Google Implement the 90-Day Certificate Validity?

No implementation date or deadline has been declared yet. Google is currently soliciting feedback from the Certificate Authorities at the CA/B Forum and is expected to announce enforcement dates afterwards. We will keep you updated as these developments progress.

Why is Shrinking Certificate Validity Beneficial?

In the past, one could obtain a 5-year SSL certificate. The limit has since been reduced in stages, to three years, then roughly two, and now to the current 398-day maximum. The reasoning is straightforward: the longer a certificate is valid, the less reliable it becomes, because the identity checks it was issued on age while the certificate stays trusted, and a compromised or mis-issued key remains usable for longer.

SSL/TLS certificates are how browsers verify the identity of a web server. The longer the gap between re-validations, the less that validation is worth. Much can change within a year: companies dissolve, merge or change names, and domains are sold. Maintaining reliable authentication means re-checking this information frequently.

Google's previous representative on the CA/B Forum suggested that domain validation information should be trusted for only about six weeks.

Could Certificate Validity Be Cut Further, to 30 Days, in the Near Future?

It is premature to predict this, but given the past trend in SSL/TLS certificate validity periods it is not out of the question.

Right now, the priority is to start serious discussions about certificate lifecycle management within your organization, with ACME as the obvious candidate for automating it.

Automation: From Luxury to Necessity

Managing SSL/TLS certificates has always been laborious. Even a handful requires careful planning: completing multiple validations, making sure each certificate is issued and installed on the right server, configuring the server to use it, and tracking expiry dates. At scale it is an enormous undertaking.

Now imagine doing all of that four times a year instead of once. The workload quadruples, and so does the chance that a missed renewal causes an outage. The straightforward way to stop your IT team from throwing in the towel is ACME.

ACME is a protocol for communication between a CA and an agent (an ACME client) running on a web server. The agent handles the certificate request, proves control of the domain by answering a CA-issued challenge (http-01, dns-01 or tls-alpn-01), installs the certificate, and renews it for the websites on the server. ACME was designed around short lifetimes and has been extended since its introduction to cover more than just free domain-validated (DV) certificates.

No more manual domain validations: the agent answers the challenge. No more manual installation and configuration: the agent handles that too. And when a certificate approaches expiry and needs replacing, the agent renews it before it lapses. One caveat worth planning for: automation removes the work, not the need to watch it, so monitor renewal failures and certificate expiry dates independently of the agent.
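To make the agent's two key steps concrete, here is an added example (not eMudhra's, emSign's or any ACME client's own code): the challenge-response computation an ACME agent performs for domain validation, taken from RFC 8555 and RFC 7638, and a renewal-timing policy expressed as a fraction of certificate lifetime so that it scales from today's 398-day certificates to a 90-day regime. The account key, challenge token and validity dates are constructed for the example and are not real.

```python
# Added example (not eMudhra's or emSign's code): the two computations an ACME
# agent performs that the text describes as "domain validation" and "renewal",
# following RFC 8555 / RFC 7638.  Key, token and dates below are constructed.
import base64
import hashlib
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed account key in JWK form.  Real ACME account keys are 2048-bit RSA
# or P-256; the modulus here is a placeholder so the script runs offline.
SAMPLE_JWK = {
    "kty": "RSA",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86z",
    "e": "AQAB",
}

# RFC 8555 section 8.3: tokens contain only base64url characters.  Checking
# this before touching the filesystem keeps a malicious token such as "../x"
# out of the /.well-known/acme-challenge/<token> path the agent writes to.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires (RFC 8555 section 4)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of the account public key.

    Only the required public members are hashed, sorted lexicographically
    with no whitespace, so member order and any private member ("d", ...)
    never change the result.
    """
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    public = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(public, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def is_valid_token(token: str) -> bool:
    """True if the CA-supplied token is safe to embed in a path or DNS name."""
    return TOKEN_RE.fullmatch(token) is not None


def key_authorization(token: str, jwk: dict) -> str:
    """token || "." || thumbprint: proves the responder holds the account key."""
    if not is_valid_token(token):
        raise ValueError("challenge token is not base64url: refusing it")
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_response(token: str, jwk: dict):
    """Path and exact body the agent must serve over port 80 for http-01."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, jwk)


def dns01_txt_value(token: str, jwk: dict) -> str:
    """TXT value for _acme-challenge.<domain>: base64url(SHA-256(key authz))."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def needs_renewal(not_before: datetime, not_after: datetime,
                  now: datetime, fraction: float = 1 / 3) -> bool:
    """Renew once the remaining lifetime drops to `fraction` of the total.

    One third is the convention Let's Encrypt clients popularised (renew a
    90-day certificate with 30 days left); as a fraction, the same policy
    applies unchanged to 398-day certificates and to a future 90-day regime.
    """
    lifetime = not_after - not_before
    return (not_after - now) <= lifetime * fraction


# Constructed validity windows for a 90-day and a 398-day certificate.
CERT_NOT_BEFORE = datetime(2023, 7, 4, tzinfo=timezone.utc)
CERT_NOT_AFTER_90 = CERT_NOT_BEFORE + timedelta(days=90)
CERT_NOT_AFTER_398 = CERT_NOT_BEFORE + timedelta(days=398)


def at(days: int) -> datetime:
    """Clock reading `days` after issuance (helper for the demo below)."""
    return CERT_NOT_BEFORE + timedelta(days=days)


if __name__ == "__main__":
    token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed token
    path, body = http01_response(token, SAMPLE_JWK)
    print("http-01:", path, "->", body)
    print("dns-01 TXT:", dns01_txt_value(token, SAMPLE_JWK))
    for day in (50, 60, 61):
        due = needs_renewal(CERT_NOT_BEFORE, CERT_NOT_AFTER_90, at(day))
        print(f"90-day certificate, day {day}: renew? {due}")
```

The thumbprint is what ties a challenge response to one ACME account: the CA will only accept the http-01 body or dns-01 TXT record if it was computed with the key that requested the certificate, so that account key deserves the same protection as the server's private key. The token check matters because many agents write the token straight into a file path under the web root.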

How Can emSign’s ACME Service Facilitate the Automation of My SSL/TLS Certificates?

emSign's ACME service is an agent-independent (it works with standard ACME clients), high-efficiency automation solution that removes labor-intensive tasks from your IT team's plate and saves your organization money. It can issue both domain-validated (DV) and organization-validated (OV) SSL/TLS certificates. It is also backed by the experience, support and Service Level Agreements (SLAs) that have earned emSign its standing as one of the world's most esteemed Certificate Authorities and Qualified Trust Service Providers. Clients can purchase certificate packs and manage everything through the emPower portal, enabling complete automation of all the SSL/TLS certificates on your network.

Contact us Today for ACME Automation with emSign