Certificate Lifespans Are Shrinking: Preparing Organizations for a Changing Digital Landscape
The Shift to Shorter Certificate Lifespans: A Challenge for Organizations
The push for shorter TLS certificate lifespans has been gaining momentum over the years, driven by the need for improved security and flexibility. Google’s initial proposal for 90-day certificates sparked industry-wide discussions, which eventually led to the CA/Browser Forum establishing a formal schedule to reduce certificate validity periods. The new timeline, which will be implemented over the next three years, will see certificate lifespans decrease from one year to 200 days, then 100 days, and ultimately 47 days.
This change poses significant challenges for organizations, particularly those in the mid-market segment, which make up a substantial portion of the customer base for certificate authorities like GlobalSign.
The primary concern is that most organizations lack the necessary processes and tooling to manage certificates effectively, especially when it comes to revocation, replacement, and rotation.
According to John Murray, Senior Vice President of Sales at GlobalSign, the underlying goal of shorter certificate lifespans is to enable organizations to move cryptographic key material quickly, revoke certificates on short notice, and replace them within tight windows. This requires a high degree of discipline around certificate hierarchies, including the use of single-purpose root certificates.
However, many organizations have not yet built the necessary infrastructure to support these requirements.
Larger enterprises are ahead of the curve, with dedicated public key infrastructure (PKI) teams and budget for certificate lifecycle management tools. In contrast, mid-market and smaller organizations often lack the resources and expertise to manage certificates effectively.
The Importance of Discovery and Automation
For organizations starting to get serious about certificate management, discovery is the first step. This involves using tools to catalog all certificates and identify where they live and what type of platform they run on. Without this inventory, automation is difficult to deploy, and the scope of any migration project is essentially unknown.
GlobalSign’s Atlas platform and the LifeCycle X by GMO tool both offer certificate discovery, and the resulting inventory feeds directly into automation planning: the platforms and infrastructure types an organization runs on determine which automation approaches are available to it.
Post-Quantum Cryptography Preparation
The transition to shorter certificate lifespans shares a common foundation with post-quantum cryptography preparation. The automation infrastructure built to handle certificate rotation will also be the delivery mechanism for post-quantum certificates once they are ready to deploy. Organizations that have done the inventory work and built out automated renewal pipelines will be able to push new certificate types to endpoints without starting from scratch.
Purchasing Model Changes
Shorter certificate lifespans create a problem that extends beyond operations into procurement. The traditional model for buying certificates, purchasing a pack of certificates and renewing them once a year, breaks down quickly when certificates need to be replaced every 47 days. GlobalSign has developed a licensing approach built around subject alternative names (SANs) rather than individual certificate issuances. Under this model, organizations are licensed by the number of unique fully qualified domain names (FQDNs) they need to cover, measured in real time.
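The discovery step and the SAN-based licensing count described above, as an added illustration that is not GlobalSign's or Atlas's code: it normalises the dict Python's `ssl` module returns for a served certificate, flags certificates whose validity exceeds a target maximum (47 or 200 days, say) or that have already entered their renewal window, and counts unique FQDNs across all SANs. The sample certificates, the `SAMPLE_NOW` date and the renew-at-one-third-remaining rule are constructed assumptions.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

def record_from_peercert(host: str, cert: dict) -> dict:
    """Normalise one ssl.SSLSocket.getpeercert() dict into an inventory record."""
    to_dt = lambda s: datetime.fromtimestamp(ssl.cert_time_to_seconds(s), tz=timezone.utc)
    not_before, not_after = to_dt(cert["notBefore"]), to_dt(cert["notAfter"])
    sans = tuple(v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS")
    return {"host": host, "sans": sans, "not_before": not_before,
            "not_after": not_after, "lifetime_days": (not_after - not_before).days}

def discover(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live discovery: fetch the leaf certificate a host actually serves (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return record_from_peercert(host, tls.getpeercert())

def audit(records, max_validity_days: int, now: datetime, renew_fraction: float = 1 / 3) -> list:
    """Flag certs issued for longer than the allowed maximum, and certs already inside
    their renewal window (assumption: renew once a third of the lifetime remains)."""
    findings = []
    for r in records:
        renew_by = r["not_after"] - timedelta(days=r["lifetime_days"] * renew_fraction)
        findings.append({"host": r["host"], "lifetime_days": r["lifetime_days"],
                         "exceeds_max": r["lifetime_days"] > max_validity_days,
                         "days_remaining": (r["not_after"] - now).days,
                         "renew_now": now >= renew_by})
    return findings

def unique_fqdns(records) -> set:
    """Unique FQDNs across every SAN: the unit a SAN-based licence is measured in."""
    return {name for r in records for name in r["sans"]}

# Constructed sample inventory in getpeercert() shape; not any real host's certificate.
SAMPLE_PEERCERTS = {
    "www.example.com": {"subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com")),
                        "notBefore": "Jan  1 00:00:00 2025 GMT", "notAfter": "Dec 31 23:59:59 2025 GMT"},
    "api.example.com": {"subjectAltName": (("DNS", "api.example.com"), ("DNS", "example.com")),
                        "notBefore": "Oct 15 00:00:00 2025 GMT", "notAfter": "Nov 30 00:00:00 2025 GMT"},
}
SAMPLE_RECORDS = [record_from_peercert(h, c) for h, c in SAMPLE_PEERCERTS.items()]
SAMPLE_NOW = datetime(2025, 11, 1, tzinfo=timezone.utc)  # constructed audit date

if __name__ == "__main__":
    for finding in audit(SAMPLE_RECORDS, max_validity_days=47, now=SAMPLE_NOW):
        print(finding)
    print("unique FQDNs to license:", len(unique_fqdns(SAMPLE_RECORDS)))
```

Replacing `SAMPLE_RECORDS` with `[discover(h) for h in hosts]` turns the same audit into a live scan of an organisation's own endpoints.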
The Future of Certificate Management
As certificate lifespans continue to shrink, automation will become increasingly essential. Organizations that are still managing certificates through spreadsheets or manual renewal processes will not be able to sustain that approach as validity periods compress. Small IT teams that treat certificate management as one item on a long list of responsibilities will run into outages.
The Automated Certificate Management Environment (ACME) protocol offers a low-cost entry point for automation, and GlobalSign supports ACME across its certificate types. For more complex environments, organizations may need a comprehensive certificate lifecycle management (CLM) solution.
PKI Expertise Matters
One factor that often gets overlooked in discussions of certificate management is the knowledge gap. PKI is specialized, and most organizations, particularly in the mid-market, do not have staff with deep expertise in it. GlobalSign focuses on PKI, which means its sales and solutions engineering teams can work through specific customer environments in depth.
The window to prepare for the shift to shorter certificate lifespans is narrowing. Organizations that start with discovery, identify automation opportunities, and address edge cases over time will be better equipped to handle the challenges ahead. Those that treat this as a future problem are running out of runway.
