1-Year Certificates are Here: What Now?

With shrinking lifetimes, using spreadsheets and notifications to manage certificate expirations is not viable. As the leader in the industry, DigiCert is continuing to develop innovative solutions to help customers do this more simply, through DigiCert CertCentral® and automation.

Shorter certificate lifetimes are here, whether you’re ready or not. After Apple announced they would enforce shorter lifetimes on certificates, both Chrome and Mozilla followed suit and adopted similar policies. Starting today, certificates have a max validity of 398 days — just over one year. This shorter certificate lifetime can lead to management challenges unless administrators incorporate automation. Fortunately, DigiCert has innovative solutions to simplify certificate management in CertCentral and through Multi-year Plan options.

Certificates are becoming increasingly more difficult to manage manually

Even without shorter certificate lifetimes, tracking manually on a spreadsheet is a burdensome job. Plus, it’s prone to human error. Certificate management requires close attention to remain compliant with industry standards and stay up to date with hardware and software updates. You essentially have to do all of the following:

  • Inventory your certificates
  • Keep up with industry changes
  • Create a spreadsheet to manage your inventory
  • Create alerts to remind you about expiring certificates
  • Designate an alternative admin when you are away
  • Hope you don’t miss a certificate expiration

While this process may work for small organizations, it certainly struggles to hold up at scale. And certificate outages can have serious consequences.

Consequences of lack of visibility

Lack of visibility is a top challenge many organizations face in managing their certificates. It is why many organizations operate without knowing if all their certificates are valid and is one of the largest contributors to the certificate-related outages that are damaging brands. One expired TLS certificate can shut down a website for hours or days, costing a company potentially millions in revenue.

DigiCert’s position on 1-year certificates

DigiCert supports shortening certificate lifetimes because it allows us to make updates to the certificate ecosystem faster (transition from SHA1 to SHA2 and longer keys). In fact, DigiCert has supported short-term certificates for a long time, even certificates that only last hours. And we have the ability to issue flexible certificate lifetimes as short as hours through our APIs. Most organizations do not have the certificate agility to do that. See more details in our Position on 1 Year Certificates blog.

DigiCert encourages best practices in automated management to prevent certificate outages. As the industry trends towards shorter certificate lifetimes, we continue to innovate to help our customers simplify certificate management.

DigiCert’s CertCentral is the industry leader

A managed discovery and certificate management solution like CertCentral does all the thinking for you. Using our ACME solution, you can even set automated renewals to save time and reduce costs. ACME protocol is enabled in DigiCert’s CertCentral management platform for OV and EV certificates, with DV coming soon.

CertCentral is an award-winning, globally leading TLS/SSL certificate manager that simplifies digital certificate management at any scale, allowing organizations to purchase and install, monitor, renew and remediate certificates with automated discovery and other automation tools. CertCentral helps organizations know where all their certificates reside, ensure compliance with the latest industry standards and avoid the costly damages of downtime related to expired certificates. From small businesses to large enterprises, CertCentral is the perfect solution to manage your certificate inventory and lifecycle.

Multi-Year Plan simplifies management

And now you have the option to purchase a Multi-year Plan of up to six-years of coverage for TLS certificates in CertCentral. The Multi-year Plan simplifies certificate purchasing and renewal processes for customers and partners.

A Multi-year Plan eliminates the need for annual per-certificate purchases and provides a service period of up to six years, during which time you may reissue and renew certificates as often as needed. You can also lock in pricing discounts for succeeding years. Simply purchase an OV or EV certificate and then set up automated renewal using ACME. You can purchase a Multi-year Plan from DigiCert authorized partners and in CertCentral.

Stay tuned for more announcements about DigiCert’s automation strategies.

Posted in Automation, CertCentral, Certificate Management, SSL, TLS