At the recent CA/B Forum meeting, Chrome released their vision for their root policy that included 90-day certificate validity periods. This does not mean that 90-day certificates will become a reality right away, but it does start the conversation towards further shrinking certificate lifetimes.
The trend towards shorter certificate lifecycles is not new. Nor is it singularly led by Google. We’ve seen this trend emerge over several years, as certificate lifetimes have shrunk from three-years to two-years, to the current one-year period. As we stated in 2020 in our position on one-year certificates; there is “a long history of the CA/B Forum community working to reduce certificate lifetimes and improve security, while balancing the needs of business owners in transitioning to shorter validity certificates.” So, why the continual push for shorter validity periods and what does that mean for our customers? Read on to find out.
We previously supported shorter certificate lifetimes for a long time as one and two year certificates improve security and enable us to make updates to the certificate ecosystem faster. To facilitate shorter validity periods, DigiCert allows customers to issue flexible certificate lifetimes through our APIs.
As Chrome outlines in their root policy notice, “Reducing certificate lifetime encourages automation and the adoption of practices that will drive the ecosystem away from baroque, time-consuming, and error-prone issuance processes. These changes will allow for faster adoption of emerging security capabilities and best practices, and promote the agility required to transition the ecosystem to quantum-resistant algorithms quickly. Decreasing certificate lifetime will also reduce ecosystem reliance on “broken” revocation checking solutions that cannot fail-closed and, in turn, offer incomplete protection. Additionally, shorter-lived certificates will decrease the impact of unexpected Certificate Transparency Log disqualifications."
Is 90 days the correct period? 90 days is still too long for a compromised certificate to exist, so moving to 90 days does nothing to improve revocation. Furthermore, industry transitions typically take six to 12 months anyway, so after the move to one year certificates, certificate lifetimes are no longer the long pole that delays policy upgrades. Plus, domain registrations are on an annual basis, and not every 90 days. It is not clear that moving to 90 days is the best next step for improving the agility of the web PKI. We look forward to discussing alternative methods that can be used to incentivize and encourage the adoption of automation and the rapid replacement of certificates, when necessary, which is really the goal here.
While shorter validity periods may questionably improve security, the change certainly would come with significant burdens. 90-day certificates would be a huge change for enterprises and we recognize the challenges this would pose to customers in managing certificate lifecycles. With shrinking certificate lifetimes, managing certificate expirations through spreadsheets and notifications is no longer a practical approach. Even absent shrinking certificate lifetimes, manually tracking them on a spreadsheet is a laborious task that is susceptible to human error. To comply with industry standards and keep pace with hardware and software advancements, certificate management necessitates careful attention that struggles to hold up at scale.
Furthermore, the consequences of mismanaged certificates and outages can be detrimental and an increasing workload for certificate lifecycle management could increase the possibility of human error leading to outages. Studies show that the economic loss of a certificate outage or failed audit amounts to over $10M, and each data breach costs on average $9.4M. That lost trust also has real consequences for customer retention. In the DigiCert 2022 State of Digital Trust report, 47% of consumers reported that they have switched vendors due to breaks in trust. That’s why we predict that managed solutions and automation will become the industry standard, regardless of whether or not certificate validity periods move to 90 days.
We have continued to develop innovative solutions to help our customers stay ahead — not just of shrinking lifetimes but also of other evolving threats, like post-quantum cryptography. For instance, when the industry moved to one-year certificates, we introduced Multi-year Plans, which automated renewal for up to six-years of coverage, eliminating the need for annual per-certificate purchases and locking in pricing discounts for succeeding years.
We also recently introduced DigiCert® Trust Lifecycle Manager, which integrates CA-agnostic certificate management, across public and private trust, and PKI services to deliver centralized visibility and control, prevent business disruption and secure identity and access. DigiCert Trust Lifecycle Manager is a full stack solution that can help enterprises remain compliant with ever-evolving industry standards.
DigiCert Trust Lifecycle Manager is different from other certificate management solutions in that it not only offers certificate lifecycle management (CLM) but also PKI services. CLM addresses the need for centralizing visibility and management of both public and private certificates across the organization and across CAs. PKI services govern private PKI issuance from the creation and management of CAs and ICAs to the issuance of the certificates that govern user, device and server security, with integrations that drive these certificates all of the way to end entity and third-party application installation.
For more information, visit https://www.digicert.com/trust-lifecycle-manager.
While there is not currently a ballot in place for 90-day certificates, it is possible that we could see one in the future. Furthermore, any changes to certificate validity periods or requirements will be made in advance to give companies an appropriate time window to incorporate changes. We will share any relevant updates on the DigiCert blog or social. As always, you can read our full recap of the CA/B Forum meetings at www.digicert.com/blog/category/ca-browser-forum.