
398 > 90 Days


In a move aimed at improving internet security, Google recently announced its intention to decrease the validity of public SSL/TLS certificates to just 90 days. This change is expected to have a significant impact on all users of the internet as SSL certificates are a fundamental part of online security used by 95% of all known websites globally.

The decision to reduce the maximum validity period for SSL/TLS certificates from 398 days to just 90 days was announced in March 2023 by Google. This change is intended to improve the security of online communication by reducing the potential impact of compromised or stolen certificates.

While the change could potentially improve security, it will certainly create additional work for website owners and administrators, who will need to keep track of more frequent certificate renewals; an increase of 400% in workload, to be precise. Overall, this change will have a significant impact on nearly all organizations.

The reason for this change, as explained by Google, is to promote automation, optimize processes, mitigate CRL issues, and promote the agility required to transition the ecosystem to quantum-resistant algorithms quickly. Essentially, this means that websites and online services will need to renew their SSL certificates every 90 days, quadrupling the workload required to maintain secure online communications.

What shorter SSL/TLS validity means for website owners

This announcement follows a similar move made by Apple in 2020, which announced that it intended to reject new SSL/TLS certificates issued on or after September 1, 2020, that have a validity of more than 398 days. Shortly after, both Google and Mozilla followed suit to enforce similar 398-day limits.

Despite overwhelming support from major browser makers, a proposal to reduce certificate lifetimes to one year was shot down in a CA/B Forum ballot in September 2019. However, Google has now taken the initiative to enforce a stricter limit, which most likely will prompt other major browsers such as Apple, Microsoft, Mozilla, and Opera to follow suit and announce similar validity decreases in the coming months.

This change is expected to have a significant impact on everyone involved in Certificate Lifecycle Management, particularly those who rely on SSL/TLS certificate operations to secure their business-critical digital assets. Website owners, administrators, application owners, and many more will need to keep track of more frequent certificate renewals to avoid disruptions in service and potential security breaches.

In addition to the serious workload implications, this change may also create compatibility issues for older devices or systems that are not capable of handling the shorter certificate lifetimes. This could have a significant impact on businesses and individuals who rely on older technology to access the internet.

The decision to reduce the validity of SSL/TLS certificates to just 90 days is a significant change that will have a major impact on the digital certificates industry.

The reason for shorter SSL/TLS certificate lifespans

Despite the potential challenges posed by this change, it is ultimately intended to improve the security of online communications and ensure that websites and online services are as secure as possible. By reducing the maximum validity period for SSL/TLS certificates, Google hopes to minimize the impact of compromised or stolen certificates and promote the adoption of more secure encryption algorithms.

Website owners and administrators who rely on SSL/TLS certificates to secure their online communications should begin preparing for the upcoming changes by ensuring that they have systems in place to manage the more frequent certificate renewals. Additionally, they should ensure that their websites and online services are compatible with the new, shorter certificate lifetimes to avoid any potential disruptions in service.

In conclusion, the decision to reduce the validity of SSL/TLS certificates to just 90 days is a significant change that will have a major impact on the digital certificates industry. While this change will create a huge additional workload for organizations, it is ultimately intended to improve the security of online communications and ensure that websites and online services are as secure as possible. By adopting more secure encryption algorithms and minimizing the impact of compromised or stolen certificates, Google hopes to promote a safer and more secure internet for all users by using the stick instead of the carrot.

This article is based on this link.
