
Certificate Lifespan Controversy Sparks Machine Identity Management Concerns
September 23, 2019 | Guest Blogger: Kim Crawley

The CA/Browser Forum sets the policies (the Baseline Requirements) that certificate authorities and web browser developers must abide by when it comes to publicly trusted TLS certificates, an important type of machine identity.

On September 10th, the Forum's members voted on a proposed policy change, Ballot SC22. Publicly trusted TLS certificates currently have a maximum validity period of 825 days, roughly 27 months. The ballot proposed shortening that to 397 days, roughly 13 months. Forty member organizations cast ballots. In my opinion, if a small number of people are voting on something, it’s best to have an odd number of voters. That would theoretically eliminate the possibility of ties. But there was no tie in this vote: 18 voted in favor of the shorter validity period, 20 opposed it, and two abstained. Oh well.

So, it looks like certificates with a 27-month (825-day) lifespan are here to stay for now. I personally would have preferred a 13-month limit, because a longer lifespan gives a cyber attacker who intercepts a certificate a longer window in which to use it. As I said in a collaborative post with David Bisson:


“Shorter time durations for HTTPS certificates sounds like a great idea to me. Sometimes certs are breached. A certificate that lasts 13 months instead of 27 reduces the scope of data compromise when that happens. Proper machine identity management can handle the greater frequency of certificate deployment so users won't even have to worry about the CA/Browser Forum proposal if it's implemented, and it should improve web security.”


Much of the security community favors shorter maximum certificate lifespans, and the reasoning is concrete. What an attacker actually needs is the private key behind a certificate. If that key is stolen, the certificate remains usable until it expires, and browsers' revocation checking is unreliable enough that expiry is the only limit you can count on. A shorter validity period therefore caps how long a stolen key can be abused, retires weak keys and deprecated algorithms sooner, and forces organizations to exercise their renewal process regularly instead of once every two years. The attack surface shrinks a bit.


So why would anyone oppose shortening the lifespan of TLS certificates? When the CA/Browser Forum held its vote, the main objection was that certificate authorities’ customers might not be able to manage certificates with shorter lifespans, and some might not cope at all.



For an organization to keep all of its TLS certificates to a lifespan of 13 months or less, it needs more robust and effective certificate management across its cryptographic systems and infrastructure: an inventory of every certificate in use, knowledge of when each one expires, and renewal that does not depend on someone remembering a calendar entry. Many organizations fear not only the direct financial cost of upgrading their PKIs (public key infrastructures) but also the extra time and labor involved. More frequent issuance also means more renewals to get right; a missed renewal causes an outage, and an outage handled in a panic can lead to security mistakes of its own.
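As an added example, not code from this post or from Venafi, here is a small Go program that performs the kind of check such management needs. It parses X.509 certificates from DER, measures each validity period against the 825-day (27-month) limit the Baseline Requirements imposed at the time and the 397-day (13-month) limit the ballot proposed, and flags anything inside a renewal window. The 30-day renewal window, the host names and the three sample certificates are constructed for the example; the certificates are generated self-signed in memory, so the program runs offline. The lifespan is computed as notAfter minus notBefore, without reproducing the Baseline Requirements' exact inclusive-second boundary rule.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Limits discussed in the post: 825 days was the Baseline Requirements maximum
// ("27 months"); 397 days is what Ballot SC22 proposed ("13 months").
// The 30-day renewal window is an assumption for this example, not a Forum rule.
const (
	MaxValidityDays      = 825
	ProposedValidityDays = 397
	RenewWithinDays      = 30
	day                  = 24 * time.Hour
)

// Finding is the result of checking one certificate.
type Finding struct {
	Subject         string
	LifespanDays    int
	DaysRemaining   int
	ExceedsCurrent  bool // longer than 825 days: browsers already reject it
	ExceedsProposed bool // longer than 397 days: would have violated SC22
	RenewNow        bool // expired, or inside the renewal window
}

// CheckLifespan measures a parsed certificate's validity period and its time
// to expiry at "now" against the limits above.
func CheckLifespan(cert *x509.Certificate, now time.Time) Finding {
	lifespan := cert.NotAfter.Sub(cert.NotBefore)
	remaining := cert.NotAfter.Sub(now)
	return Finding{
		Subject:         cert.Subject.CommonName,
		LifespanDays:    int(lifespan / day),
		DaysRemaining:   int(remaining / day),
		ExceedsCurrent:  lifespan > MaxValidityDays*day,
		ExceedsProposed: lifespan > ProposedValidityDays*day,
		RenewNow:        remaining <= RenewWithinDays*day,
	}
}

// Scan checks every certificate in an inventory.
func Scan(certs []*x509.Certificate, now time.Time) []Finding {
	findings := make([]Finding, 0, len(certs))
	for _, c := range certs {
		findings = append(findings, CheckLifespan(c, now))
	}
	return findings
}

// makeCert generates a self-signed certificate with the given validity window.
// Constructed sample data for the example, not a real issued certificate.
func makeCert(cn string, notBefore time.Time, lifespanDays int) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(time.Duration(lifespanDays) * day),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	// Re-parse the DER so the check runs on exactly what an inventory would hold.
	return x509.ParseCertificate(der)
}

// SampleFindings builds three constructed certificates relative to a fixed
// "today" (the post's publication date) and scans them.
func SampleFindings() ([]Finding, error) {
	now := time.Date(2019, time.September, 23, 0, 0, 0, 0, time.UTC)
	samples := []struct {
		cn            string
		issuedDaysAgo int
		lifespanDays  int
	}{
		{"web.example.test", 30, 365},       // compliant under both limits
		{"api.example.test", 800, 825},      // at today's maximum, 25 days from expiry
		{"legacy.example.test", 1000, 1095}, // three-year cert: already non-compliant
	}
	var certs []*x509.Certificate
	for _, s := range samples {
		c, err := makeCert(s.cn, now.Add(-time.Duration(s.issuedDaysAgo)*day), s.lifespanDays)
		if err != nil {
			return nil, err
		}
		certs = append(certs, c)
	}
	return Scan(certs, now), nil
}

func main() {
	findings, err := SampleFindings()
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-22s lifespan=%4dd remaining=%4dd >825d=%-5t >397d=%-5t renew=%t\n",
			f.Subject, f.LifespanDays, f.DaysRemaining, f.ExceedsCurrent, f.ExceedsProposed, f.RenewNow)
	}
}
```

In a real deployment the certificates would come from a scan of load balancers, hosts and key stores rather than from makeCert, and the RenewNow flag would feed an automated renewal (for example via ACME) rather than a printed report; the point is that the lifespan and expiry checks are cheap once an inventory exists.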

Some of the organizations that vote in the CA/Browser Forum would happily comply with shorter certificate lifespans, but this year’s ballot would not have given them enough time to prepare their customers before the new policy came into effect.


Another matter to consider is that the CA/Browser Forum consists of members with potentially conflicting interests. Some represent smaller customers that would be especially reluctant to overhaul their PKIs and certificate management.


The SSL Store’s Patrick Nohe wrote:


“One of the dynamics at work in the discussion of validation is that the non-CA members (browsers) of the Forum generally have a theoretical knowledge of validation, whereas the CAs are actually performing it and have a different perspective owing to their experience with the process. Neither viewpoint is wrong. In a truly collaborative environment, the two differing perspectives could even be a strength. But as it stands, even validation is a contentious topic at the Forum.


Right now, you can re-use validation data for 27 months (13 months for EV). After the initial validation, a CA can issue any certificate you order with only a domain control check if you ask for a new domain. That means it’s near instant. For large organizations this is a godsend. Reducing the amount of time that validation information stays ‘fresh’ and can be re-used means organizations and CAs must validate more often. That consumes time and resources from both the CA and the organization getting the certificate. It’s also another move that devalues higher-validation certs because the re-validation process is more burdensome.”

Perhaps more of these CA/Browser Forum voters would be on board with shortening the lifespan of TLS certificates if they knew their customers had proper machine identity management. As Katrina Dobieski and Scott Carter wrote here:


“Manual management techniques left too much room for human error. And we saw many high-profile instances of certificate-related outages that resulted from uncontrolled machine identities. New research indicates that these same under-managed machine identities are also prime tools for organized cyber criminals.


Forward-thinking companies began to realize the value of centrally managing, and ultimately protecting, machine identities early on. And now, we’re seeing an increasing number of the world’s leading organizations getting serious about managing their machine identities.”


If we can get more organizations to implement good machine identity protection and management, maybe the next vote the CA/Browser Forum holds on TLS certificate lifespans will actually be in favor of a 13-month maximum validity period! Imagine that.

About the author

Guest Blogger: Kim Crawley

Kim Crawley writes about all areas of cybersecurity, with a particular interest in malware and social engineering. In addition to Venafi, she also contributes to Tripwire, AlienVault, and Cylance’s blogs. She has previously worked for Sophos and Infosecurity Magazine.