Certificate Lifespans Just Got Shorter: Are You Prepared?

August 31, 2020 | Emil Hanscom

Digital keys and certificates act as machine identities that authenticate connections and communications. In other words, these machine identities control the flow of sensitive data to trusted machines in a wide range of security and operational systems. Enterprises rely on machine identities to connect and encrypt over 330 million internet domains, over 1.8 billion websites and countless applications. When these certificates expire unexpectedly, the machines or applications they identify will cease to communicate with other machines, shutting down critical business processes.

Starting tomorrow, September 1st, every publicly trusted TLS certificate issued on or after that date must have a validity period (notBefore to notAfter) of 398 days or less; certificates issued earlier keep their original validity until they expire. This is roughly half of the previous maximum of 825 days (27 months). This latest change is an indication that machine identity lifetimes will continue to shrink. Since many organizations lack the automation capabilities necessary to replace certificates with short lifespans at machine scale and speed, they are likely to see sharp increases in outages caused by unexpected certificate expirations.
 


“This latest change in the certificate lifespan originated due to a unilateral move from Apple to reduce machine identity lifespans, and it will profoundly impact businesses and governments globally,” said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi. “The interval between certificate lifecycle changes is shrinking, while at the same time, certificate lifecycles themselves are being reduced.”

Bocek continues: “In addition, the number of machines—including IoT and smart devices, virtual machines, AI algorithms and containers—that require machine identities is skyrocketing. It seems inevitable that certificate-related outages, similar to those that have haunted Equifax, LinkedIn, and the State of California, will spiral out of control over the next few years.”

According to analysis by Venafi, the interval between changes in the length of certificate lifespans has been shrinking over the last decade:

  • Pre-2011—8-10 years
    Certificate lifespans were 96 months.
  • 2012—5 years
    Certificate lifespans were shortened to 60 months, a reduction of 37%. This change was preplanned in the CA/Browser Forum Baseline Requirements.
  • 2015—3 years
    Certificate lifespans were shortened to 39 months, a reduction of 35%. This change happened three years after the five-year limit was adopted.
  • 2018—2 years
    Certificate lifespans were shortened to 27 months (825 days), a reduction of 30%. This change happened three years after the three-year limit was adopted.
  • 2020—1 year
    Certificate lifespans were shortened to 13 months (398 days), a reduction of 51%. This change happened two years after the two-year limit was adopted.

     

Unfortunately, eliminating certificate-related outages within complex, multitiered architectures can be challenging. Ownership and control of these certificates often reside in different parts of the organization, with certificates sometimes shared across multiple layers of infrastructure. These problems are exacerbated by the fact that most organizations have certificate renewal processes that are prone to human error. When combined, these factors make outage prevention a complex process that is made much more difficult by shorter certificate lifetimes.

“If the interval between lifecycle changes continues on its current cadence, it’s likely that we could see certificate lifespans for all publicly trusted TLS certificates reduced to 6 months by early 2021 and perhaps become as short as three months by the end of next year,” concludes Bocek. “Actions by Apple, Google or Mozilla could accomplish this. Ultimately, the only way for organizations to eliminate this external, outside risk is total visibility, comprehensive intelligence and complete automation for TLS machine identities.”
 

About the author

Emil Hanscom
Emil Hanscom

Emil is the Public Relations Manager at Venafi. Passionate about educating the global marketplace about infosec and machine-identity issues, they have consistently grown Venafi's global news coverage year over year.
