New, Shorter Lifetimes for SSL/TLS Certificates: What’s Changed and What Does This Mean for Users?

On 1 September 2020, new, shorter lifetimes were introduced for SSL/TLS certificates. They can now be valid for a maximum term of 13 months (i.e. 397 days). Browser manufacturers expect this change to bring greater security. For website operators, however, shorter lifetimes mean more work.

Certificate Authorities (CAs), such as D‑TRUST, and browsers are independent of each other. Browsers use certificates to determine the trust level of websites. CAs benefit when certificates are displayed in the browser. This process is managed by root programs. In order for a certificate to be considered trustworthy, CAs must follow the guidelines of the root program and at the same time those of the browser operator.
 

Why did browser manufacturers opt to have the period of validity reduced?

Up until 2015, it was still possible to issue certificates with a validity period of up to five years. This was reduced to three years in 2018 and later to only two years. Now, under strong pressure from major browser manufacturers, a decision was made to limit the validity of website certificates to one year beginning September 2020. This move offers two major advantages.

• From a technical perspective, updates and changes can now be implemented much faster.
• From a user perspective, there is a security advantage: If a certificate is valid for just one year, the identity behind the certificate will be verified once again the following year. Browser manufacturers hope that the shorter validation intervals will lead to greater security on the net.
   

What does this decision mean for individual website operators?

• Validity: This change has no effect on SSL/TLS certificates purchased before 1 September of this year. These certificates will remain valid until they reach their expiry date even if they were issued for two years. All website certificates purchased after 1 September 2020 are now valid for one year only. It is therefore advisable to keep a precise record of when certificates are due to expire. This often means higher costs and more time for correct connection.
  
  Website operators who use several certificates should manage them using a suitably managed PKI platform. In this way, operators are informed before a certificate expires—and new certificates can be applied for and issued in a matter of seconds. Following initial verification of the company and domain, it is no longer necessary to verify every single certificate request.
   
• Certificate type: The decision to shorten the validity period also influences the choice of certificate: In the case of organization-validated or extended validated certificates, the identity of the website operator is thoroughly checked by the CA. This, however, requires more work that must now be carried out at ever shorter intervals. There is a risk that due to this additional work users will be likely to resort to certificates without proof of identity. However, identity-validated certificates are what, in fact, creates greater security on the net.
  
  In the case of domain-validated (DV) certificates, verification is limited to checking whether the customer is also the owner of a domain. This often creates a false sense of security. Cybercriminals often take advantage of this and register with a similar sounding URL which then enables them to easily obtain a DV certificate.
  
  Identity-validated certificates are the certificate of choice for secure online communication. In the case of organization-validated (OV) certificates, the organization behind the website is checked in addition to the domain.
  
  When it comes to extended validated (EV) certificates, the certificate provider also checks whether the applicant actually works for the stated organization and is authorized to apply for a certificate. It is therefore advisable to invest in identity-validated certificates. Only then will data traffic on the net become more secure, SSL-secured pages will have a higher level of trust and traffic will increase.
   
• Partners: Since certificates have to be renewed annually, it makes sense to work with a provider who knows the requirements of the country in question and who can communicate with the website operator in the same time zone and language.
  
  In Europe, the eIDAS regulation provides guidance on qualified trust service providers (qTSPs). These TSPs are subject to very strict security requirements and liability rules and are obliged, among other things, to demonstrate that their technical and organizational measures are state-of-the-art. They, like D‑TRUST GmbH, can be recognized by the EU trust mark.

Recent developments due to the shortened lifetime of SSL/TLS certificates show just how important domain validation methods are becoming. It goes without saying that an efficient certificate management system is also required, which provides information in good time before a certificate expires. A corresponding solution from Venafi combined with the managed PKI solution from D-TRUST ensures a perfectly smooth workflow.

Learn more about D-TRUST on the Venafi Marketplace.

Related posts

• Certificate Lifespans Just Got Shorter: Are You Prepared?
• OCSP Stapling Can Help You Gain Control of Your Own Certificate Lifespans
• Majority of Businesses Still Experience Outages: Are You Protecting Your Certificates?
• GAO Report: Expired Certificate Allowed Extended Exfiltration