Google’s recent proposal to reduce the maximum validity period of public TLS certificates from 398 days to 90 days has yet again sparked a discussion around short-lived certificates and their role in reinforcing security.
This is not the first time that TLS certificate lifespans have been reduced. Over the past decade the maximum lifespan has shrunk steadily: from five years to two years in 2018, then to one year (13 months) in 2020, and now to the proposed 90 days.
As organizations prepare their certificate lifecycle management (CLM) processes and systems to accommodate the change in validity, it is essential to understand that shortening certificate lifespans is not just about frequent renewals and extra work. Short-lived certificates help reinforce security and minimize risk in several ways.
Here are seven ways in which short-lived certificates enhance cybersecurity:
Reduced Attack Surface:
Long-lived certificates present a larger attack surface because they remain valid for an extended period. Short-lived certificates limit this attack surface through frequent expiration, which forces regular replacement or renewal and makes it harder for attackers to predict or exploit a given certificate. Even if a certificate is compromised, attackers have a much shorter window in which to exploit the stolen or compromised certificate before it expires. Because the exposure time is much shorter than with long-lived certificates, the scope of the damage is also significantly reduced.
Crypto-Agility:
The field of cryptography is constantly evolving. As new vulnerabilities are discovered and quantum-enabled threats solidify, old crypto standards are being replaced with new and safer ones. Organizations need to be crypto-agile to keep up and respond to these changes quickly. Short-lived certificates promote crypto-agility and help mitigate the risk of using outdated cryptographic algorithms or key lengths by forcing regular renewal, ensuring that the latest security standards are applied. Long-lived certificates, on the other hand, are typically treated with a “set and forget” mindset. Because of their long validity periods, PKI teams tend to delay crypto upgrades and overlook threats, inadvertently increasing the risk of vulnerabilities and data breaches.
CA-Agility:
Because short-lived certificates must be renewed more often, they help promote CA-agility and reduce the organization’s dependency on a single Certificate Authority (CA). Enterprise-wide crypto policies should include multiple approved CAs for both public and private trust. Organizations become accustomed to more frequent certificate monitoring, renewal and re-provisioning, including across multiple CAs as a best practice.
Automation:
Given their short lifespans, short-lived certificates need frequent renewal and re-provisioning. Handling frequent renewals requires automation to prevent certificate expiry and outages. Robust automated CLM systems can not only auto-renew certificates on a pre-set schedule but also re-provision and re-install the new certificates without human intervention. This ensures all certificates are up to date at any given time, minimizing the risk of unauthorized access, breaches, or insider attacks.
Improved Revocation Handling:
Revoking certificates is a crucial aspect of managing digital certificates. When a private key is compromised, revoking the certificate is essential to let browsers know they can no longer trust it. As certificate revocation lists (CRLs) grow, browsers may struggle to work through a large CRL file to detect the revoked certificate, resulting in slow page loads. If the browser does not have an up-to-date list, it may even accept the revoked certificate, enabling man-in-the-middle attacks. Short-lived certificates, on the other hand, simplify revocation management because they naturally expire relatively quickly. In the event of a security incident or the need to revoke a certificate, the impact is limited to the certificate’s short validity period.
Secure Key Management:
As a security best practice, private keys need to be rotated on a regular basis to limit the impact of key compromise. Key rotation means generating a new key for the certificate, which in turn requires a new certificate from the CA. The process takes time and effort. Short-lived certificates address this problem by letting organizations rotate keys at the same time as they renew certificates periodically. This eliminates extra effort and reduces the risk of private key compromise.
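The two checks a CLM needs for the renewal and key-rotation points above, as an added example written for this article (not AppViewX code): a pre-set renewal trigger evaluated against a certificate's validity window, and a comparison of the encoded public keys that catches a renewal which reused the old private key. The self-signed issuer, the `example.test` name and the one-third renewal threshold are assumptions for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewKey generates a fresh P-256 key; rotation means calling it at every renewal.
func NewKey() *ecdsa.PrivateKey {
	return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
}

// Issue builds a self-signed test certificate for key with the given lifetime.
// Constructed for this example; a CLM would submit a CSR to a CA instead.
func Issue(key *ecdsa.PrivateKey, notBefore time.Time, lifetime time.Duration) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(notBefore.Unix()),
		Subject:      pkix.Name{CommonName: "example.test"},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(lifetime),
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

// NeedsRenewal applies the pre-set trigger assumed here: renew once less than a
// third of the lifetime remains (30 days of a 90-day certificate).
func NeedsRenewal(c *x509.Certificate, now time.Time) bool {
	lifetime := c.NotAfter.Sub(c.NotBefore)
	return c.NotAfter.Sub(now) < lifetime/3
}

// KeyRotated is false when the renewed certificate carries the same SubjectPublicKeyInfo.
func KeyRotated(old, renewed *x509.Certificate) bool {
	return !bytes.Equal(old.RawSubjectPublicKeyInfo, renewed.RawSubjectPublicKeyInfo)
}
```

For a 90-day certificate issued on 1 January, NeedsRenewal becomes true from day 60 onward, and KeyRotated returns false if Issue is called again with the same key.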
Zero Trust Alignment:
Short-lived certificates align well with the principles of Zero Trust security. In a Zero Trust environment, continuous verification and authentication are crucial, and short-lived certificates support this approach by frequently reevaluating and renewing trust.
It’s irrefutable that shorter certificate validity periods are good for enhancing security. That said, it is important to understand and factor in operational complexities that come with monitoring, renewing, provisioning and managing short-lived certificates.
Google’s proposed change to public TLS certificate validity will likely come into effect in 2024. When it does, it is expected to push renewal frequency up to four times a year, considerably increasing the management workload of PKI and security teams. Monitoring expiry and renewing thousands of certificates on time will become practically impossible with manual processes.
This is where automation plays a key role. An advanced automated CLM solution simplifies the management of a large number of short-lived certificates by auto-renewing and re-provisioning them on time, minimizing the risk of certificate expiry-related outages and cybersecurity breaches. Automation accelerates the entire process of certificate enrollment, renewal, and installation while keeping it free from human errors.
Manage Short-lived Certificates Easily and Efficiently with AppViewX CERT+
AppViewX CERT+ is a ready-to-consume, scalable certificate lifecycle management (CLM) solution that automates all certificate processes end-to-end. You can discover, inventory, monitor, and automate the complete certificate lifecycle, all through a central console. By providing visibility, control, and insights, AppViewX CERT+ simplifies certificate lifecycle management and helps you balance the benefits of enhanced security with the operational complexity introduced by short-lived certificates.