Why We Need Shorter SSL Certificate Lifetimes
SSL certificate validity periods have shortened in recent years. We’ve seen industry standards go from five years, to three, to two. Apple recently announced that, beginning later in 2020, their Safari browser would block certificates that are valid for more than 13 months. The reality is, without a validity period and expiration date, SSL certificates would be useless. Certificate expiration is incredibly important to the security guarantees of SSL. Every SSL certificate has a period in which it can be used to establish secure connections. One of the core features of SSL is server authentication, which allows your web browser to know the identity of the server it’s connecting to. Without it, you would never know if you’re connecting to a real website, or a fake.
Previously, long-term certificates meant that you had to wait for the expiration in order to move to something new. Of course, you could manually expire them and start over, but many people felt that would be a waste of their investment. We all know how difficult it is to force companies to upgrade, even when they are creating security problems by supporting old systems or software. Things move rapidly in the evolving security landscape. A shorter shelf life ensures that your site and servers are protected by the most relevant encryption algorithms.
Shorter SSL certificate lifetimes
Enter the 90-day certificates. It might seem like a nightmare for administration, having to renew certificates more frequently. We go to the website, make the request, pay, re-cut any duplicates and install. It seems absurd that this should consume a few hours every three months. However, there are several critical security benefits that come with reducing the lifetime of your certificates.
90-day certificates come with advantages:
- You always stay on top of the latest encryption and security
- With scheduled automation, you eliminate last-minute renewal emergencies
- You have the flexibility to change certificate providers without being locked in long-term
- If your certificate’s private key is unknowingly compromised, the attacker’s window of opportunity is much smaller
Of course, there are a few disadvantages as well. They may require a software agent on the server, which could violate your organization’s software policies, or the agent may be blocked from communication if in a DMZ. Furthermore, nonstandard servers (think VPNs, appliances) may not support immediate issuance of 90-day certificates and might need to be restarted for the certificate to properly apply.
Automate and stay secure
Regardless, even with shorter certificate validity periods, you can always automate the process. Manual processing of certificate services is a waste of valuable time, which is why your process should include automation. SSL providers are catching on and have provided complete automated solutions for the renewal purchase, request, issuance and installation of these 90-day certificates.
As computing speed increases, so does our need for equally complex encryption methods. We must ensure the security of our information, whether on a web server, over VPN or in the Internet of Things. Maintaining a comprehensive certificate solution is just one key to minimizing your company’s exposure and strengthening your security stance.