Google wants to shorten the validity of digital certificates for websites to 90 days. This change affects every company that secures its communication with digital certificates. The maximum validity of SSL certificates has already been reduced several times; the most recent cut, in September 2020, brought it down from two years to 13 months. Now Google wants to reduce the lifetime drastically once more. The Chrome team gives various reasons for this in an article on the Chromium Project blog. We highlight the most important ones below.
It is high time for automation: Due to the shortening of the term of digital certificates to 90 days, certificate management can no longer be handled manually.
What are SSL/TLS certificates used for?
SSL/TLS certificates play an important role in ensuring security and privacy on the web. They enable an encrypted connection between a user and a website. This protects sensitive information such as passwords, credit card details and personal data from unauthorised access, so that it cannot be intercepted or manipulated in transit by third parties.
However, certificates can also be flawed, stolen or forged. Cyber criminals can use them to create fake websites, for example. Their goal is to lure users to one of these fake websites, where they steal the user's personal data or install malware on their computer.
What improvements does the Chromium team hope to see?
Promoting modern infrastructures and agility
Promoting modern infrastructures and agility is the first-mentioned and probably most important goal. Shortening the duration is intended to “move the ecosystem away from baroque, time-consuming and error-prone issuance processes”.
Shorter certificate validities allow new security features to be adopted more quickly. This will provide the flexibility needed to rapidly transition the certificate ecosystem to quantum-resistant algorithms.
With the growing importance of the internet, certificates are becoming increasingly important. They are crucial when it comes to ensuring security and trust in digital communication. Their misuse can have serious consequences.
Long durations and the growing number of digital certificates offer hackers more and more opportunities for abuse.
There are two ways to check whether an SSL certificate has been revoked: looking it up in a certificate revocation list (CRL) or querying the Online Certificate Status Protocol (OCSP). Neither CRL nor OCSP is 100% reliable. A shorter validity period reduces the dependency on the results of these lookups, because a compromised certificate expires on its own much sooner.
So the most important goal of shortening the validity of digital certificates is to increase the security of websites and online transactions. An undetected weakness persists for the entire validity period of a certificate; by shortening that period, such weaknesses are remedied more quickly.
Specialisation of CAs
In future, certification authorities are to specialise in certain types of certificates. Today a CA may issue several different types. Specialisation makes a CA a less attractive target for cyber criminals, whereas a CA that offers many types is a far more lucrative target.
The Chrome team sees a big advantage in the automation that becomes necessary due to the shortened runtime. Certificate management tools like essendi xc provide support when one wants to renew a large number of SSL certificates. They minimise the sources of error that exist when applying for certificates manually. In addition, they facilitate the quick changeover to quantum-resistant encryption.
Automated certificate management moves more into focus
The changes affect browser manufacturers and certification authorities on the one hand. They have to adjust to the new situation and to a massive increase in certificate requests.
But many companies also have to renew expired certificates much more frequently. If the certificate management is not automated, this results in a lot of work:
Companies have to monitor the technical expiry date, create valid SSL certificates and make them available in their own systems. Usually, many certificates are in use and their number is constantly growing. If the annual effort for certificate management now quadruples, it can no longer be managed manually.
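The following script is an added example, not part of the original article or of essendi xc: it shows the two checks an automated process has to run once lifetimes drop to 90 days, namely whether a certificate is inside its renewal window and which revocation pointers (OCSP) it carries. It assumes openssl is installed; the certificate it generates and the name example.test are constructed fixtures.

```shell
# Added example (not from the original article): renewal-window and
# revocation-pointer checks for a certificate file. Assumes openssl.
set -e

# Returns 0 (true) when the certificate in $1 expires within $2 days,
# i.e. renewal is due; returns 1 otherwise.
# openssl's -checkend expects seconds and succeeds if the certificate
# is still valid at that point in the future, so the result is inverted.
cert_needs_renewal() {
    cert="$1"; days="$2"
    if openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null; then
        return 1   # still valid beyond the window: nothing to do yet
    else
        return 0   # expires within the window: renew now
    fi
}

# Prints subject, validity window and the OCSP responder URL (if any),
# the data an inventory tool needs for every certificate it tracks.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -startdate -enddate -ocsp_uri
}

# Constructed fixture: a self-signed certificate with a 90-day lifetime,
# standing in for a real server certificate (placeholder name example.test).
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 \
        -subj "/CN=example.test" -keyout "$1.key" -out "$1" 2>/dev/null
}

# Usage: make_demo_cert /tmp/demo.pem; cert_needs_renewal /tmp/demo.pem 30 && echo "renew"
```

In practice the threshold would be set well below the lifetime (for example renewing a 90-day certificate after 60 days) so that a failed renewal attempt still leaves time to react.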
With essendi xc we offer a certificate management tool that effectively supports you in this process. It automates the processes from certificate application to issuance in the target systems. Once set up, all processes run by themselves.
Individually configurable default settings allow certificates to be applied for according to specifically defined criteria. Specialisation of the certification authorities can therefore be implemented easily with the multi-CA-capable essendi xc. It can obtain certificates from different certification authorities. A special CA can be assigned to each certificate type.
We would be happy to demonstrate our tool in a live demo.
The reduction of the lifetime of digital certificates to 90 days has not yet been finally decided. It is a proposal of the Chrome team that still has to be discussed in the CA/Browser Forum. A decision is expected in spring 2023. Due to the high market share of the Chrome browser, Google could theoretically make the changes standard even without the forum’s approval.
We will keep you informed.