With each shortening of the permitted validity period, the maximum certificate term has now come down to roughly one year. Initially, public CAs issued certificates with a term of up to five years. In 2015 the maximum validity was cut to three years (39 months), and in March 2018 to two years (825 days). In February 2020, Apple announced at the CA/Browser Forum meeting in Bratislava that, from 1 September 2020, it would only accept TLS server certificates with a validity of at most 398 days (about 13 months); the other major browser vendors followed.
Why is the lifespan of SSL/TLS certificates increasingly shortened?
There are three main reasons:
- Certificates that still use outdated algorithms or key sizes considered insecure drop out of circulation sooner, because they cannot be renewed on the old parameters.
- Security for the user increases when the CA re-checks at regular, roughly annual intervals who is behind the certificate and whether they still control the domain. This limits misuse.
- Cyber criminals can misuse a certificate whose private key has been compromised. With shorter terms, such certificates fall out of circulation sooner and there is less time for criminal activity. (Expiry is a backstop, not a substitute for revoking the certificate as soon as the compromise is known.)
The more often an SSL/TLS certificate has to be renewed, the more often the CA (certificate authority) re-validates the website and, for OV and EV certificates, its operator. Fake websites are thus recognised more quickly and lose their certificates sooner.
A long certificate validity period also gives attackers a longer window in which a leaked or stolen private key can be used to impersonate websites or machine identities. If certificates become invalid more quickly, key rotation and configuration changes reach production more quickly, which leaves less time for such attacks.
At the same time, building trust in their website with valid SSL/TLS certificates is a benefit for website operators, as successfully checked pages are classified as trustworthy. This makes the internet a bit safer and provides better protection for users.
Why are there different certificate types?
The certificate type is also a decisive security factor. Organisation-validated X.509 certificates and those with extended validation (OV or EV certificates) do not use stronger cryptography than other certificates, but they provide stronger identity assurance. This is because a trustworthy institution (a so-called trust centre) thoroughly checks the identity of the website operator before issuing these certificate types.
For EV certificates, the CA checks additional information. For example, whether the applicant is actually an employee of the website operator and whether they are authorised to request certificates on its behalf.
It is therefore not surprising that only a negligible share of fake websites are equipped with an EV certificate.
The majority of phishing attacks, on the other hand, are carried out via websites that are only secured via domain-validated certificates (DV certificates) or where there is no certificate at all.
Why then is the attractiveness of certificates with identity verification decreasing?
The identity check behind OV and EV certificates means more effort, and it now has to be repeated at ever shorter intervals. To avoid it and save costs, domain operators could be tempted to switch to DV certificates. With these, the only thing checked is that the applicant controls the domain. An identity check does not take place.
Unfortunately, this makes things easy for cyber criminals. They register internet addresses that can easily be mistaken for those of large shops or banks and equip them with DV certificates. The connection is then genuinely encrypted and the browser shows no warning, but the certificate says nothing about who operates the site, so the padlock only feigns security to the user.
Identity-checked certificates therefore denote more security on the net and in online communication. Despite the higher administrative effort, it is therefore worthwhile to prefer OV and EV certificates.
What do certificate holders currently have to keep in mind?
SSL/TLS certificates issued up to 31 August 2020 may still have a term of up to 825 days (about two years) and will therefore expire by early December 2022 at the latest. Digital certificates requested from 1 September 2020 are valid for at most 398 days (about 13 months), so the first of them become invalid from around October 2021. Especially in the present transition phase, it is therefore important to keep a precise overview of the digital certificates used in the company in order to avoid unpleasant surprises.
How long an SSL certificate is still valid and whether it is correctly installed can easily and quickly be determined with a free online SSL check, or locally with the openssl command line tool.
What happens when a certificate expires unnoticed?
If a website certificate expires unnoticed, the browser can no longer validate it and therefore cannot confirm the identity of the accessed website. A trusted connection can no longer be established.
For this reason, browsers block the page or place a full-page warning in front of it. Many visitors will not proceed past the warning or will abandon their purchases. This leads to a loss of sales.
Security warnings of this kind are not only embarrassing, especially for large companies, they can also lead to reputational damage.
Expired SSL/TLS certificates can also have devastating consequences in the internal network. In many internal processes, for example, production machines authenticate themselves to each other using digital certificates. In other cases, data is transmitted between services over TLS. Such processes also depend on digital certificates and come to a complete standstill if a certificate expires unnoticed.
Certificates with organisation validation or extended validation increase security on the internet as well as in online communication. This is particularly important in the case of machine identities, for example.
In order to continue to guarantee high security standards, certificate validity periods will probably continue to be shortened. Especially if a company has several certificates in use, it is recommended to manage them with a certificate management tool like essendi xc.
With essendi xc you can easily and conveniently keep track of your certificate inventory. You will be informed in time before digital certificates expire and reminded to renew them. Depending on the configuration, essendi xc also automatically handles the request for new certificates and even installs them in the target system.