You may have read our previous blog about the pending reduction of digital certificate life cycles to just 90 days. This past weekend, the issue gained momentum at the Certification Authority Browser Forum, where more detail was discussed following the ballot proposed by Apple® to set a timeline for shorter-lifetime certificates.
This creates real urgency for organizations of all sizes to seriously consider and implement automation in their certificate life cycle management. “But it’s just a proposal,” I hear! Yes, currently it’s just a proposal, subject to further discussion and then a ballot. But even if the ballot fails to pass, it’s highly likely that Apple or Google® will make it policy anyway.
Let’s look at the timeline:
| Timeframe | Life cycle for certificates | Domain control validation (DCV) re-use period |
|---|---|---|
| After September 2025 | 200-day certificates | DCV re-use 200 days |
| After September 2026 | 100-day certificates | DCV re-use 100 days |
| After April 2027 | 45-day certificates | DCV re-use 45 days |
| After September 2027 | 45-day certificates | DCV re-use 10 days |
This may seem complex at first, but the life cycles follow a simple logic: an ideal certificate term plus an early renewal window:
- 200 days = 180 days (six months) + 20 days early renewal
- 100 days = 90 days (three months) + 10 days early renewal
- 45 days = 42 days (six weeks) + three days early renewal
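To make the timeline and the term-plus-window logic concrete, here is an added Python example (not code from the original post or from CSC) that models the schedule above and, for a given certificate, works out the latest permitted expiry, the day automation should renew it, and whether each renewal will need fresh domain control validation. The exact cut-over days are an assumption, since the post only names the months.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass(frozen=True)
class Regime:
    effective: date   # assumed cut-over day; the post only names the month
    lifetime: int     # maximum certificate life cycle, in days
    ideal_term: int   # intended term; lifetime - ideal_term is the early-renewal window
    dcv_reuse: int    # days a domain control validation may be re-used

# Timeline from the post. Cut-over days are an assumption ("after September 2025"
# is modelled as 1 October 2025, and so on); the ballot may fix different days.
SCHEDULE = (
    Regime(date(2025, 10, 1), 200, 180, 200),
    Regime(date(2026, 10, 1), 100, 90, 100),
    Regime(date(2027, 5, 1), 45, 42, 45),
    Regime(date(2027, 10, 1), 45, 42, 10),
)

def regime_on(day: date) -> Optional[Regime]:
    """Rules in force on `day`; None before the first milestone."""
    current = None
    for r in SCHEDULE:
        if day >= r.effective:
            current = r
    return current

def plan(not_before: date, not_after: Optional[date] = None) -> dict:
    """Renewal plan for a certificate issued on `not_before`. If `not_after`
    is omitted, the maximum lifetime of the issue-date regime is assumed."""
    r = regime_on(not_before)
    if r is None:
        raise ValueError("issue date precedes the proposed timeline")
    not_after = not_after or not_before + timedelta(days=r.lifetime)
    if (not_after - not_before).days > r.lifetime:
        raise ValueError(f"lifetime exceeds the {r.lifetime} days allowed from {r.effective}")
    window = r.lifetime - r.ideal_term
    return {
        "not_after": not_after,
        "renew_on": not_after - timedelta(days=window),  # start of the early-renewal window
        "early_window_days": window,
        # once DCV re-use is shorter than the term, every renewal needs fresh validation
        "fresh_dcv_each_renewal": r.dcv_reuse < r.ideal_term,
    }

def due_for_renewal(not_before: date, not_after: date, today: date) -> bool:
    """True once `today` is inside the early-renewal window (or past expiry)."""
    return today >= plan(not_before, not_after)["renew_on"]

def renewals_per_year(lifetime_days: int) -> float:
    """Renewal events per certificate per year at a given life cycle."""
    return 365 / lifetime_days
```

Under the final regime the DCV re-use period (10 days) is shorter than the 42-day term, so validation, not just issuance, has to be automated.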
The good news is that previous predictions that we’d see 90-day certificates come into effect in 2025 are not realized in this proposal—it suggests 180-day certificates next year, with 90-day certificates not coming into effect until 2026. It’s good news insomuch as there’s slightly more time to get your digital ducks in a row. But only slightly more time.
The gradual decrease in certificate life cycles undoubtedly causes a headache for busy IT security teams—and a headache that will only get worse without certificate automation. Organizations with manual tracking and monitoring methods simply will not be able to cope with hundreds (or even thousands) of certificates expiring at different times. Missed certificate renewals = unencrypted sites = security risk.
Automate, automate, automate!
By September 2027, your current renewal workload will have increased eight-fold—organizations can’t really afford to adopt a wait-and-see approach. To automate certificate renewals, you first need to check whether your current web servers are Automated Certificate Management Environment (ACME) compatible. Our secure sockets layer (SSL) automation checklist can help you assess whether your current SSL setup is compatible with automation. If it isn’t, I would expect a large-scale project like making all your infrastructure ACME-compatible to take about 12 months, with at least two tests in that period to ensure the new renewal process works smoothly—so it really is time to act!
We’re ready to talk
CSC has multiple automation options to help you address the issue of shortened certificate life cycles. If you’d like to discuss your current situation with one of our experts, complete our contact form.