Digital certificates, like SSL/TLS certificates, create user trust by authenticating a website’s ownership by providing information like domain name and organization details. A key component underpinning this process is the certificate’s validity period. The movement toward shorter TLS certificate lifespans, particularly the push for 45-day certificates, is gaining momentum. While shorter validity periods offer enhanced security by reducing the window for exploitation, they also introduce new challenges in management and tracking.
While digital certificates ensure trustworthy communications, managing them manually is a time-consuming process that can lead to service outages. By consolidating all certificate recertifications in a single location, organizations streamline processes with automation to mitigate risks arising from shorter TLS certificate validity periods.
The Push for 45-Day Certificates
SSL/TLS certificates use public-key cryptography and public-key infrastructure to secure verification, enabling trusted online interactions. The key benefits that digital certificates provide are:
- Authentication: Validates the identity of websites and devices.
- Encryption: Ensures that communications remain private and secure.
- Trust: Establishes user confidence in website interactions.
- Security: Certificate lifespans limit exploitation by attackers.
As organizations adopted cloud technologies, digital communications across the public internet became critical to business operations. Over time, the maximum certificate validity period started shrinking in response to these new cybersecurity risks, moving from three years to two years.
A shift occurred at the March 2020 Certificate Authority/Browser Forum when Apple Announced that it was reducing its TLS certificate validity period to 398 days. Three years later, Google announced that they intended to limit certificate validity periods to 90 days. Since then, the following timeline for changes has been released:
- 200 days by September 15, 2025
- 100 days by September 15, 2026
- 45 days by April 15, 2027
What are the Benefits of Shorter Certificate Lifespans?
Reducing the maximum validity period from 13 months to just 90 days – or ultimately 45 days – enhances identity validation and nudges organizations toward improving overarching security.
The shorter certificate validity period offers various security and operational benefits, including:
- Limiting the impact of a private key compromise by forcing changes
- Requiring more regular reviews to address certificate misissuance issues, like incorrect information or security flaws
- Using SSL/TLS certificates that rely on domain control validation (DCV) to enforce review of domain ownership
- Enabling cryptographic agility by making organizations review certificates more regularly makes them more likely to adopt advanced solutions sooner
- Encouraging automation that will reduce or eliminate human error risks in manual processes
What are the Challenges That Shorter Certificate Lifespans Create?
While shorter TLS/SSL certificate lifespans improve security, they create additional administrative work that can overwhelm internal teams. Many organizations use their DNS infrastructure to automate certificate management processes, but without proper tools and policies in place, this can lead to inefficiencies, missed renewals, and increased risk of outages. Some organizations can maintain tens or hundreds of thousands of certificates, making automation and centralized management critical for ensuring security and operational continuity.
Manual Processes
Many companies still rely on fundamentally manual processes for initiating, completing, and tracking certificate management. The recertification process typically requires coordination between various internal stakeholders, including:
- A department that needs the certificate, like marketing or DevOps
- Certificate management team
- DNS team if using DNS records for validating the domain
Tracking in Multiple Locations
With multiple internal teams working on recertification, organizations often find that they manage tracking in multiple locations. The line of business owner may email the certificate team or use an IT service management (ITSM) system to create a ticket. The certificate team needs to update the ITSM, documenting that it sent a request to the DNS team. Without a single location for tracking the certifications, the different people involved have no insight into the process and spend too much time on follow-up tasks, like emails.
Security and Business Disruption Risks
When the TLS/SSL certificate for a domain expires, the connection is no longer trusted. The certificate encrypts the data transmitted between a browser and the domain. Once the certificate expires, attackers can intercept and view the data. Additionally, most browsers will send users an error message and block their access to the site, causing business disruption for domains hosting critical applications.
Different Types of Certificates
As organizations implement secure software development processes, development teams create their own security infrastructure, often issuing certificates with a combination of less secure SSL certificates, secrets management tools, DevOps platforms, and scripts. However, this creates security risks because they issue the certificates rapidly but may not manage them in line with the organization’s overarching certificate management processes.
How Using DNS Records Streamlines Recertification Processes
The move towards shorter validity periods for TLS certificates demands more efficient recertification processes. Using DNS records is key to streamlining this. Here’s how it works:
- Quick Validation: DNS records can speed up Domain Control Validation (DCV). This allows for faster certificate issuance and renewal.
- Automation: Automated systems use DNS data to quickly verify domain ownership. This reduces manual effort and human error.
- Efficiency: By keeping DNS records up-to-date, organizations ensure timely renewals and installations. This helps avoid disruptions caused by certificate expiration.
- Security: Faster validations limit the risk of using compromised certificates. Timely renewals protect websites from security threats and maintain trust.
Embrace Automation to Improve TLS Certification Processes
Automation is transforming how organizations handle TLS certificates. Automated tools also enhance security by reducing human error. They apply the latest security practices consistently, which is crucial with the increasing need for frequent renewals.
Centralize All Activities in a Single Location
Centralizing certificate lifecycle management in one console boosts visibility and control. Many organizations use third-party providers to help manage their activities. However, this still means that documentation and updating require ensuring that the right people have access to those third-party platforms. Additionally, this can increase costs while expanding the attack surface.
Organizations should look for solutions that enable them to easily connect DNS and certificate management in a single location. By leveraging API integrations that import DNS information into a certificate management platform, organizations can manage all processes in a centralized hub that allows them to create automated workflows.
Manage all Certificates for Enhanced Visibility and Application Security
Modern enterprise organizations may have hundreds of thousands of domains and subdomains, including separate ones for development and production environments. By centralizing all certificate management activities in a single location, organizations can ensure that DevOps teams consistently replace development and test certificates with production certificates to reduce application risks arising from unauthorized CAs.
Build Automated Workflows
Automated workflows track expiration dates, notify the right personnel, and perform necessary validations efficiently to reduce risk and enhance scalability, especially for those managing numerous certificates. Investing in a solution that natively integrates DNS and certificate management enables organizations to create automated workflows that natively document all activities. These solutions and automation will update DNS records every time the CA issues a new certificate so that the DNS teams no longer need to spend time on low-level tasks that take them away from more strategic activities.
Vercara: Enterprise Grade DNS for Domain Verification and Authentication
Vercara’s UltraDNS provides enterprise DNS hosting that includes authoritative DNS servers to ensure seamless and secure management of your digital infrastructure. Designed for near-zero response times, organizations can manage up to 100 billion global authoritative DNS queries per day without experiencing latency. With our 100% availability, you can ensure that your online assets are always available because our global platform is highly redundant, with up to 47 nodes across six continents.
We offer built-in security features, like Distributed Denial of Service (DDoS) protection and DNSSEC management, to help you mitigate security and operational risks. Our DNS services are engineered as a proprietary, non-open-source solution so that you can protect against threats by leveraging publicly available information and software supply chain risks.
To learn how Vercara can help you navigate the shorter TLS certification timelines, contact us today.
