Current developments:

  • March 2023: Google calls for a reduction of the validity period to 90 days
    In March 2023, Google proposed to shorten the maximum validity period of TLS certificates to 90 days. The aim is to increase security and minimize risks from compromised certificates.
  • October 2024: Apple plans to gradually reduce the validity period to 45 days
    In October 2024, Apple submitted a proposal that would reduce certificate lifetimes in stages: a maximum of 200 days from March 15, 2026, 100 days from March 15, 2027, and 47 days from March 15, 2028.
  • January 2025: Let’s Encrypt is planning certificates with a validity period of just six days for certain use cases
    To further increase security, Let’s Encrypt is planning to introduce certificates with a validity period of just six days starting at the end of 2025. These are intended for automated environments and special use cases. Certificates with a validity period of 90 days will continue to be available.

Diagram

Why is the lifespan of SSL/TLS certificates increasingly shortened?

There are three main reasons:

  • Faster elimination of insecure algorithms
    Certificates with outdated algorithms that are considered insecure expire more quickly and are no longer used.
  • Increased security through more frequent validation
    Security for users increases when the identity behind a certificate is checked regularly, which prevents misuse.
  • Reducing the risk of compromised certificates
    Cyber criminals can misuse compromised SSL certificates for their own purposes. Due to the shorter terms, compromised certificates are also taken out of circulation more quickly and there is less time for criminal activities.

The more often an SSL/TLS certificate has to be renewed, the more often websites and their operators are checked by the CA (certificate authority). Fake websites are thus recognised more quickly and can be avoided.
A long certificate validity period also gives attackers more time to crack private keys and take control of websites or machine identities. If certificates become invalid sooner, updates and changes take effect more quickly, which leaves less time for attacks.
At the same time, valid SSL/TLS certificates help website operators build trust in their site, as successfully verified pages are classified as trustworthy. This makes the internet a little safer and provides better protection for users.

Challenges and benefits for users

Challenges:

  • Increased administrative effort: Shorter validity periods require more frequent renewals, which increases the administrative effort.
  • Need for automation: Manual processes reach their limits with short validity periods and large numbers of certificates, making automated certificate management systems indispensable.
  • Decreasing attractiveness of OV/EV certificates: OV (Organization Validation) and EV (Extended Validation) certificates require a detailed identity check each time they are renewed. Since shorter terms make this process necessary more often, the use of such certificates could become less practical if companies do not rely on efficient automation.
  • Compatibility requirements: Systems that are not yet prepared for the regular renewal of certificates will need to be adapted to ensure a smooth process.
  • Timely planning required: Companies need to prepare for more frequent certificate renewals and new technical requirements. Forward planning is crucial to avoid outages and security breaches.

Advantages:

  • Increased security: Compromised certificates have a shorter lifespan, reducing the risk of misuse.
  • Up-to-date encryption standards: More frequent renewals ensure that the latest and most secure encryption algorithms are always used.
  • More control over your own certificate infrastructure: Companies that address automated certificate processes early on can strengthen their IT security and compliance.

What happens when a certificate expires unnoticed?

If a website's certificate expires unnoticed, the browser can no longer verify the identity of the site being accessed, and a secure connection can no longer be ensured.
For this reason, browsers block the page or display a warning before it. Many visitors will leave the page or abandon their purchases, which leads to lost sales.
Security warnings of this kind are not only embarrassing, especially for large companies; they can also cause reputational damage.

Expired SSL/TLS certificates can also have devastating consequences in the internal network. In many internal processes, for example, production machines authenticate themselves to each other using digital certificates; in other cases, data is transmitted in encrypted form. Such processes also rely on digital certificates and come to a complete standstill if these expire unnoticed.

How can a certificate management system help affected users?

An efficient certificate management system like essendi xc helps users meet the increased requirements resulting from shorter certificate durations.

  • Automated renewal: The system renews certificates automatically and in a timely manner, minimizing human error.
  • Centralized management: All certificates are managed in one place, enabling better oversight and control.
  • Notifications and alerts: Users are notified in a timely manner of upcoming renewals or issues, allowing proactive measures to be taken.
  • Ensuring compliance: The system supports compliance requirements by supporting the latest security standards and protocols.
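As an added example (not code from the article and not part of essendi xc), the renewal-window decision such a system has to make: from a certificate's NotBefore and NotAfter it classifies the certificate as fine, due for renewal or already expired, using the rule common in ACME clients of renewing once a third of the lifetime remains (an assumption of this example). Run over the lifetimes the article mentions, it shows that a six-day certificate leaves a renewal window of only two days, which is why the "Need for automation" challenge above is real.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"time"
)

// State is the action a certificate needs at a given instant.
type State string

const (
	StateOK      State = "ok"      // outside the renewal window
	StateRenew   State = "renew"   // inside the renewal window: renew now
	StateExpired State = "expired" // past NotAfter: the outage has begun
)

// RenewalState uses the rule, common in ACME clients, of renewing once a third
// of the lifetime remains (an assumption of this example, not a rule from the
// article). It returns the state and the time left until NotAfter.
func RenewalState(cert *x509.Certificate, now time.Time) (State, time.Duration) {
	lifetime := cert.NotAfter.Sub(cert.NotBefore)
	renewAt := cert.NotAfter.Add(-lifetime / 3)
	switch {
	case now.After(cert.NotAfter):
		return StateExpired, 0
	case !now.Before(renewAt):
		return StateRenew, cert.NotAfter.Sub(now)
	default:
		return StateOK, cert.NotAfter.Sub(now)
	}
}

// CertValidFor builds a constructed certificate record with only the validity
// fields set; a real checker gets the struct from tls.Conn's PeerCertificates.
func CertValidFor(issued time.Time, days int) *x509.Certificate {
	return &x509.Certificate{NotBefore: issued, NotAfter: issued.AddDate(0, 0, days)}
}

func main() {
	issued := time.Date(2026, 3, 15, 0, 0, 0, 0, time.UTC)
	check := issued.AddDate(0, 0, 40) // one check run, 40 days after issue
	// Lifetimes from the article: one year, Google's 90 days, Apple's 47, Let's Encrypt's 6.
	for _, days := range []int{365, 90, 47, 6} {
		cert := CertValidFor(issued, days)
		state, left := RenewalState(cert, check)
		fmt.Printf("%3d-day cert, checked on day 40: %-7s (%v left, window %v)\n",
			days, state, left, cert.NotAfter.Sub(cert.NotBefore)/3)
	}
}
```

On day 40 the one-year and 90-day certificates are still fine, the 47-day certificate is already inside its renewal window with a week left, and the six-day certificate has been expired for over a month.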

With certificate lifespans getting shorter and shorter, reliable certificate management is becoming increasingly important. With essendi xc, you can automate your certificate management, minimize risks and ensure that your digital identities are protected at all times.
Find out more now and take your IT security to the next level!

Beyond the Padlock: Why Certificate Types Make a Difference

Why are there different certificate types?

Certificate types are also a decisive security factor. Organisation-validated X.509 certificates and those with extended validation (OV and EV certificates) are considered more resistant to cyber-attacks, because a trustworthy institution (a so-called trust centre) thoroughly checks the identity of the website operator when issuing these certificate types.
For EV certificates, the CA checks additional information, for example whether the applicant is actually an employee of the website operator and whether they are authorised to request certificates.
It is therefore not surprising that only a negligible share of fake websites are equipped with an EV certificate.
The majority of phishing attacks, on the other hand, are carried out via websites that are only secured via domain-validated certificates (DV certificates) or where there is no certificate at all.

Why then is the attractiveness of certificates with identity verification decreasing?

This higher effort is now necessary at ever shorter intervals. To avoid it and save costs, domain operators could be tempted to use DV certificates more often. With these, the only thing checked is whether the applicant is also the holder of the domain; no identity check takes place.
Unfortunately, this makes life easy for cyber criminals. They register internet addresses that are easily mistaken for those of large shops or banks and install only DV certificates, which in this case merely feign security to users.
Identity-checked certificates therefore mean more security on the net and in online communication. Despite the higher administrative effort, it is worthwhile to prefer OV and EV certificates.

What do certificate holders currently have to keep in mind?

SSL/TLS certificates issued up to August 2020 can still be valid for two years and will expire in September 2022 at the latest. Digital certificates requested from 1 September 2020 will only be valid for one year and will therefore become invalid from October 2021. Especially in the present transition phase, it is therefore important to keep a precise overview of the digital certificates used in the company in order to avoid unpleasant surprises.
How long an SSL certificate is still valid and whether it is correctly installed can easily and quickly be determined by a free SSL check on the net.

In a nutshell

Certificates with organisation validation or extended validation increase security on the internet as well as in online communication. This is particularly important in the case of machine identities, for example.
In order to continue to guarantee high security standards, certificate validity periods will probably continue to be shortened. Especially if a company has several certificates in use, it is recommended to manage them with a certificate management tool like essendi xc.
With essendi xc you can easily and conveniently keep track of your certificate inventory. You will be informed in time before digital certificates expire and reminded to renew them. Depending on the configuration, essendi xc also automatically handles the request for new certificates and even installs them in the target system.