In March this year, Google announced its plans to reduce the maximum validity period for public TLS certificates from 398 days to 90 days. The change in certificate validity is intended to “encourage automation” and promote the “agility required to transition the ecosystem to quantum-resistant algorithms quickly.” The policy change could either be introduced in a future policy update or a CA/B Forum Ballot Proposal.
Google’s proposal is likely to have a profound impact on certificate lifecycle management. Shorter certificate validity means more frequent renewals. With a validity period of a mere 90 days, public TLS certificates will require renewals not once but four times a year. Imagine the workload that goes into manually identifying expiring certificates and carrying out the renewal and provisioning process for tens and thousands of certificates! It would indeed be a monumental task.
Besides the staggering amount of effort involved, there is also the risk of missed certificate renewals, causing outages, service disruptions, vulnerabilities, financial losses, reputational damage, and compliance issues. The business impact is real and often disastrous.
To navigate the complexities and the challenges this imminent policy change will bring, organizations must start taking the right steps to prepare for 90-day certificates well in advance, streamline their renewals, and eliminate the possibility of unexpected certificate expiry.
Here are five steps to follow to stay on top of frequent certificate renewals and prevent outages:
Gain Complete Visibility of the Certificate Landscape
Complete visibility of all certificates in your infrastructure is essential to stay on top of expiring certificates and to eliminate outages. Build and maintain a central inventory of certificates, along with the necessary information, such as their expiration date, certificate location, issuing CA (Certificate Authority), owner, and other metadata. Having a holistic view of all certificates in your environment reduces the complexity of managing certificates, prevents blindspots and helps ensure timely renewals. Even in the event of an outage, ready access to certificate information helps to quickly identify the expired certificate’s location and replace it to restore services.
Monitor Certificates for Expiry
Track certificates regularly for expiry. Group certificates and keys based on specific business use cases or by business unit or team, to simplify monitoring. Manually tracking thousands of certificates can be impractical. Configure automated alerts to notify certificate owners and administrators or preferably set up auto-renewal well in advance of certificate expirations. The alerts can be delivered to certificate owners via emails for manual actions or via simple network management protocols (SNMP) for automation. Automated alerts and notifications will help ensure timely renewal or replacement of certificates, minimizing the risk of application outages due to expired certificates.
Automate Certificate Lifecycle Operations
Certificate renewal is a process that involves several steps and multiple approvals. While manual processes may work for renewing a handful of certificates, they certainly will cause inadvertent delays when it comes to renewing tens and thousands of certificates, increasing the risk of unexpected certificate expirations and outages. Given the amount of workload involved, manual processes are also highly prone to certificate provisioning errors, in turn causing outages.
Automation is an effective way of simplifying certificate lifecycle management (CLM). An automated CLM solution allows for auto-renewal of certificates based on pre-set policies and re-provisioning them to the right endpoint or application. Removing the need for human intervention accelerates the renewal process while ensuring that all certificates are correctly provisioned and installed. An advanced automation solution can also ensure that certificates are auto-renewed with newer and safer crypto standards for stronger security, which will be especially crucial for post-quantum transitions.
Establish Certificate Ownership
One of the common reasons for a certificate-related outage is certificate ownership dilemmas. Who should have tracked and monitored the certificate? Was the approval process followed? Who provisioned it? Who was responsible for enforcing a security policy around certificate issuance? These dilemmas often create confusion leading to outages.
Establishing clear certificate ownership, or in other words, delegating the management responsibility of certificates and keys, is one of the first steps toward preventing outages. Define an ownership hierarchy, an approval workflow, and a certificate enrollment process, ideally using automation, to provide the right information to the right people at the right time. Doing so helps enforce accountability for certificate actions and eliminates the potential for rogue certificates that expire and cause outages.
Enforce a Uniform PKI Policy
Enforcing strict PKI policies can greatly help streamline certificate issuance and management across all business units. Policy-driven management ensures the use of best practices, in terms of compliant and approved CAs, recommended crypto-standards, validity periods, and trust levels, in turn, ensuring compliance with internal, industry, and regulatory standards and mandates. Implement role-based access control (RBAC) to regulate permissions and provide the right level of access to certificates and keys to the right roles. Create audit trails to log every certificate and key-related activity for granular control and easy auditing. Generate periodic reports to detect anomalies, eliminate non-compliant certificates, and simplify auditing.
The change in the validity period for public TLS certificates is likely to come into effect in 2024. When the shift happens, PKI and security teams managing digital certificates with manual and ad hoc processes will crumble under the pressure of endless renewal cycles. Outages will become a frequent phenomenon, impacting business operations and growth in more ways than we can imagine.
Moreover, it is not just about Google’s proposal that PKI and security teams need to worry about; cryptography is undergoing rapid evolution, thanks to quantum computing. When advanced quantum computers become commercially available, quantum-enabled threats will run wild, potentially breaking today’s cryptographic algorithms. The best way to stay ahead of these threats is to become crypto-agile – building the ability to update and adapt certificate lifecycle operations without rewiring the entire infrastructure. It is important to remember that crypto-agility can only be enabled by automation. The sooner organizations understand this need and automate their certificate lifecycle management processes, the better equipped they will be to cope with the challenges.
How AppViewX Can Help
AppViewX CERT+ is a ready-to-consume, scalable certificate lifecycle management (CLM) solution that automates all certificate processes end-to-end. You can discover, inventory, monitor, and automate the complete certificate lifecycle, all through a central console. By providing visibility, control, and insights, AppViewX CERT+ simplifies certificate lifecycle management and helps you prevent outages and cyber threats.
AppViewX CERT+ enables complete certificate lifecycle automation, including CSR generation, domain validation, and provisioning to endpoints through:
- Advanced out-of-the-box and customizable automation workflows
- Support for public and private Certificate Authorities (CAs)
- Extensive native integrations and REST APIs
- Support for all major auto-enrollment protocols, including – ACME, EST, SCEP, Native Windows Auto-enrollment, and Microsoft Intune
Talk to an AppViewX expert today for a demo on how to quickly begin automating certificate lifecycle management to prepare for the upcoming 90-day TLS validity change.