
Google’s 90-Day TLS Certificate Validity Proposal

  1. What is Google’s 90-Day TLS Validity Proposal?
  2. Why Shorter Certificate Lifespans?
  3. When will the proposal take effect?
  4. What is the impact of 90-Day TLS?
  5. What is the call to action?

1. What is Google’s 90-Day TLS Validity Proposal?

In March 2023, Google announced in its Moving Forward, Together statement a plan to reduce the maximum validity period of publicly trusted TLS certificates to 90 days, down from 398 days. Google's stated rationale is that 90-day lifespans "will allow for faster adoption of emerging security capabilities and best practices, and promote the agility required to transition the ecosystem to quantum-resistant algorithms quickly."

In addition to decreasing the maximum validity period for TLS, Google also intends to shorten the domain validation reuse period to 90 days, down from 398 days. Requiring more frequent domain validation is intended to protect domain owners and minimize the risk of Certificate Authorities (CAs) inadvertently using outdated or inaccurate information, which could lead to certificate mis-issuance and potential abuse.


2. Why Shorter Certificate Lifespans?

Reducing certificate lifespans aims to drive automation, streamline issuance processes, and mitigate potential security risks associated with longer certificate validity periods. Adopting shorter certificate validity periods will ultimately help:

  • Enhance Security
  • Encourage Automation
  • Promote Agility
  • Support Compliance
  • Encourage Post Quantum Cryptography (PQC) Readiness

3. When Will the Proposal Take Effect?

The effective date for Google’s proposal is still to be determined. Google states that they plan to introduce this change either in a future policy update of Google’s Chrome Root Program or a CA/Browser (CA/B) Forum Ballot Proposal.

The industry has been pushing for shorter TLS certificate validity periods for over a decade. Through successive updates to its Baseline Requirements, the CA/B Forum has cut the maximum from five years to 39 months (2015), then 825 days (2018) and 398 days (2020), each step intended to strengthen security and force more disciplined certificate management.

4. What is the impact of 90-Day TLS?

Reducing TLS certificate validity to 90 days has both positive and negative implications for organizations of all sizes:

Positive Impact:

  • Agility: Because certificates are re-issued every few weeks, a change in CA policy, key size or signature algorithm propagates across a fleet within one renewal cycle instead of waiting up to a year for old certificates to age out.
  • Enhanced Security: A compromised or mis-issued certificate is only useful to an attacker until it expires. Browsers check revocation inconsistently, so expiry is the one backstop that always applies, and a 90-day lifetime shrinks that exposure window more than fourfold compared with 398 days.
  • Improved Compliance: Shorter lifespans force the certificate inventory and scheduled key rotation that frameworks such as PCI DSS expect for cryptographic material, because nothing can be left unmanaged for long without failing.

Negative Impact:

  • Increased Operational Overhead: A 90-day certificate renewed when a third of its lifetime remains (the cadence ACME clients default to) is re-issued roughly every 60 days, or about six times a year per endpoint, compared with once a year today. Done by hand, that is a drastic increase in tickets, change windows and opportunities for error.
  • Increased Risk of Outages/Service Disruptions: If renewal is not automated, or the automation is not monitored, the most likely failure is an expired certificate, which breaks every TLS client that talks to the service and, for internal systems, can disable monitoring and logging that would otherwise report the problem.
  • Compatibility Challenges: Short validity itself is not the problem for legacy systems; the problem is that many appliances, embedded devices and vendor applications have no ACME client or API for installing a new certificate, require a manual import through a management console, or pin the leaf certificate rather than a CA or public key. Each of these needs an update or a workaround before frequent rotation becomes practical.

While transitioning to 90-day TLS certificates presents challenges, the advantages far outweigh the drawbacks, particularly in the context of today’s dynamic threat landscape. Fortunately, comprehensive, automated Certificate Lifecycle Management (CLM) solutions are readily available to help organizations overcome 90-Day TLS validity hurdles, achieve crypto-agility and reinforce security.
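As an added illustration (this is not code from Google's proposal or from any CLM product), the stdlib-only Python below triages a constructed certificate inventory against both the current 398-day and the proposed 90-day maximum. It shows the three states an automated lifecycle process has to catch, expired, inside the renewal window, and issued for longer than policy allows, and it computes the renewal cadence an ACME-style client settles into when it renews with a third of the lifetime remaining. Host names and dates are constructed for the example.

```python
"""Triage a TLS certificate inventory against a maximum-validity policy.

Added example, standard library only. The inventory below is constructed;
the host names are placeholders, not real deployments.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_VALIDITY_DAYS_TODAY = 398     # current CA/B Forum Baseline Requirements maximum
MAX_VALIDITY_DAYS_PROPOSED = 90   # Google's Moving Forward, Together target


@dataclass(frozen=True)
class CertRecord:
    """One inventory entry: where the certificate is deployed and its validity window."""
    host: str
    not_before: datetime
    not_after: datetime

    @property
    def lifetime(self) -> timedelta:
        return self.not_after - self.not_before


def renewal_window(validity_days: int) -> int:
    """Renew once a third of the lifetime remains (the convention ACME clients
    such as certbot follow), so a 90-day certificate is renewed around day 60."""
    return validity_days // 3


def classify(cert: CertRecord, now: datetime, max_validity_days: int) -> str:
    """Triage one certificate. Order matters: an expired certificate is an outage
    regardless of policy, and one issued for longer than the policy allows must be
    re-issued under the new rules rather than renewed on the old terms."""
    if cert.not_after <= now:
        return "expired"
    lifetime_days = cert.lifetime.days
    if lifetime_days > max_validity_days:
        return "exceeds-policy"
    remaining = cert.not_after - now
    if remaining <= timedelta(days=renewal_window(lifetime_days)):
        return "renew-now"
    return "ok"


def triage(inventory, now: datetime, max_validity_days: int) -> dict:
    """Map every host to its status under the given maximum validity."""
    return {c.host: classify(c, now, max_validity_days) for c in inventory}


def renewal_schedule(issued: datetime, validity_days: int, horizon_days: int = 365) -> list:
    """Dates on which an automated client would renew within the horizon, assuming
    each renewal re-issues for the same lifetime and fires at the renewal window."""
    step = validity_days - renewal_window(validity_days)
    return [issued + timedelta(days=k * step)
            for k in range(1, horizon_days // step + 1)]


def _cert(host: str, issued: datetime, days: int) -> CertRecord:
    return CertRecord(host, issued, issued + timedelta(days=days))


# Constructed sample data: a fixed "now" so the results are reproducible.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
ISSUED = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    _cert("api.example.test", datetime(2024, 4, 1, tzinfo=timezone.utc), 90),     # 29 days left
    _cert("www.example.test", datetime(2024, 5, 15, tzinfo=timezone.utc), 90),    # 73 days left
    _cert("legacy.example.test", datetime(2023, 6, 1, tzinfo=timezone.utc), 398), # 398-day cert
    _cert("old.example.test", datetime(2024, 2, 1, tzinfo=timezone.utc), 90),     # lapsed 1 May
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY, NOW, MAX_VALIDITY_DAYS_PROPOSED).items():
        print(f"{host:22} {status}")
    for days in (MAX_VALIDITY_DAYS_TODAY, MAX_VALIDITY_DAYS_PROPOSED):
        n = len(renewal_schedule(ISSUED, days))
        print(f"{days}-day certificates: {n} renewal(s) in the first year")
```

Run against the sample, the 398-day certificate is merely "renew-now" under today's limit but "exceeds-policy" under the 90-day limit, and the schedule shows one renewal a year becoming six; the "old.example.test" entry is the outage case the text warns about, an expiry nobody renewed.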

5. What is the call to action?

Although the effective date is still undecided, it’s crucial for organizations to start preparing now for the transition to 90-day TLS certificate validity. Google publicly announced their proposal in 2023 to give organizations ample warning and to encourage organizations to take action now. Proactive planning, including implementing effective certificate lifecycle management (CLM) strategies and crypto-agility will help ensure a smooth transition to reduced certificate lifespans.
