In March of 2023, Google announced plans, in their “Moving Forward, Together” statement, to reduce the maximum validity period for public TLS certificates to 90 days (down from 398 days). In this statement, Google explains that reducing certificate lifespans to 90 days “will allow for faster adoption of emerging security capabilities and best practices, and promote the agility required to transition the ecosystem to quantum-resistant algorithms quickly.”
In addition to decreasing the maximum validity period for TLS, Google also intends to shorten the domain validation reuse period to 90 days, down from 398 days. Requiring more frequent domain validation is intended to protect domain owners and minimize the risk of Certificate Authorities (CAs) inadvertently using outdated or inaccurate information, which could lead to certificate mis-issuance and potential abuse.
Reducing certificate lifespans aims to drive automation, streamline issuance processes, and mitigate potential security risks associated with longer certificate validity periods. Adopting shorter certificate validity periods will ultimately help:
The effective date for Google’s proposal is still to be determined. Google states that they plan to introduce this change either in a future policy update of Google’s Chrome Root Program or a CA/Browser (CA/B) Forum Ballot Proposal.
The industry has been pushing for shorter TLS certificate validity periods for over a decade, with TLS certificate validity continuing to be reduced. As part of a collective effort to fortify security and encourage streamlined certificate management practices, the CA/B Forum has reduced certificate validity, through updated baseline requirements, approximately every 3 years.
Reducing TLS certificate validity to 90 days has both positive and negative implications for organizations of all sizes:
While transitioning to 90-day TLS certificates presents challenges, the advantages far outweigh the drawbacks, particularly in the context of today’s dynamic threat landscape. Fortunately, comprehensive, automated Certificate Lifecycle Management (CLM) solutions are readily available to help organizations overcome 90-day TLS validity hurdles, achieve crypto-agility, and reinforce security.
Although the effective date is still undecided, it’s crucial for organizations to start preparing now for the transition to 90-day TLS certificate validity. Google publicly announced their proposal in 2023 to give organizations ample warning and to encourage them to take action now. Proactive planning, including implementing effective certificate lifecycle management (CLM) strategies and crypto-agility, will help ensure a smooth transition to reduced certificate lifespans.