Reduced lifespan of TLS certificates could cause increase in outages

Beginning September 1st, all publicly trusted TLS certificates must have a lifespan of 398 days or less. According to security experts from Venafi, this latest change is another indication that machine identity lifetimes will continue to shrink.

Since many organizations lack the automation capabilities necessary to replace certificates with short lifespans at machine scale and speed, they are likely to see sharp increases in outages caused by unexpected certificate expirations.

“Apple’s unilateral move to reduce machine identity lifespans will profoundly impact businesses and governments globally,” said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi.

“The interval between certificate lifecycle changes is shrinking, while at the same time, certificates lifecycles themselves are being reduced. In addition, the number of machines—including IoT and smart devices, virtual machines, AI algorithms and containers—that require machine identities is skyrocketing.

“It seems inevitable that certificate-related outages, similar to those that have haunted Equifax, LinkedIn, and the State of California, will spiral out-of-control over the next few years.”

Certificate lifespans

The interval between changes in the length of certificate lifespans has been shrinking over the last decade:

• Pre-2011: Certificate lifespans were 8–10 years (96 months)
• 2012: Certificate lifespans were shortened to 60 months (five years), a reduction of 37%. This change was preplanned in CA/Browser Forum Baseline Requirements.
• 2015: Certificate lifespans were shortened to 39 months (3 years), a reduction of 35%. This change happened three years after the five-year limitation was adopted.
• 2018: Certificate lifespans were shortened to 27 months (two years), a reduction of 30%. This change happened two years after the three-year limitation was adopted.
• 2020: Certificate lifespans were shortened to 13 months, a reduction of 51%. This change happened one year after the two-year limitation was adopted.

Bocek continued: “If the interval between lifecycle changes continues on its current cadence, it’s likely that we could see certificate lifespans for all publicly trusted TLS certificates reduced to 6 months by early 2021 and perhaps become as short as three months by the end of next year.

“Actions by Apple, Google or Mozilla could accomplish this. Ultimately, the only way for organizations to eliminate this external, outside risk is total visibility, comprehensive intelligence and complete automation for TLS machine identities.”

Digital keys and certificates act as machine identities

They control the flow of sensitive data to trusted machines in a wide range of security and operational systems.

Enterprises rely on machine identities to connect and encrypt over 330 million internet domains, over 1.8 billion websites and countless applications. When these certificates expire unexpectedly, the machines or applications they identify will cease to communicate with other machines, shutting down critical business processes.

Unfortunately, eliminating certificate-related outages within complex, multitiered architectures can be challenging. Ownership and control of these certificates often reside in different parts of the organization, with certificates sometimes shared across multiple layers of infrastructure.

These problems are exacerbated by the fact that most organizations have certificate renewal processes that are prone to human error. When combined, these factors make outage prevention a complex process that is made much more difficult by shorter certificate lifetimes.