
Aug 14, 2019 - 2 minute read - technology

Reduce the maximum validity period for TLS/SSL server certificates

Question: What would be the impact on your organization if the CA/Browser Forum approves a ballot reducing the maximum validity period for SSL/TLS server certificates from the current 825 days (27 months) at present to 397 days (13 months), effective for new certificates issued on or after March 1, 2020? (Existing certificates will remain valid for their full term).

My answer:

This proposal would be a huge benefit! In fact, we would benefit from an even more aggressive renewal time (90 or 120 days).

Higher-frequency renewals create a better ROI for automation. Such automation prevents errors, reduces customer support costs, and keeps organizations from accidentally letting a certificate expire.

Some examples:

OLD: Company installs a cert. 2 years later it expires. Nobody can remember who installed it or how to replace it.

NEW: Knowing that a new cert has a short expiration, the company establishes a certificate inventory, documents update/upload procedures, sets up mechanisms to periodically check expiration dates.

OLD: Vendors create products with nearly impossible certificate update procedures, or procedures that require downtime, because “who cares, the customer won’t think about this for years.”

NEW: Vendors are forced to stop being so lazy or shirking their responsibility to do a good job of security, and to provide mature certificate management practices “built in”.

OLD: Idiots set up websites and think they are secure because… you know… it has SSL!

NEW: Idiots that don’t need SSL won’t use it, reducing the number of badly run SSL websites.

OLD: Hosting companies let users upload SSL certs (probably insecurely) and then deal with expensive customer support issues 2 years later.

NEW: ISPs and hosting companies will not be able to offer SSL hosting services without providing mature certificate management. After investing in better practices, their customer support expenses will be dramatically reduced, saving everyone money.

Let’s Encrypt has the right idea. Require a short certificate lifetime to force everyone to manage their certs better.

If cert management is something you do every few years, you’ll do it badly. If you have to do it a lot, you will get better at it… and automate it.
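One building block of the “periodically check expiration dates” mechanism mentioned above, as an added example that is not code from the original post: a stdlib-only Python check that reads the validity period out of a DER-encoded X.509 certificate and decides whether it is inside the renewal window. The certificate bytes are constructed here (an unsigned skeleton with placeholder names and key) so the example runs offline; the field order and the 397-day lifetime are the only things it relies on.

```python
import datetime as dt

def tlv(tag, body):
    """DER-encode one tag/length/value (short length form; sample values are < 128 bytes)."""
    return bytes([tag, len(body)]) + body

def der_read(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Yield (tag, value) for each element of a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = der_read(value, pos)
        yield tag, inner

def _der_time(tag, value):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime vs GeneralizedTime
    return dt.datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=dt.timezone.utc)

def cert_validity(der):
    """(notBefore, notAfter) of a DER certificate; RFC 5280 TBS order: [0]version?, serial, sigalg, issuer, validity."""
    _, cert, _ = der_read(der)
    tbs = next(der_children(cert))[1]          # first child of Certificate is tbsCertificate
    fields = list(der_children(tbs))
    if fields[0][0] == 0xA0:                   # skip the explicit [0] version if present
        fields = fields[1:]
    return tuple(_der_time(t, v) for t, v in der_children(fields[3][1]))

def needs_renewal(der, now, renew_fraction=1/3):
    """True once less than renew_fraction of the lifetime remains (Let's Encrypt renews 90-day certs with 30 left)."""
    not_before, not_after = cert_validity(der)
    return (not_after - now) < (not_after - not_before) * renew_fraction

# Constructed sample: a structurally valid, unsigned certificate skeleton with placeholder issuer,
# subject and key, valid 2019-08-14 to 2020-09-14, i.e. the proposed 397-day maximum.
SHA256_RSA = tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))   # sha256WithRSAEncryption
SAMPLE_CERT = tlv(0x30,
    tlv(0x30,                                                         # tbsCertificate
        tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")            # [0] version v3, serialNumber
        + SHA256_RSA + tlv(0x30, b"")                                 # signature alg, issuer (placeholder Name)
        + tlv(0x30, tlv(0x17, b"190814000000Z") + tlv(0x17, b"200914000000Z"))  # validity
        + tlv(0x30, b"") + tlv(0x30, b""))                            # subject, subjectPublicKeyInfo (placeholders)
    + SHA256_RSA + tlv(0x03, b"\x00"))                                # signatureAlgorithm, signatureValue (placeholder)
```

For a real inventory entry, feed `cert_validity` the output of `ssl.PEM_cert_to_DER_cert()` on the PEM file and run the check from cron; anything that returns `True` is a renewal ticket, not a surprise outage.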

If you want to reduce the risk of a process, do it more often. It forces everyone to get their shit together and do things right.