Sectigo, a global leader in digital certificates and automated Certificate Lifecycle Management (CLM), announced it has endorsed a ballot submission to the CA/Browser Forum that proposes a significant reduction to public SSL/TLS certificate lifecycles. The ballot, spearheaded by Apple, seeks to reduce the maximum certificate lifecycle from the current 398 days to 47 days by 2028, representing a major potential shift in digital certificate management.

In recent years, Apple and other major browser vendors have been advocating for shorter public certificate lifecycles. Shortening certificate lifespans brings a cluster of important benefits to the WebPKI, including increased security, better crypto agility, and closer alignment of certificate ownership to domain control. For these reasons and more, certificate validity periods have gradually decreased from several years to the current 398-day maximum. These ongoing changes are expected to promote faster adoption of security updates and improve overall crypto agility. Further, the automation required to manage these shorter certificate lifespans better positions organizations to prepare for impending transitions to post-quantum cryptography (PQC) by enabling them to respond more quickly to evolving cryptographic standards and potential quantum threats.

“As the industry moves towards shorter public certificate lifecycles, including Apple’s proposal to step down to 47-day maximum TLS term, we at Sectigo recognize both the security benefits and operational challenges this transition presents,” said Tim Callan, chief compliance officer at Sectigo and vice-chair of the CA/Browser Forum. “These changes are crucial for enhancing security, but they also demand a shift towards automated certificate lifecycle management. Organizations must embrace automated solutions to ensure seamless renewals and avoid potential service disruptions. We are committed to supporting businesses through this critical industry shift.”

Key Implications for Enterprises

While the proposed updates aim to bolster security, they necessitate noteworthy adjustments in digital certificate management. The shift to shorter validity periods increases certificate renewal frequencies, posing substantial operational challenges for businesses, especially those relying on manual processes. To mitigate the risk of missed renewals, potential system outages, and compliance breaches, organizations must adopt automated certificate lifecycle management solutions, especially those that leverage the ACME (Automated Certificate Management Environment) protocol. This transition will also require businesses to adjust their financial and strategic planning, potentially embracing new subscription models from certificate providers that align with these shorter certificate lifecycles.

Apple’s Proposed Phased Approach

Rather than shifting immediately to 47-day lifespans, Apple's proposal would follow a phased approach, with lifespans shrinking at a slower and steadier pace each year. This gradual approach not only demonstrates a thoughtful strategy for implementing considerable change while driving to the end goal, but also allows organizations time to adapt their infrastructure and processes. The proposed timeline provides businesses with a structured pathway to update their certificate management systems, implement automated renewal processes, and minimize potential disruptions.
