Cut in TLS certificate life could lead to greater risk of outages
As of September 1st, all publicly trusted TLS certificates must have a lifespan of 398 days or less -- roughly half the previous life.
According to security experts from Venafi, a provider of machine identity management, this latest change is an indication that machine identity lifetimes will continue to shrink.
Certificate lifetimes have been steadily getting shorter over the last decade. Before 2011 certificate lifespans were 8–10 years (96 months); this came down to 60 months in 2012, 39 in 2015, 27 in 2018 and now to 13 in 2020.
Apple, Google, and Mozilla are set to reject publicly rooted digital certificates in their web browsers that expire more than 13 months (or 398 days) from their creation date. The move is intended to boost security. Apple -- back in February -- was the first to announce it would enforce the new limit from today, and the others have since followed suit.
"Apple’s unilateral move to reduce machine identity lifespans will profoundly impact businesses and governments globally," says Kevin Bocek, vice president of security strategy and threat intelligence at Venafi. "The interval between certificate lifecycle changes is shrinking, while at the same time, certificate lifecycles themselves are being reduced. In addition, the number of machines -- including IoT and smart devices, virtual machines, AI algorithms and containers -- that require machine identities is skyrocketing. It seems inevitable that certificate-related outages, similar to those that have haunted Equifax, LinkedIn, and the State of California, will spiral out of control over the next few years."
Digital keys and certificates act as machine identities. They control the flow of sensitive data to trusted machines in a wide range of security and operational systems. Enterprises rely on machine identities to connect and encrypt over 330 million internet domains, over 1.8 billion websites and countless applications. If these certificates expire unexpectedly, the machines or applications they identify will cease to communicate with other machines, shutting down critical business processes.
Certificates that were issued before the enforcement date won't be affected, nor will those issued from user-added or administrator-added root certificate authorities (CAs). To avoid any unintended consequences, Apple recommends that new certificates be issued with a maximum validity of 397 days.
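One practical way to act on this rule is to audit a certificate inventory against it. The Python script below is an added example written for this page, not code from Venafi or from the browser vendors named above: it applies the 398-day limit only to certificates issued on or after 1 September 2020, exempts earlier certificates as described, checks the 397-day recommendation, and flags anything close to expiry so a renewal can be scheduled before an outage. The 30-day renewal warning, the hostnames and the dates in the sample inventory are assumptions constructed for the example; the certificate dicts use the shape Python's `ssl.getpeercert()` returns, so the same function can run over certificates pulled from live connections.

```python
import ssl
from dataclasses import dataclass
from datetime import datetime, timezone

# Policy values taken from the article.
MAX_VALIDITY_DAYS = 398          # browsers reject longer lifetimes on certs issued on/after the cutoff
RECOMMENDED_MAX_DAYS = 397       # Apple's recommended issuance maximum
ENFORCEMENT_DATE = datetime(2020, 9, 1, tzinfo=timezone.utc)
EXPIRY_WARNING_DAYS = 30         # assumed renewal lead time (not from the article)


@dataclass
class LifetimeReport:
    common_name: str
    validity_days: int
    subject_to_limit: bool       # issued on/after the enforcement date
    rejected_by_browsers: bool   # subject to the limit and longer than 398 days
    within_recommendation: bool  # 397 days or less
    days_until_expiry: int
    expiring_soon: bool


def _parse_cert_time(value: str) -> datetime:
    """Parse the 'Sep  1 00:00:00 2020 GMT' format that ssl.getpeercert() returns."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def _common_name(cert: dict) -> str:
    # getpeercert() encodes the subject as a tuple of RDNs, each a tuple of (type, value) pairs
    for rdn in cert.get("subject", ()):
        for attr_type, attr_value in rdn:
            if attr_type == "commonName":
                return attr_value
    return "<no commonName>"


def assess_certificate(cert: dict, now: datetime) -> LifetimeReport:
    not_before = _parse_cert_time(cert["notBefore"])
    not_after = _parse_cert_time(cert["notAfter"])
    validity_days = (not_after - not_before).days
    subject_to_limit = not_before >= ENFORCEMENT_DATE   # pre-cutoff issuance is exempt
    days_until_expiry = (not_after - now).days
    return LifetimeReport(
        common_name=_common_name(cert),
        validity_days=validity_days,
        subject_to_limit=subject_to_limit,
        rejected_by_browsers=subject_to_limit and validity_days > MAX_VALIDITY_DAYS,
        within_recommendation=validity_days <= RECOMMENDED_MAX_DAYS,
        days_until_expiry=days_until_expiry,
        expiring_soon=days_until_expiry <= EXPIRY_WARNING_DAYS,
    )


def assess_inventory(certs, now):
    return [assess_certificate(c, now) for c in certs]


# Constructed sample inventory in getpeercert() shape; hostnames and dates are made up.
SAMPLE_CERTS = [
    {   # two-year certificate issued before the cutoff: still accepted, but expires next year
        "subject": ((("commonName", "legacy.example.test"),),),
        "notBefore": "Jun  1 00:00:00 2020 GMT",
        "notAfter": "Jun  1 00:00:00 2022 GMT",
    },
    {   # long-lived certificate issued after the cutoff: browsers will reject it
        "subject": ((("commonName", "api.example.test"),),),
        "notBefore": "Oct  1 00:00:00 2020 GMT",
        "notAfter": "Jan  4 00:00:00 2023 GMT",
    },
    {   # 397-day certificate: compliant, but renewal is due in under 30 days
        "subject": ((("commonName", "www.example.test"),),),
        "notBefore": "Oct  1 00:00:00 2020 GMT",
        "notAfter": "Nov  2 00:00:00 2021 GMT",
    },
]
REFERENCE_NOW = datetime(2021, 10, 15, tzinfo=timezone.utc)  # fixed clock so the run is reproducible


if __name__ == "__main__":
    for r in assess_inventory(SAMPLE_CERTS, REFERENCE_NOW):
        flags = []
        if r.rejected_by_browsers:
            flags.append("REJECTED: exceeds 398-day limit")
        elif r.subject_to_limit and not r.within_recommendation:
            flags.append("exceeds Apple's recommended 397 days")
        if r.expiring_soon:
            flags.append(f"expires in {r.days_until_expiry} days")
        print(f"{r.common_name}: {r.validity_days}-day lifetime; " + ("; ".join(flags) or "ok"))
```

The validity-period check and the expiry countdown are deliberately separate outputs: a certificate can be fully compliant with the new limit and still be the one that causes the next outage, which is the point the article makes about shorter lifetimes multiplying renewal events.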
You can read more about the change on the Venafi blog.