Enterprises urged to prepare for major PKI changes
Certificate authority GlobalSign is warning that later this year, and into 2024, there will be significant changes within the Public Key Infrastructure (PKI) marketplace that they need to be aware of.
These changes involve several critical areas: Google's move to reduce the lifespan of SSL/TLS certificates to 90 days, new CA/Browser Forum Baseline Requirements for email security, and mandatory Root changes issued by Mozilla.
The upcoming changes will create significant impact on industries using PKI which is relied on millions of businesses worldwide. These shifts will require companies to adapt their PKI to ensure continued security compliance.
"Website admins will need to move towards automation if/when the Google proposed 90-day maximum certificate validity and domain re-use goes into effect. It’s going to become increasingly difficult to replace certificates using manually generated CSRs and subsequent certificate installations as the validity period and domain revalidation periods shorten," says Doug Beattie, vice president, product management at GlobalSign. "Technologies such as GlobalSign's ACME offering helps automate certificate lifecycle functions and reassures certificates are being automatically replaced using fully automated processes before they expire. This keeps companies secure and prevents their websites from using expired certificates which results in loss of business."
The current lifecycle of SSL/TLS certificates is 398 days. Companies are strongly advised to evaluate their certificate lifecycle processes now and be prepared for the transition to a 90 day cycle.
Standards for S/MIME certificates will change on on September 1st. This will mean standardized certificate profiles which will require additional organizational or individual validation and, in some cases, CAs will need to replace their current S/MIME CAs with new, compliant ones. Mozilla has announced plans to remove the SSL/TLS and S/MIME trust bits in Roots when they are 15 and 18 years old respectively. This will affect GlobalSign's issuing of SSL/TLS certificates, more details of which will be available later in the year.
You can find out more on the GlobalSign blog.
Photo credit: cigdem / Shutterstock