Shorter SSL/TLS Lifetimes: Business Impact of Monthly Certificate Renewals
The CA/Browser forum has reportedly approved a measure to reduce the allowed time for certificate validity from 398 to 47 days by March 15, 2029. This change will require users to renew certificates on a nearly monthly basis. This is a manual process that will now have to be done up to 10 times per year, instead of just once. This change will not be evident to most Internet users and businesses.
A TLS/SSL certificate is the cryptographically secure “digital drivers license” for a web URL that is accessed with the “https://” prefix. Browsers enforce that traffic is only directed to the encrypted connection and display error messages for any insecure connection. When a certificate expires, the website becomes totally inaccessible unless the user specifically clicks through a series of prompts designed to deter access (intentionally scary design). This is a usability disaster. It also impacts your mobile applications accessing a JSON API as well and for those there is often no exception path accessible to the user of the mobile app.
In the past, SSL/TLS certificates could have very long validity times. Sometimes that time is so long that renewal of the certificate(s) were forgotten, which resulted in important business services being unavailable. This has even happened at very large companies such as Microsoft! This long validity time created a downtime risk in a world where certificate renewals were a cumbersome process that involved many manual steps to not only validate server ownership, but also the legal entity that owned it. Since that time, the life time of certificates have been ratcheted down and automatic renewal process standards have been created. Additionally, “Let’s Encrypt” was created as a partnership of browser makers to provide free, short lived public certificates with domain control validation only. This exploded the use of HTTPS everywhere and with it the browser enforcement of TLS effectively ended widespread insecure Internet traffic.
A key point to consider: Imagine that you woke up to find that your business completely shut down because of an expired license. No one can get to your website to place an order. Your employees can not login to do their jobs. In certain circumstances even your email could be down. You are scrambling to get in touch with your contractor who manages your website to fix the issue and it takes hours or a days to resolve. That is extremely costly. The good news is that the path to short lived, automatically renewed certificates has been well traveled in recent years. Services such as “Let’s Encrypt” have replaced the need for paid certificates for many public facing websites. Businesses hosting with Amazon Web Services (AWS) load balancer options can use the Amazon Certificate Manager (ACM) service. Microsoft Azure also has an equivalent option.
However, these services have limitations. In particular, validation for “Let’s Encrypt” requires that a web server be publicly accessible, or have a public DNS entry for validation. Organizations that do not use specific cloud services and have internal use intranet web applications (that require a VPN) cannot directly use “Let’s Encrypt” and must still purchase manual certificates.
Among Rietta’s clients, most will not be impacted by this CA/B policy change, as they are already using “Let’s Encrypt”, the AWS ACM, or an equivalent option. We will work with our clients impacted by use cases that require a long term solution in place before 2029. This will avoid the need for monthly manual intervention.
The key take away is that fully automatic TLS certificate management is the way of the future. The manual process will no longer be a workable solution. This applies to both public and private infrastructure. It is time for everyone to plan accordingly.