Managing your certificates

Certificate lifespans are getting shorter and it’s never been a better time to automate

Avesta Hojjati


TLS certificate lifespans have shortened dramatically. In 2020, the major browser vendors capped the maximum lifetime of publicly trusted certificates at 398 days, just over one year, for certificates issued on or after 1 September 2020. The previous cap was 825 days, roughly two years.

This is merely the latest in a long line of constrictions. Before 2011, certificate lifespans ran as long as a decade. In 2012, the CA/Browser Forum Baseline Requirements capped them at five years (60 months). In 2015, that became 39 months, and in 2018, 825 days (about two years). As of September 2020, the cap is 398 days. Certificate lifespans are likely to get even shorter down the line.


The security argument for it makes a lot of sense. A shorter lifetime limits the window during which a compromised private key or a mis-issued certificate remains valid, and it means that improvements to the web PKI (new validation rules, deprecated algorithms, new requirements on certificate contents) reach the whole population of live certificates within months rather than years. Furthermore, it forces greater attention onto certificates, an area which is too often overlooked.

Whatever the price of shorter certificate lifespans, the price of a certificate-related security issue runs much higher. Perhaps the best example of this is the 2017 Equifax breach, which exposed the personal data of roughly 147 million people. Although the entry point was a vulnerability in Apache Struts, the US House Oversight Committee’s post-mortem found that a certificate failure had made the breach far worse: a certificate on the device that inspected encrypted network traffic had expired and nobody noticed, so that inspection was effectively blind. That allowed the intrusion to remain undiscovered for 76 days, nearly three months, while the attackers moved through the network and siphoned off the data of millions.

That is an extreme example, but certificate outages are extremely common. A recent study from Ponemon has shown that 88 percent of organisations experienced an unplanned certificate-related outage in the last two years, and 41 percent reported that they had experienced four or more such outages. In separate research, analysts have estimated that those outages can cost large organisations over €413,000 ($500,000) per hour.

Many enterprises already suffer from poor certificate management and if they don’t change, it will only get worse. The digital enterprise is expanding rapidly. Companies and organisations everywhere are transforming, handling more data, onboarding new identities and introducing new devices and technologies. Every one of those needs certificates, and if enterprises cannot manage them effectively the estate will quickly get out of hand and lead to all kinds of damaging repercussions.

Two 2019 surveys bear this out. The first shows that 80 percent of organisations expect TLS use to grow by a quarter over the next five years – reflecting the increasing complexity of the digital enterprise. The next survey showed that 85 percent of CIOs believe that the same growing complexity is going to make certificate outages all the more damaging.

The aforementioned Ponemon study revealed two more details which drive home the unsustainability of manual certificate management. Only 38 percent of their respondents believed that they had adequate numbers of security staff to effectively manage their PKI. Furthermore, 74 percent revealed they did not know how many or what kind of certificates they were using.

Certificate management is a hard job to do manually, especially given the size and complexity of the modern network. The CA/Browser Forum’s Baseline Requirements require a CA to revoke a certificate within 24 hours of learning that its private key has been compromised, which means the subscriber has to get a replacement issued and deployed on that same timeline or face an outage. Many organisations struggle with that, and will continue to do so if they cannot automate renewal and revocation. That’s why automating the certificate lifecycle makes so much sense.

The request, provisioning, renewal and revocation functions of certificate management can all be automated, through standard protocols such as ACME (RFC 8555) or a CA’s own API, taking onerous manual labour off the hands of IT security staff and handing it off to a machine. From there, certificate automation tools can give real-time, actionable visibility into the certificate inventory: which certificates exist, where they are deployed, and when each one expires. Certificates can be renewed automatically well before expiry, anything approaching its expiry window can be flagged and dealt with, and an overlooked certificate can no longer bring an organisation to its knees.
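As an added example (not code from the article or from DigiCert), here is the inventory and expiry-window side of that automation in Go, using only the standard library. It parses every certificate in a PEM bundle, reports the remaining validity of each as of a chosen time, and flags those that are expired or inside a renewal window. The renewal window used here (renew once a third of the lifetime remains, so a 398-day certificate is renewed about 133 days early) is a common policy and an assumption of this example, not a Baseline Requirements rule. The three certificates are self-signed test data generated inside the program; the host names and function names are the example’s own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"sort"
	"time"
)

// CertStatus is one row of the inventory report.
type CertStatus struct {
	Subject   string
	NotAfter  time.Time
	Remaining time.Duration
	Expired   bool
	RenewNow  bool
}

// InventoryPEM parses every CERTIFICATE block in pemData (other block types,
// such as keys, are skipped) and reports each certificate's remaining validity
// as of now. A certificate is flagged RenewNow when it has expired or when less
// than window of its validity remains. An unparseable certificate is returned as
// an error rather than silently dropped: an unknown object in the estate is a
// finding in itself.
func InventoryPEM(pemData []byte, now time.Time, window time.Duration) ([]CertStatus, error) {
	var out []CertStatus
	rest := pemData
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parsing certificate: %w", err)
		}
		remaining := cert.NotAfter.Sub(now)
		out = append(out, CertStatus{
			Subject:   cert.Subject.CommonName,
			NotAfter:  cert.NotAfter,
			Remaining: remaining,
			Expired:   remaining <= 0,
			RenewNow:  remaining <= window,
		})
	}
	// Soonest expiry first, so the report leads with the most urgent item.
	sort.Slice(out, func(i, j int) bool { return out[i].NotAfter.Before(out[j].NotAfter) })
	return out, nil
}

// RenewalWindow is the lead time at which a certificate of the given lifetime
// should be renewed. Renewing once a third of the lifetime remains (an assumed
// policy, not a CA/B Forum rule) leaves time to notice and fix a failed renewal.
func RenewalWindow(lifetime time.Duration) time.Duration {
	return lifetime / 3
}

// selfSignedPEM builds a self-signed test certificate (constructed sample data,
// not a real certificate) valid from notBefore for the given lifetime.
func selfSignedPEM(cn string, notBefore time.Time, lifetime time.Duration) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// sampleEstate is a constructed bundle of three 398-day certificates: one fresh,
// one inside the renewal window, and one that has already expired unnoticed.
func sampleEstate(now time.Time) []byte {
	day := 24 * time.Hour
	estate := selfSignedPEM("fresh.example.test", now.Add(-10*day), 398*day)
	estate = append(estate, selfSignedPEM("soon.example.test", now.Add(-300*day), 398*day)...)
	estate = append(estate, selfSignedPEM("expired.example.test", now.Add(-500*day), 398*day)...)
	return estate
}

func main() {
	now := time.Date(2021, 3, 1, 0, 0, 0, 0, time.UTC)
	report, err := InventoryPEM(sampleEstate(now), now, RenewalWindow(398*24*time.Hour))
	if err != nil {
		panic(err)
	}
	for _, c := range report {
		fmt.Printf("%-22s expires %s  remaining %5d days  expired=%-5v renew=%v\n",
			c.Subject, c.NotAfter.Format("2006-01-02"), int(c.Remaining.Hours()/24), c.Expired, c.RenewNow)
	}
}
```

In a real deployment the bundle would come from a discovery job (files on hosts, load balancer configs, TLS handshakes against the inventory of endpoints) and the RenewNow rows would feed an ACME client or CA API call rather than a printout; the point of the sorted report is that the expired, silently failing certificate is the first line, not something buried in a spreadsheet.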


While many have not yet done so, I predict certificate automation will become a foregone conclusion. The visibility into the certificate lifecycle and the agility gained from automation are hard to turn down. In the near future, it could be impossible to turn down. Compliance is another driver: regulations such as the General Data Protection Regulation (GDPR) require appropriate technical measures to protect personal data, and an organisation that cannot enumerate its certificates or replace a compromised one promptly will struggle to show that it has them.

The shortening of certificate lifespans might be seen as a burden, but it should be considered a prompt. Enterprises need to pay much greater attention to their certificates and automation provides a way for them to do that. Even if the security consequences of mismanagement aren’t of prime concern to them, compliance should be.

Enterprises already have a problem in managing their certificates. With the increasing complexity of the digital enterprise and the ever shortening lifespan of certificates, automation may soon be the only way to get PKI under control.


Avesta Hojjati

Avesta Hojjati is the Head of R&D at DigiCert, where he manages advanced development of cybersecurity products. Before joining DigiCert, Avesta was part of the Symantec and Yahoo security teams, as well as operating his own cybersecurity startup. Avesta focuses on applied cryptography, blockchain, post-quantum crypto, and IoT security. Avesta earned his Masters in computer science with a concentration on security from University of Illinois at Urbana Champaign, and he’s currently completing his PhD dissertation on applications of blockchain and IoT in manufacturing.
