Nixon Digital

SSL Certificate Validity Drastically Shortened: 90-day Renewals  

Introduction – what is the challenge?  

SSL certificates used to be valid for two years but since 2020 this has been shortened to one year. This was enforced through root certificate stores, where SSL certificates were only recognized and trusted with a maximum validity of one year. Additionally, industry regulations and guidelines, such as those set by the CA/Browser Forum, have been updated to reflect this shortened validity period, ensuring compliance across certificate authorities and web servers. This shift aims to enhance security by reducing the window of vulnerability to potential exploits or compromised certificate authorities. 

Recently however, popular browsers such as Google Chrome and Mozilla Firefox are considering lowering the period that SSL certificates are valid to 90 days (about 3 months).    

Shortening the validity period of SSL certificates enhances their trustworthiness by minimizing the window of opportunity for potential exploitation. We can compare this to the keys for rooms in hotels. A key will not be changed after a guest checks out of their room, leaving it vulnerable to unauthorized access. Similarly, once an SSL certificate is issued based on the pairing of a private key and a public key, if the private key is compromised, the certificate falls at risk. Given that hackers may not always disclose breaches promptly, more frequent replacement of the private key increases the security and trustworthiness of the SSL certificate, lowering the risk of unauthorized access or data interception. Reducing the validity period of SSL certificates not only aligns with best practices for cybersecurity but also reflects a proactive approach to protecting the integrity and confidentiality of online communications.

Why is this a challenge?

Manually renewing SSL certificates every 3 months will be an error-prone process but also costly.    

Companies owning over 35+ websites and their individual SSL certificates, might not have an accurate and up-to-date overview of whether automated renewal of SSL certificates has been implemented and/or is still being executed manually. In an era where changes are made, this could be forgotten. 

What will happen if you don’t take action?   

The expiration of an SSL certificate has a significant impact on your visitors. If you can’t renew the SSL certificate timely, how serious are you with taking care of your customers’ (personal) data being kept safe?  

How can you solve it / What does the solution look like?   

Different solutions exist which automate the renewal of SSL certificates. The question is whether you can implement a ‘one-size-fits-all’ solution especially if the IT landscape is made up of different solutions hosted at different locations with different vendors.   

In the end, whatever choice of preference is implemented, the first step is using your CMDB (single source of truth containing all information about your applications including type of certificate and whether the SSL certificate is renewed automatically). Using this information, you can easily determine which of the SSL certificates issued are not based on automation and will require attention in case the renewal days are shortened to 90. 

How can the Nixon Team / Platform help you?

Using the Nixon Platform to feed your CMDB or act as your CMDB, you have centralized insight into SSL certificate management. You will know who the issuer of the certificate is, what type of certificate it is (single domain, SAN, wild card etc.) when will it expire and is the certificate renewed automatically (in case of automation the sequence of the issue date has a pattern).   

In this way, you not only have insight into all relevant SSL certificate management information but also have a monitor to notify the responsible team in case automation fails. That must bring peace of mind if you’re the one responsible for ensuring that your website visitors do not get the “SSL Expired “message.