
TLS/SSL - Shorter validity periods
SSL/TLS certificate lifetimes are getting shorter and shorter
The validity period of newly issued SSL/TLS certificates may no longer exceed one year.
Digital certificates and the associated digital signatures serve to confirm identity and to securely transmit sensitive data on the internet or within a corporate network. They are used for secure email, web security, Windows SmartCard logon, VPN, file encryption, digital document signatures, and many other applications.
A digital certificate is an immutable "electronic identity card," comparable to a national ID card, whose contents are vouched for by a certification authority (CA). Just like an ID card, a digital certificate has a limited validity period. After the maximum validity of SSL/TLS certificates had already been reduced to 825 days (approx. 27 months) in 2018, the rules for issuing SSL/TLS server certificates have now been tightened again: since September 1, 2020, publicly trusted certificates may only be issued with a maximum validity of 398 days (roughly one year).
Apple had already announced at the CA/Browser Forum meeting in Bratislava in February 2020 that, starting September 1, 2020, Safari and Apple devices would only accept TLS server certificates with a validity of at most 398 days. Google (Chrome) and Mozilla (Firefox) followed Apple's announcement and likewise no longer accept multi-year certificates. The reduction of certificate validity periods is not surprising and fits into the ongoing improvement of internet security: deprecated algorithms and mis-issued certificates leave the ecosystem faster, and a certificate that expires soon anyway limits how long a lost or stolen private key can be misused, which matters because clients do not check revocation (CRL/OCSP) consistently. Renewing with a freshly generated key pair (public and private key) each time shortens that exposure window; it does not make key compromise itself less likely, so the private key still has to be protected, for example in an HSM. The validity periods of email (S/MIME) certificates are not affected by this change and remain unchanged.
Continuously shorter certificate validity periods inevitably increase administrative effort. It is foreseeable that validity periods will be reduced further and may soon be limited to about three months. Rapidly growing certificate inventories in increasingly complex IT environments can hardly be managed with traditional means such as spreadsheets and calendar reminders. They drive up the process cost of administration as well as the risk of errors in handling certificates, and the risk of IT service disruptions caused by unexpectedly expired certificates rises with them. The consequences: potential legal repercussions and lasting damage to the company's reputation.
Newer algorithms such as elliptic-curve cryptography (ECDSA keys in place of RSA), as well as compliance with stricter regulatory requirements, also raise the demands on companies' "crypto agility": the ability to swap keys, algorithms and certificates without disrupting services.
Comprehensive certificate management includes monitoring expiry dates, automated requesting, distributing certificates to target systems, and renewing or revoking them. Verification of the certificate chain (chain of trust) is also automated.
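The checks a certificate-management process has to run on every certificate in the inventory are small enough to show in code. The following Go program is an added example and is not part of essendi xc or of the original page; it uses only the Go standard library and builds its own throw-away CA and leaf certificates (constructed test data) so that it runs offline. It demonstrates the three checks mentioned above: whether a certificate's lifetime exceeds the 398-day ceiling that browsers now enforce, whether it falls inside a renewal window, and whether it still chains to a trusted root for the expected hostname. The hostname `www.example.com`, the 30-day renewal window and the function names are assumptions chosen for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MaxLeafLifetime is the 398-day ceiling that Apple, Google and Mozilla
// enforce for TLS server certificates issued on or after 2020-09-01.
const MaxLeafLifetime = 398 * 24 * time.Hour

// issueCA creates a self-signed ECDSA P-256 CA. This is constructed test
// data for the example, not a real certification authority.
func issueCA(notBefore time.Time, lifetime time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test CA"},
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(lifetime),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueLeaf signs a TLS server certificate for host with the given CA,
// generating a fresh key pair for the leaf (what a renewal should do).
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string, notBefore time.Time, lifetime time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // browsers match the SAN, not the CN
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ExceedsMaxLifetime reports whether the validity window is longer than
// the 398 days browsers accept; such a certificate will be rejected by
// Safari, Chrome and Firefox even though it is otherwise well-formed.
func ExceedsMaxLifetime(c *x509.Certificate) bool {
	return c.NotAfter.Sub(c.NotBefore) > MaxLeafLifetime
}

// DaysUntilExpiry returns the whole days left before NotAfter at time now
// (negative once the certificate has expired).
func DaysUntilExpiry(c *x509.Certificate, now time.Time) int {
	return int(c.NotAfter.Sub(now).Hours() / 24)
}

// NeedsRenewal flags a certificate that expires within the renewal window,
// so that a replacement can be requested and distributed before outage.
func NeedsRenewal(c *x509.Certificate, now time.Time, window time.Duration) bool {
	return now.Add(window).After(c.NotAfter)
}

// VerifyChain checks that leaf chains to one of the trusted roots, is
// valid at time now, and is usable as a server certificate for host.
func VerifyChain(leaf *x509.Certificate, roots *x509.CertPool, host string, now time.Time) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:       roots,
		DNSName:     host,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	now := time.Date(2020, 9, 1, 0, 0, 0, 0, time.UTC)
	ca, caKey, err := issueCA(now, 10*365*24*time.Hour)
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	for _, lifetime := range []time.Duration{825 * 24 * time.Hour, 90 * 24 * time.Hour} {
		leaf, err := issueLeaf(ca, caKey, "www.example.com", now, lifetime)
		if err != nil {
			panic(err)
		}
		check := now.Add(70 * 24 * time.Hour) // inventory scan 70 days after issuance
		fmt.Printf("%s: lifetime too long=%v, days left=%d, renew now=%v, chain ok=%v\n",
			leaf.Subject.CommonName, ExceedsMaxLifetime(leaf), DaysUntilExpiry(leaf, check),
			NeedsRenewal(leaf, check, 30*24*time.Hour), VerifyChain(leaf, roots, "www.example.com", check) == nil)
	}
}
```

In a real inventory scan the leaf would come from the target system (for example the chain presented on a TLS connection) and the root pool from the organisation's trust store; the three checks stay the same. The lifetime check is worth running at enrollment time too, since an 825-day certificate a CA still issued before the deadline verifies cleanly here but is refused by browsers.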
essendi xc – the answer to greater crypto agility. To address these challenges, essendi it GmbH, based in Schwäbisch Hall, has developed an application for the professional and efficient management of digital (X.509) certificates. essendi xc simplifies, automates, and optimizes certificate management end-to-end.
The software supports all processes, from the request (generating the key pair and the certificate signing request, CSR) and renewal through to the installation of certificates on the target systems. essendi xc helps companies keep an overview of their certificate inventories and validity periods, thereby reducing the risks described above. At the same time, the application can be integrated into existing infrastructure and adapted to individual requirements: for example, connecting established HSMs for key protection and importing existing certificates into the central inventory are both straightforward.
Certificate holders should check with their certification authority or authorities until which date SSL/TLS certificates with a two-year validity can still be purchased, and until when already purchased two-year licenses can still be redeemed. These deadlines also apply to certificates ordered via essendi xc.
Operators of websites or webshops, for example, must take into account that certification authorities do not renew a certificate in place: a new certificate must be ordered, and it must then be distributed to each target system. essendi xc users are in a more comfortable position, because essendi xc supports both the renewal and the enrollment of certificates, or takes care of both completely automatically.