CA/Browser Forum votes to reduce SSL/TLS certificates to 47 days

The CA/Browser Forum has voted to reduce the maximum life of public SSL/TLS certificates to just 47 days by 2029. The move is part of a plan to improve online security. The shorter lifespan is also intended to drive automation of certificate issuance and to make systems more agile ahead of the transition to post-quantum cryptography.

Of course, there is another side to this: cost. The cost of a Sectigo Domain Wildcard (DVWC) certificate is currently £350 ex VAT. By 2029, a certificate that runs to its full 47-day lifetime will need to be reissued about 7.8 times a year (365 ÷ 47), so at today's per-certificate price the annual cost would be over £2,700, and more again if the automation renews early, as ACME clients typically do. That sum excludes any increases due to inflation or other costs the company passes on to customers, and it assumes per-certificate pricing stays as it is; Sectigo has not said how wildcard pricing will change under its subscription model.

Savings from automation will only apply on the issuer side, increasing their profits. For customers, automation also brings a risk of supplier lock-in: once issuance is integrated with one CA's tooling, the technical cost and planning involved in moving to another CA will mean many won't bother.

Kevin Weiss, chief executive officer at Sectigo

Kevin Weiss, chief executive officer at Sectigo, commented, “At Sectigo we have long advocated for shorter certificate lifecycles as a crucial step in bolstering internet security, which is why we endorsed this ballot from its inception.

“This collaborative initiative passed by the CA/Browser Forum not only showcases the industry’s unified commitment to enhance digital trust for all but also empowers customers to be at the leading edge of preparing for a quantum future.”

What is this about?

Sectigo claims that this is about improving security across the Internet, at least as far as SSL/TLS certificates are concerned. Over the last decade, there have been several issues with Certificate Authorities and how they manage digital certificates.

Some of those issues have been around the failure to revoke compromised or mis-issued certificates promptly. Others have included poor management processes, misuse of certificates and an increase in man-in-the-middle attacks. A shorter lifetime bounds how long a compromised or mis-issued certificate remains usable when revocation fails or is not checked, which matters because browsers check revocation inconsistently. With the risks from quantum computing getting closer, the industry has been focused on what is needed to improve trust.

In January, Sectigo published a blog written by Jason Soroko, Senior Fellow at Sectigo. In it, he outlines the case for reducing SSL/TLS certificate validity. It includes all the reasons above and some of the challenges. It is an interesting read.

In this announcement, Sectigo boils it down to three key things:

  • Enhanced security: Shorter certificate renewals protect private keys from being compromised by limiting the time they are exposed to potential threats, ultimately reducing the risk of man-in-the-middle attacks and data breaches.
  • Encouraging automation: Reducing certificate lifespans encourages automation and the adoption of practices that drive the ecosystem away from baroque, time-consuming, and error-prone issuance processes. The result enables faster adoption of emerging security capabilities, changes in cryptographic algorithms, and general best practices.
  • Preparing for quantum challenges: In an era of promoting quantum preparedness, shorter certificate lifespans foster crypto agility by accelerating the adoption of stronger algorithms and ensure compliance with evolving security standards.

What is the timescale for reducing certificate life?

Apple initially proposed reducing the lifespan of certificates on October 7th, 2024, at the CA/Browser Forum meeting (the proposal became ballot SC-081). That proposal followed Google's announcement in March 2023 that it intended to reduce the lifespan to just 90 days.

The newly adopted timescale is:

  • March 15, 2026: Maximum TLS certificate lifespan shrinks to 200 days. This accommodates a six-month renewal cadence. The Domain Control Validation (DCV) reuse period reduces to 200 days.
  • March 15, 2027: Maximum TLS certificate lifespan shrinks to 100 days. This accommodates a three-month renewal cadence. The DCV reuse period reduces to 100 days.
  • March 15, 2029: Maximum TLS certificate lifespan shrinks to 47 days. This accommodates a one-month renewal cadence. The DCV reuse period reduces to 10 days.

As can be seen, this is an aggressive timescale that will create challenges for organisations of all sizes, including certificate issuers. Note also that in 2029 the DCV reuse period falls to 10 days, well below the 47-day certificate life, so domain control will effectively have to be re-proven on every issuance; doing that by hand at a monthly cadence is not realistic. That is why there is a focus on the need for greater automation in the process.
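The schedule above is easy to read as a one-off change to expiry dates, when in practice it sets the renewal cadence and the domain-revalidation cadence together, and the two interact. The following is an added example, not code from Sectigo or the CA/Browser Forum: it encodes the dates from the list above plus the 398-day cap in force today, then checks a certificate's validity window against the policy in effect on its issuance date. The "renew when one third of the lifetime remains" rule is an assumption modelled on common ACME client defaults, and the sample validity windows are constructed.

```python
import math
from datetime import date, datetime, timedelta, timezone

# CA/Browser Forum schedule as listed above, as
# (effective date, max certificate lifetime in days, DCV reuse period in days).
# The 398-day entry is the cap that has applied since 1 September 2020.
# Newest entry first so the first match wins.
SCHEDULE = (
    (date(2029, 3, 15), 47, 10),
    (date(2027, 3, 15), 100, 100),
    (date(2026, 3, 15), 200, 200),
    (date(2020, 9, 1), 398, 398),
)


def policy_for(issued_on: date) -> tuple[int, int]:
    """Return (max_lifetime_days, dcv_reuse_days) in force on an issuance date."""
    for effective, max_days, dcv_days in SCHEDULE:
        if issued_on >= effective:
            return max_days, dcv_days
    raise ValueError(f"no schedule entry encoded for {issued_on}")


def lifetime_days(not_before: datetime, not_after: datetime) -> int:
    """Validity period in whole days, rounded up (a partial day counts as a day)."""
    return math.ceil((not_after - not_before).total_seconds() / 86400)


def validity_window(year: int, month: int, day: int, days: int):
    """Constructed notBefore/notAfter pair for a certificate issued at 00:00 UTC."""
    not_before = datetime(year, month, day, tzinfo=timezone.utc)
    return not_before, not_before + timedelta(days=days)


def check_certificate(not_before: datetime, not_after: datetime, renew_fraction: float = 1 / 3) -> dict:
    """Check a validity window against the policy in force when it was issued.

    renew_fraction is the share of the lifetime still left when the ACME client
    is expected to renew; 1/3 is a common client default (assumption). 0 means
    the certificate is run to expiry before reissuing.
    """
    if not 0 <= renew_fraction < 1:
        raise ValueError("renew_fraction must be in [0, 1)")
    max_days, dcv_days = policy_for(not_before.date())
    life = lifetime_days(not_before, not_after)
    renew_interval = life * (1 - renew_fraction)  # days between two issuances
    return {
        "lifetime_days": life,
        "max_lifetime_days": max_days,
        "compliant": life <= max_days,
        "renew_after": not_after - timedelta(days=life * renew_fraction),
        "renewals_per_year": math.ceil(365 / renew_interval),
        # If the DCV reuse window is shorter than the gap between issuances,
        # every renewal has to re-prove control of the domain.
        "fresh_dcv_each_renewal": dcv_days < renew_interval,
    }


def main() -> None:
    samples = {
        "issued 2025, 398 days": validity_window(2025, 6, 1, 398),
        "issued 2026, still 398 days": validity_window(2026, 4, 1, 398),
        "issued 2029, 47 days": validity_window(2029, 4, 1, 47),
    }
    for label, (not_before, not_after) in samples.items():
        print(label, check_certificate(not_before, not_after))


if __name__ == "__main__":
    main()
```

Running `main()` shows that a 398-day certificate issued after March 2026 is already out of policy, and that a 47-day certificate renewed at one-third remaining is issued about 12 times a year rather than the 7.8 implied by running it to expiry; its 10-day DCV reuse window never covers the gap between issuances, so each renewal re-proves domain control. Any pricing model that charges per issuance counts those extra renewals too.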

Sectigo launched Sectigo Certificates as a Service (CaaS) in February. An API-driven service, it targets resellers, domain registrars, web hosting companies and managed service providers. Sectigo says it brings subscription-based, pay-per-domain pricing. It has given no indication of how that will affect or support end-users with wildcard certificates.

Enterprise Times: What does this mean?

There is good and bad in this announcement. The good is that the industry is addressing the shortcomings that have been around since we started using SSL/TLS certificates. Anything that improves security should be welcomed.

The bad news is that the reduction to 47 days will significantly impact customers. If per-certificate pricing does not change, it means organisations paying roughly 7.8 times (365 ÷ 47) what they pay now each year, and more if their automation renews before expiry.

On top of that, large organisations will need to purchase new certificate management solutions that integrate with the proposed automation solutions. There is no single management API across CAs. ACME (RFC 8555) is a standard issuance protocol that most public CAs, Sectigo included, support, but enterprise inventory, approval and reporting interfaces remain CA-specific, so large organisations using multiple CAs will still need to integrate with each of them separately. The approach will lead to smaller organisations being locked into a single supplier.

Enterprise Times approached Sectigo to discuss the cost increases, automation and what it would mean. They had nobody available to comment.

1 COMMENT

  1. A mistype in the first version of this piece said that the certificate time would reduce to 42 and not 47 days. That has now been corrected. It means that customers will be paying 7.77 times more per year for the same service as they get now and be expected to pick up the costs of buying solutions to manage automated certificate services.
