cursor pointing at URL in browser window

Why 90-Day SSL Certificates Make Automation a Must-Have

Don’t Get Caught Short by the Switch to 90-Day Certificates 

In March 2023, Google announced it was shortening the validity of all publicly trusted TLS/SSL certificates from 398 days to just 90 days. Though the timing of the switch isn’t clear, its effects were felt almost immediately, as enterprise IT teams took a look at their certificate management processes and began to wonder if they were prepared. The aim of reducing certificate lifetimes is to drive the ecosystem away from baroque, time-consuming and error-prone issuance processes. That sounds good in theory, but some organizations are discovering they still have work to do.

That’s because managing TLS certificates can feel like a game of Whac-A-Mole, even under the best circumstances. According to NIST’s Special Publication 1800-16A, Securing Web Transactions: TLS Server Certificate Management, a large or medium scale enterprise may have thousands or even tens of thousands of TLS certificates to manage. But Google’s announcement ups the ante, because it forces organizations to renew many of those certificates on a cadence that’s four times more frequent.

Fortunately, there is a solution, and it’s one that’s been pushed for years by industry groups and leaders: automation. In this article, we’ll review how TLS/SSL certificate automation works — and why it’s become an imperative for enterprise PKI management.

How Certificate Automation Works

Certificate automation enables organizations to provision, install and renew certificates without human intervention — streamlining security workflows and preventing the outages caused by expired certificates.

The most efficient way to automate TLS and SSL certificates at scale is through the Automated Certificate Management Environment (ACME) protocol. Designed by the non-profit Internet Security Research Group (ISRG), ACME clients make it possible to generate a certificate request and install it at the end point. ACME clients also monitor the validity of all certificates and automatically renew them 30 days in advance so that there is no risk of outages due to expiration. 

That means manual certificate requests, domain validations, installations and renewals are a thing of the past. No more labor-intensive provisioning processes or time-intensive report generation — or expired certificates that nobody notices until after it’s too late.

Why Automation Is So Powerful

Automation takes the pain out of certificate lifecycle management, but its benefits go way beyond streamlining cumbersome workflows. With the right tools, automation also enables organizations to:

  • Enhance Security — It’s not hard to make mistakes in complex enterprise environments, and certificate-related outages grow with the number of certificates to manage. Automation reduces these risks by eliminating human error. It also helps ensure that you’ll always have a valid certificate for your server or website to prevent any disruption.
  • Increase Operational Efficiency — Short-lived certificates demand an almost continuous cycle of renewal and replacement. Automation frees your IT staff from that time-intensive task and enables them to focus on other mission-critical systems and software.
  • Reduce Risk — TLS/SSL outages pose substantial security risks. Automation reduces these risks, as certificates can be automatically renewed and replaced without any human intervention. 
  • Scale as You Grow — Certificate automation is infinitely scalable, allowing organizations to easily expand to new systems and use cases without adding additional staff
  • Stop Worrying About Changing Validity Periods — Automating certificate lifecycle management makes it easy for your organization to navigate changes to certificate validity periods. It’s a benefit that’s likely to become even more relevant in the future, considering how frequently those periods have changed in the past, shrinking from three years to one year and, according to some, 90 days in the future. In fact, we could see even shorter certificate validity periods in the future. 

Getting Started With Automation

A wide range of automation solutions — ACME and otherwise — are available to help organizations manage digital certificates like TLS/SSL. HID’s Enterprise SSL solution keeps things simple with a straightforward subscription model that offers DV, OV and EV certificates, and spares organizations the hassle of dealing with per-certificate pricing. 

Included in the package is our powerful, cloud-based Account Certificate Manager (ACM), which automates the distribution and management of digital certificates onto devices and gives IT teams complete policy control as well as the ability to delegate administration and conduct on-demand audits and reporting. It also supports domain whitelisting — so there is no need to revalidate the domain while requesting individual certificates. It provides a single pane of glass for both public and private trust certificates.

Transitioning from other CA providers or migrating from in-house systems? HID PKI-as-a-Service has got you covered with the best-in-class PKI that deploys and scale rapidly with end-to-end automation and predictable pricing.

The rise of short-lived certificates isn’t just a challenge, it’s also an opportunity — not just, as Google puts it, to “make the Internet a safer place,” but to boost efficiency, streamline budgets and make enterprise services easier to scale. That doesn’t sound so scary, does it?

Automation is key, but which model is best for your organization? Find out in our guide to PKI Automation Strategies >>

Mrugesh Chandarana is Product Management Director for Identity and Access Management Solutions at HID Global, where he focuses on IoT and PKI solutions. He has more than ten years of cybersecurity industry experience in areas such as risk management, threat and vulnerability management, application security and PKI. He has held product management positions at RiskSense, WhiteHat Security (acquired by NTT Security), and RiskVision (acquired by Resolver, Inc.).