Regular readers will know my views on the validity period of TLS certificates, and how they definitely need to be made shorter than they currently are! We made some good progress on reducing their lifetime over the last few years, but recently, that progress seems to have stalled out... Well, now, we might have our first glimmer of hope!
The story so far
There's a lot of really good information out there on this topic, and I myself have covered this in various ways over the years. I'd definitely recommend my post on Cryptographic Agility as a good starting point, but I will pull the most pertinent information out into this post here. Looking at the historic reductions to certificate lifetimes, we can summarise them as the following maximum limits and when they were introduced:
- 2012 - 60 months
- 2015 - 39 months
- 2018 - 825 days
- 2020 - 398 days
That means that right now, the longest a certificate can be valid for is 398 days total. If you look at the cadence for change there, you can also see how we fell of the pace a little as an industry, and I've long been waiting for the announcement of the next change. Well, we don't have to wait any longer!
SC-081: Introduce Schedule of Reducing Validity and Data Reuse Periods
You can go and read the full details of the proposed ballot yourself, but let's just dive straight into the good stuff because I'm too excited to delay any further. (Also, please drop by that page and give a 'thumbs up' response to show some support!)
Here's the data from the ballot that will show how, over the next 3 years, it is proposed that we continue our efforts to reduce certificate lifetimes and improve the security of the ecosystem. I've put it in a table to make it easier to digest, and here it is!
| Certificate issued on or after | Certificate issued before | Maximum number of days for validity |
|---|---|---|
| September 1, 2020 | September 15, 2025 | 398 |
| September 15, 2025 | September 15, 2026 | 200 |
| September 15, 2026 | April 15, 2027 | 100 |
| April 15, 2027 | 45 |
First of all, this does mean that nothing will happen for almost a year. A shame, yes, but, I can also understand why. It's nice to give the industry time to plan and prepare for a change, and, the first change is also a smaller change too.
It's from September 2025 that change starts happening, with the new limit of 200 days on certificates. That still leaves certificates valid for a really long time, so is a gentle introduction into the reduction schedule.
This is followed by a 100 day limit on certificates a whole year later in September 2026, so again, another huge period of time to plan and prepare for the next change.
Finally, we arrive in April 2027, when the 45 day lifetime limit will be introduced! At this point, fully automated certificate renewal is obviously the goal, and the path to get there has now been laid out.
What does this mean?
It means that we're finally making the progress we need to make as an industry. It means that someone has finally been willing to be the person that steps forward and proposes the changes we need, saying the things that need to be said, but that many won't like.
For so many years now, in both of the training courses that I deliver, I've been telling people and organisations that certificates are only going to get shorter, because they simply need to!
If you haven't been preparing for automation in your certificate renewal processes already, you've missed the writing that's been on the wall for many years now. Certificates have only ever gotten shorter as time has gone by, and key industry players have been pushing for shorter certificates for a long time. If you haven't started working on automating your certificate renewal processes, then you should. The best time to start that work was yesterday, the next-best time is today, and the worst time is tomorrow.
Will this ballot pass?
Thus far, the reaction to this proposal has been exactly what I expected it would be. Those that are looking forwards and to the improvement of security are supportive, and those who are not prepared or willing to change are resisting. I'm hoping that the gradual introduction of these changes, with a nice, steady and predictable timeline will help to sway some to do the right thing, but we're just going to have to wait and see how the vote goes. If we graph the proposed changes, and look at them alongside historic changes, we can see that this is a very reasonable plan being proposed.
We should also consider what has happened in the past when this industry desperately wants change for the better, but commercial entities have tried to hold us back, being swayed by their profits rather than what's best for the average Internet user. I have my fingers crossed that we can get this done, but only time will tell... 🔒🌍✅