Shorter TLS certificate lifespans expected to complicate management efforts

76% of security leaders recognize the pressing need to move to shorter certificate lifespans to improve security, according to Venafi. However, many feel unprepared to take action, with 77% saying the shift to 90-day certificates will mean more outages are inevitable.


Google plans to cut TLS certificate lifespans

81% of security leaders believe Google’s proposed plans to shorten TLS certificate lifespans from 398 days to 90 days will amplify existing challenges they have around managing certificates. An overwhelming 94% of respondents are concerned about the impact of the changes, with 73% saying it could cause “chaos” and a further 75% saying it could even make them less secure.

The recent announcement that certificates issued by certificate authority (CA) Entrust can no longer be trusted is just the latest example of disruption in the CA market. In fact, 88% of security leaders report their organization has been impacted by CA revocations. Of these, 45% had to deploy extra resources to find, revoke and replace certificates; 38% suffered a security incident; and 31% had a certificate-related outage.

With momentum gathering around the need to migrate to new quantum-resistant encryption algorithms, 64% of security leaders say they “dread the day” the board asks about their migration plans. 78% say if a quantum computer capable of breaking encryption is built, they will “deal with it then,” with 60% believing that quantum computing doesn’t present a risk to their business today or in the future. Moreover, 67% dismiss the issue, stating it has become a “hype-pocalypse.”

“We recently lived through the world’s greatest IT outage – the CrowdStrike update outage was an error and unexpected. Security teams know they will be hit with major risks when new outages occur from what they love to hate: more expiring certificates,” said Kevin Bocek, chief innovation officer at Venafi.

“Shifting to shorter certificate lifecycles significantly reduces these risks and is a necessary move. However, this can also bring more chaos for security teams – and it’s a double whammy with Entrust being distrusted in Chrome. There aren’t just canaries in the coal mine; there are groundhogs in every cloud, virtual machine and Kubernetes cluster. It’s not just one software update vendor; it’s the entire Internet as we know it,” Bocek continued.

90-day certificate challenges

The introduction of 90-day certificates means organizations will need to renew their certificates five times more often than they do now – quintupling the effort needed.

The survey reveals this will be a major challenge for businesses for two reasons:

Delayed deployment – Only 8% of security leaders fully automate all aspects of TLS certificate management across their entire enterprise, with almost a third (29%) still relying on their own software and spreadsheets to manage the problem. As a result, it takes an average of 2-3 working days (21.75 hours) to deploy a certificate.

TLS transformation – The volume of TLS certificates in use at organizations has been steadily rising, due to the growth in technology adoption in recent years. 95% of security leaders say digital transformation initiatives have increased their organization’s use of SSL/TLS in the past year by an average of 36%. As a result, the average enterprise now manages 3,730 TLS certificates – a number that is expected to increase by 39% by 2026, taking the figure up to over 5,000.
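The renewal arithmetic above is what breaks fixed-threshold monitoring: an alert set at "30 days before expiry" is a comfortable margin for a 398-day certificate but a third of a 90-day certificate's whole life. The following Go program is an added example, not code from Venafi or from the survey; it issues a self-signed test certificate with a chosen lifetime using only the standard library, then assesses it against a renewal policy expressed as a fraction of the lifetime rather than a fixed number of days, and reports how many renewals per year a given lifetime implies. The names IssueTestCert, Assess, CertStatus and RenewalsPerYear, and the hostname www.example.test, are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CertStatus is what an inventory check would record for one certificate.
type CertStatus struct {
	Subject   string
	Lifetime  time.Duration
	Remaining time.Duration
	RenewDue  bool // renewal window reached under the fraction-based policy
	Expired   bool
}

// Assess compares a parsed certificate against the clock. renewAtFraction is
// the share of the lifetime after which renewal is due (2/3 mirrors the common
// ACME client convention), so the lead time shrinks with the lifetime instead
// of being a fixed number of days.
func Assess(cert *x509.Certificate, now time.Time, renewAtFraction float64) CertStatus {
	lifetime := cert.NotAfter.Sub(cert.NotBefore)
	elapsed := now.Sub(cert.NotBefore)
	remaining := cert.NotAfter.Sub(now)
	return CertStatus{
		Subject:   cert.Subject.CommonName,
		Lifetime:  lifetime,
		Remaining: remaining,
		Expired:   remaining <= 0,
		RenewDue:  elapsed >= time.Duration(float64(lifetime)*renewAtFraction),
	}
}

// RenewalsPerYear is the renewal load one certificate adds for a given lifetime.
func RenewalsPerYear(lifetime time.Duration) float64 {
	return (365 * 24 * time.Hour).Hours() / lifetime.Hours()
}

// IssueTestCert builds a self-signed ECDSA certificate (constructed test data,
// not a CA-issued certificate) and round-trips it through DER so the assessed
// object is exactly what a parser would see on the wire. X.509 stores times
// to the second, so callers should pass second-aligned notBefore values.
func IssueTestCert(cn string, notBefore time.Time, lifetime time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    notBefore.UTC(),
		NotAfter:     notBefore.UTC().Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	now := time.Now().UTC().Truncate(time.Second)
	// Same certificate age (70 days) under the current and the proposed lifetime.
	for _, lifetime := range []time.Duration{398 * 24 * time.Hour, 90 * 24 * time.Hour} {
		cert, err := IssueTestCert("www.example.test", now.Add(-70*24*time.Hour), lifetime)
		if err != nil {
			panic(err)
		}
		s := Assess(cert, now, 2.0/3.0)
		fmt.Printf("%s lifetime=%dd remaining=%dd renewDue=%v renewals/year=%.2f\n",
			s.Subject, int(s.Lifetime.Hours()/24), int(s.Remaining.Hours()/24),
			s.RenewDue, RenewalsPerYear(lifetime))
	}
}
```

Run as written, the 398-day certificate at day 70 is nowhere near its window while the 90-day one is already due, which is the operational point: the monitoring and renewal pipeline has to be parameterised by lifetime, and ideally automated end to end, before the shorter lifetimes arrive.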

Similar challenges exist with quantum. 67% of survey respondents believe shifting to post-quantum cryptography will be a nightmare, as they don’t know where all their keys and certificates are. Looking at the specific challenges these shifts present, the potential speed of the migration, scale and cost, as well as lack of internal skills and knowledge were cited as the top three concerns. However, 86% say taking control of the management of keys and certificates is the best way to prepare for future quantum risks.

“There’s great news: from 90-day certificates to replacing distrusted CAs to making the transition to post-quantum, security teams today have machine identity security capabilities they didn’t have available just a few years ago. Security teams can get certificate lifecycle management (CLM), PKI-as-a-service and workload identity issuers all on one control plane now,” Bocek concludes.

“The business case is simple for making sure 90-day certificate lifetimes don’t wreak havoc. We know the problem is coming, unlike the last major IT outage, and the automation we put in place with machine identity security gets us ready for the post-quantum future, the next CA distrust and running in whatever cloud our developers choose.”
