Apple’s 45-day certificate proposal: A call to action

In a bold move, Apple has published a draft ballot for commentary to GitHub to shorten Transport Layer Security (TLS) certificates down from 398 days to just 45 days by 2027. The Apple proposal will likely go up for a vote among Certification Authority Browser Forum (CA/B Forum) members in the upcoming months.

Apple isn’t the first of the big players to suggest such a move. Last year, Google announced its intention to mandate 90-day certificates – something that it is expected to come into force any day now, which will mean any sites connecting to Chrome will need to renew their identities every 90 days.

By putting the issue up for a vote among CA/B Forum members and suggesting even shorter lifecycles – Apple is upping the ante even further, as the CA/B forum has significant influence over all major web browsers. But even if the ballot fails, these big players can force the community’s hand by updating their own browser rules – as they have done in the past.

Make no mistake, these changes are positive news. Reducing lifecycles lessens the chances that a certificate can be compromised by a bad actor and used for malicious purposes. The changes could create short-term pain for those who are unprepared. Every business with a website uses public TLS certificates and will be impacted by this news. And each of these certificates is a potential single point of failure if not properly managed and secured. Therefore, the implications for businesses and governments are huge.

What are the changes and why do they matter?

TLS certificates are used to secure and authenticate machine to machine communication. They provide a machine – e.g. a server – with an identity. It is this system that enables your browser to know the site you’re visiting really is your personal bank and not a phishing page, for instance.

Businesses use thousands of TLS machine identities across every part of their infrastructure, from the cloud to the datacenter. The average enterprise currently has 3,730 TLS certificates, but that is expected to grow to over 5,000 within two years – and this doesn’t even account for the massive number of TLS machine identities associated with containerized workloads, which are exponentially higher. If any one of these is left to expire it can lead to an outage – and herein lies the challenge. Shortening lifecycles means that identities need to be renewed or replaced much more frequently, increasing the burden on developer and security teams, while also increasing the risk of outages and man-in-the-middle attacks.

And while the CA/B forum rule only applies to public TLS certificates, the need for shorter lifecycles applies across both public and private certificates. In fact, it’s arguable there is an even greater need to shorten lifecycles for certificates issued by private CAs – as they often have even longer lifecycles and are used for more sensitive internal systems – such as workloads, clusters and applications. The Google 90 day / Apple 45 day validity period for certificates serves as a great reminder for organizations to think about how certificates issued for internal workloads from a private CA is managed. More importantly, start to think about how to reduce the validity of certificates used by private workloads.

There may be trouble ahead…

When recently asked about their views on Google’s proposal to reduce public certificate lifespans to 90 days, 81% of security leaders said they believe it will amplify existing challenges they have around managing certificates. And nearly three-quarters (73%) said it could cause “chaos”, with 75% saying it could even make them less secure. Worryingly, 77% think more outages are “inevitable”. With Apple planning to cut certificate lifespans in half, things could get even more chaotic.

These incidents aren’t just inconvenient – they’re costly and devastating. While it wasn’t a certificate related issue, the recent Crowdstrike outage demonstrated just how damaging such an incident can be. Over a 72-hour period, the CrowdStrike outage caused a total of $5.4 billion in direct losses to Fortune 500 companies, with over 6,000 hospital appointments cancelled in the UK and approximately 16,896 flights cancelled worldwide.

As the number of machine identities such as TLS certificates increases and the renewal period for replacing them shortens, outages are likely to become the new normal – unless companies get ahead of the problem. To prevent reputational and financial damage, automation needs to be central to Machine Identity Security (MIS) strategies.

As the number of machine identities such as TLS certificates increases and the renewal period for replacing them shortens, outages are likely to become the new normal – unless companies get ahead of the problem. To prevent reputational and financial damage, automation needs to be central to Machine Identity Security (MIS) strategies.

An automated-first approach

The good news is there have been many advances in machine identity management and security that can enable a smooth transition. Mitigating these challenges will require automation to be built into machine identity management. By implementing a control plane, organisations can manage the entire lifecycle of machine identities – both public and private – and ensure all digital assets can effectively communicate with each other through secure connections.

Automated solutions to machine identity management must be designed with a unified and integrated set of abilities. Through visibility into certificate inventory, including key details such as who owns it, where it is installed, when it expires and most importantly, if identities are compliant to security policies, organizations can easily identify and resolve potential issues.

Furthermore, an automated renewal feature means IT teams don’t have to worry about updating certificates as it’s all done automatically. With real-time monitoring and reporting, all certificates can comply with 45-day lifespans, avoiding the downtime and disruption caused by expired certificates.

Staying ahead of the risks

With Apple’s recent proposal pushing for shorter certificate lifespans, the digital landscape is shifting faster than many businesses are prepared for. Organizations that don’t respond will face even greater risks as they become increasingly vulnerable to outages and security incidents.

Businesses must act now. By implementing automation and developing a robust machine identity security strategy, organizations can stay ahead of the curve and protect themselves from the outages and disruptions that are otherwise inevitable. This won’t likely be the last time certificate lifespans are shortened, so preparing now is vital. Businesses that priorities automation in their machine identity management will thrive in this new environment, ensuring operational stability and future growth.