Industry push for shorter SSL certificate lifespans
Apple and Google, the titans of the tech industry, are shaking things up by proposing significantly shorter SSL/TLS certificate lifespans. These digital certificates, crucial for securing online communication, have seen their validity shrink from years to just 398 days today. Now, Apple wants to cut that down to 45 days by 2028, claiming this will reduce the risk of cyberattacks exploiting orphaned domain names. On paper, it sounds reasonable: if you limit the time a certificate is valid, you reduce the window for attackers to exploit them.
Here’s the catch: experts aren’t convinced this solves the real problem. Hackers can still operate within a 45-day window, and some argue it’s more about vendors pushing for automation tool sales than addressing a major threat.
As Jon Nelson of Info-Tech Research Group bluntly puts it, “This isn’t one of the top ten problems that needs to be solved.” For context, orphaned domain names arise when companies reserve web addresses for future projects, then abandon them. Attackers can hijack these unused domains to launch phishing attacks. While shortening certificate lifespans may reduce risks slightly, the impact appears marginal.
This debate leads to a bigger question: are we solving real problems or chasing theoretical ones?
Increased burden on IT departments
Now, let’s talk about the massive operational burden these changes will impose on IT teams. Currently, renewing an SSL certificate once a year is manageable. But imagine doing it every six weeks. That’s an eightfold increase in workload, and for large enterprises juggling hundreds of certificates, it’s like turning a manageable task into a constant scramble.
Renewing a certificate isn’t just a matter of clicking a button. It involves coordinating with certification authorities, ensuring seamless server integration, and avoiding disruptions. Every missed step can lead to those dreaded browser warnings that scare users away. Without automation, this process will eat up time, increase costs, and open the door for human error.
For C-suite executives, the takeaway is clear: shorter certificate cycles mean your IT teams will need more resources or smarter tools. If you’re not thinking about automation yet, it’s time to start.
Automation as a solution, but with risks
Automation is the lifeline for IT departments facing these new certificate requirements. Through automating the renewal process, businesses can stay ahead of the curve, reduce errors, and save valuable time. Tools like certificate lifecycle management (CLM) systems handle the entire process, from obtaining new certificates to deploying them across servers. However, it’s not all sunshine and rainbows.
Relying on third-party automation tools introduces security risks. Recent incidents, like the 2024 CrowdStrike update that brought down millions of devices, serve as cautionary tales. The key is balance. Companies like Hearst are smartly adopting automation while creating “virtual fences” to limit third-party access to critical systems. As their CIO, Atti Riazi, notes, larger organizations have the resources to impose controls and protect their core systems while leveraging external tools for efficiency.
The lesson? Automation is essential, but it must be implemented thoughtfully. It’s about maximizing efficiency without compromising security.
Expired certificates disrupt website operations
Here’s a scenario that keeps IT leaders awake at night: an SSL certificate expires, and suddenly, your website traffic plummets. When certificates expire, most users are greeted with alarming browser warnings. While the website itself may still function, visitors are immediately put on edge, and many won’t risk proceeding.
But the damage doesn’t stop there. Expired certificates can cause more than just a drop in site traffic. Many of these certificates are critical for server-to-server communication, the foundation of modern IT infrastructure. When a certificate lapses, these communications can break down, leading to cascading failures across internal systems. In the worst cases, key processes grind to a halt, costing both time and revenue.
Tim Callan of Sectigo sums it up well: visitors rarely bypass those browser warnings, and system outages caused by expired certificates can escalate quickly. For C-suite leaders, the message is simple: ensuring certificates are up-to-date isn’t only an IT task, but is actually vital to maintaining business continuity and user trust.
Practical implementation and timeline skepticism
While the push for shorter certificate lifespans is gaining momentum, don’t expect sweeping changes overnight. Industry experts remain skeptical about Apple’s ambitious timeline to enforce 45-day lifespans by 2028. Even Google’s six-month certificate validity proposal, floated years ago, has faced delays. Change in the tech industry is rarely instantaneous—it’s an evolution, not a revolution.
For many enterprises, modern hosting platforms like Cloudflare, AWS, and Azure already provide automated certificate management. This reduces the manual burden on IT teams and ensures smooth operations even with shorter lifespans.
As Himanshu Anand from c/side points out, most public-facing platforms are now designed to minimize the need for direct IT intervention.
However, not all companies are in the same position. Smaller organizations or those relying on legacy systems will need to adapt quickly to avoid falling behind.
Alex Lanstein of StrikeReady remains doubtful about the timeline, predicting delays and incremental changes. The takeaway? While the shift to shorter lifespans may be inevitable, businesses have time to prepare, implement automation, and develop strategies that align with their security needs and operational capabilities. Being proactive now will pay dividends in the long run.
Key takeaways for decision-makers
- Accelerated certificate lifespans: Industry leaders are pushing for SSL certificates to expire every six weeks, significantly increasing workload for IT departments. Decision-makers should evaluate and invest in automation solutions to streamline frequent renewals and minimize manual errors.
- Emphasis on automation: Shorter certificate cycles necessitate robust automation strategies. Leaders should prioritize implementing or refining automation tools while establishing strict security protocols to mitigate third-party risk and maintain system integrity.
- Balancing security and practicality: The rationale for shorter certificates is to reduce exploit windows for cyberattacks, yet experts question its effectiveness. Executives should focus on comprehensive risk assessments, balancing certificate strategies with broader security measures rather than relying solely on shorter lifespans.
- Mitigating disruption from expired certificates: Expired certificates can lead to user trust issues and internal system failures. Organizations must develop clear renewal processes and contingency plans to prevent downtime and maintain seamless operations.
