Apple & Chrome propose reduced certificate lifetime

The lifetime of SSL/ TLS certificates continues to grow shorter. Chrome initially proposed reducing certificate lifespans to 90 days to enhance security and mitigate risks associated with compromised certificates. Apple took this initiative further, proposing a draft ballot to shorten the maximum validity period for public SSL/TLS certificates to just 47 days by 2028.

The move is expected to make a significant impact on digital security by pushing for even stricter measures to ensure the authenticity and safety of certificates. It could also reshape industry standards for certificate management, and if rumors are true, other prominent internet providers may support further efforts to reduce certificate lifespans.

The announcement adds to a series of ecosystem changes that teams are already navigating, such as Entrust distrust and the upcoming PCI-DSS 4 mandate

The downside of lifespan reduction

A rapidly expanding digital ecosystem brings the challenge of managing ongoing changes, not to mention the significant increase to certificate management by a staggering eightfold (up from x4 increase by Google). By reducing certification lifespans to just 47 days, Apple has significantly increased the pressure on security teams already concerned with Google’s 90-day limit.

In addition, existing automation tools could lead to workflow failure, with end-to-end processes missing certificates that need to be replaced. This includes an increased risk of mismanagement, leading to certificate expiry and costly service downtime alongside reputational damage. 

What benefits are expected?

It’s not all doom and gloom, as shorter certificate lifetimes come with strong advantages. Organizations will be better equipped to keep pace with changes in the ecosystem, especially as we move toward Post-Quantum Cryptography (PQC). A shorter life cycle promotes better security hygiene by encouraging more automation, resulting in frequent key rotations. This means compromised assets can be swiftly replaced, helping with revocations and reducing overall risk.

Reducing certificate lifetime will also lead to enhanced security, shortening the window for attackers to exploit compromised certificates. In larger organizations, automation is expected to grow, particularly through the use of AI to manage the volume of certificates in rotation. This shift reduces the potential of human error leading to tighter cybersecurity overall. 

Let Red Sift Certificates support you

At Red Sift, we understand the pain that comes with new updates and the pressure on your organization to adapt. Our Red Sift Certificates application continuously ingests and monitors every public certificate issued, tracking real-time changes to provide comprehensive oversight and immediate alerts for potential security risks.

Preventing downtime from expired or misconfigured certificates will be critical to an organization’s risk management. While options for mitigation through cloud provider tools or certificate authorities exist, automation isn’t foolproof. Red Sift Certificates provides a more comprehensive solution, offering complete discovery, expiration monitoring, and configuration checks—all in one package. This level of visibility and control is something that other solutions simply can’t match.

Chrome and Apple may have fired the starting gun on the reduction of certificate lifetimes, but Red Sift is here to ensure you win the race. Reduce the pressure to adapt by adopting Red Sift Certificates and streamline your organization’s certification management. By automating your inventory, you can prevent misuse, avoid downtime and stay compliant—speak to the Red Sift team today.

PUBLISHED BY

Jack Lilley

22 Oct. 2024

SHARE ARTICLE:

Categories

Recent Posts

VIEW ALL
DMARC

400,000 DMARC boost after Microsoft’s high-volume sender update

Jack Lilley

Microsoft’s decision to join Google and Yahoo in enforcing stricter rules for high-volume senders has triggered an immediate response across the internet. In the last 30 days alone, 406,042 new domains have deployed Domain‑based Message Authentication, Reporting & Conformance (DMARC), pushing the global total to 10.9 million. While not all domains will be exclusive Outlook users,…

Read more
DMARC

Red Sift partners with Gradian to strengthen email security through OnDMARC

Jack Lilley

Today Red Sift launches a new partnership with Gradian, a leading data protection provider, to offer its award-winning applications, including Red Sift OnDMARC, to new and existing customers. Established through Red Sift’s relationship with UK distributor E92plus, the two companies look to strengthen defences against phishing and Business Email Compromise (BEC) attacks. Allowing organisations…

Read more
Cybersecurity

DMARCbis: What are the changes and how to be ready

Jack Lilley

Executive Summary: DMARCbis, also known as DMARC 2.0, is the forthcoming update to the DMARC email authentication protocol, designed to address limitations and ambiguities in the original standard, with an expectation to be finalized and published in 2025. The update introduces clearer guidelines, a new method for determining organizational domains, and streamlined record management.…

Read more
Certificates

TLS certificates are changing: What you need to know

Jack Lilley

Executive summary: TLS certificates are about to get significantly shorter-lived. Starting 15 March 2026, newly issued public-trust certificates will max out at 200 days—and just three years later, that lifespan drops to 47 days. Backed by Google, Apple, and Mozilla, this shift aims to make the web safer through fresher data, faster failover, and…

Read more