Apple & Chrome propose reduced certificate lifetime

The lifetime of SSL/ TLS certificates continues to grow shorter. Chrome initially proposed reducing certificate lifespans to 90 days to enhance security and mitigate risks associated with compromised certificates. Apple took this initiative further, proposing a draft ballot to shorten the maximum validity period for public SSL/TLS certificates to just 47 days by 2028.

The move is expected to make a significant impact on digital security by pushing for even stricter measures to ensure the authenticity and safety of certificates. It could also reshape industry standards for certificate management, and if rumors are true, other prominent internet providers may support further efforts to reduce certificate lifespans.

The announcement adds to a series of ecosystem changes that teams are already navigating, such as Entrust distrust and the upcoming PCI-DSS 4 mandate

The downside of lifespan reduction

A rapidly expanding digital ecosystem brings the challenge of managing ongoing changes, not to mention the significant increase to certificate management by a staggering eightfold (up from x4 increase by Google). By reducing certification lifespans to just 47 days, Apple has significantly increased the pressure on security teams already concerned with Google’s 90-day limit.

In addition, existing automation tools could lead to workflow failure, with end-to-end processes missing certificates that need to be replaced. This includes an increased risk of mismanagement, leading to certificate expiry and costly service downtime alongside reputational damage. 

What benefits are expected?

It’s not all doom and gloom, as shorter certificate lifetimes come with strong advantages. Organizations will be better equipped to keep pace with changes in the ecosystem, especially as we move toward Post-Quantum Cryptography (PQC). A shorter life cycle promotes better security hygiene by encouraging more automation, resulting in frequent key rotations. This means compromised assets can be swiftly replaced, helping with revocations and reducing overall risk.

Reducing certificate lifetime will also lead to enhanced security, shortening the window for attackers to exploit compromised certificates. In larger organizations, automation is expected to grow, particularly through the use of AI to manage the volume of certificates in rotation. This shift reduces the potential of human error leading to tighter cybersecurity overall. 

Let Red Sift Certificates support you

At Red Sift, we understand the pain that comes with new updates and the pressure on your organization to adapt. Our Red Sift Certificates application continuously ingests and monitors every public certificate issued, tracking real-time changes to provide comprehensive oversight and immediate alerts for potential security risks.

Preventing downtime from expired or misconfigured certificates will be critical to an organization’s risk management. While options for mitigation through cloud provider tools or certificate authorities exist, automation isn’t foolproof. Red Sift Certificates provides a more comprehensive solution, offering complete discovery, expiration monitoring, and configuration checks—all in one package. This level of visibility and control is something that other solutions simply can’t match.

Chrome and Apple may have fired the starting gun on the reduction of certificate lifetimes, but Red Sift is here to ensure you win the race. Reduce the pressure to adapt by adopting Red Sift Certificates and streamline your organization’s certification management. By automating your inventory, you can prevent misuse, avoid downtime and stay compliant—speak to the Red Sift team today.

PUBLISHED BY

Jack Lilley

22 Oct. 2024

SHARE ARTICLE:

Categories

Recent Posts

VIEW ALL
BEC

The threat of Business Email Compromise in US healthcare

Jack Lilley

Executive summary: Business Email Compromise is siphoning billions from U.S. healthcare by exploiting human trust instead of software flaws. Spoofed or hijacked messages authorize fraudulent payments, spark ransomware, and expose patient data—causing crippling financial, operational, and compliance damage. Deploying DMARC, MFA, and rigorous multi-person payment checks is now critical. 3 key takeaways Business Email…

Read more
Email

Cloudflare selects Red Sift as a preferred partner to provide DMARC and…

Rebecca Warren

AI-generated email attacks are rapidly growing in scale and sophistication, demanding stronger defenses from at-risk organizations. Starting today, Red Sift is excited to announce a new strategic partnership with Cloudflare, the leading connectivity cloud company, to deliver its market-leading email security application, Red Sift OnDMARC, to a broader global audience.  Today’s alignment enhances Cloudflare’s…

Read more
Cybersecurity

New Zealand moves to mandate DMARC enforcement

Jack Lilley

Executive summary: New Zealand’s Secure Government Email Framework mandates DMARC at p=reject—plus hard-fail SPF, universal DKIM, enforced MTA-STS, and TLS-RPT—by October 2025. The rules replace SEEMail, curb soaring phishing losses, and will affect every organization that emails the public sector. Key takeaways: The New Zealand Government has recently published the Secure Government Email (SGE) Common…

Read more
BEC

DMARC: The best ROI for your organization

Jack Lilley

Executive summary: Implementing DMARC delivers one of the clearest, fastest returns on investment in email security. By authenticating outgoing mail and blocking spoofed messages, DMARC cuts the direct costs of phishing and Business Email Compromise, safeguards brand reputation, and boosts deliverability—ultimately driving revenue and trimming operational workload. Key takeaways: Email is a critical communication tool for…

Read more