Short-lived certificates require automation
The issue
A few years ago we had certificates with lifetimes of several years; today one year is the maximum from publicly trusted certificate authorities (CAs). But the industry [1][2] is pushing towards 90-day, or even 7-day, validity. As validity gets shorter and shorter, automation is a must!
Currently, our proposed maximum TLS server authentication subscriber certificate validity is ninety (90) days. — Google in the Chromium project [2]
Challenges with 90-Day Certificate Validity
As the industry moves toward a standard of 90-day certificate validity, organizations face additional burdens in managing frequent renewals. Shorter lifespans require more automation and robust tracking systems to prevent lapses in security. Without proper infrastructure, businesses risk an increase in expired certificates, leading to service outages and compliance violations. Furthermore, manual renewal processes become unsustainable at scale, making centralized certificate management and automation essential to maintaining security and operational efficiency.
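As an added illustration of the "robust tracking" the paragraph calls for (this is example code written for this page, not part of the original post or of any vendor tool), here is a small Go program that uses only the standard library. It builds self-signed test certificates with 90-day and 7-day lifetimes (constructed data, not real certificates), parses them back from PEM as an automation job would, and applies an assumed renewal policy of "renew once less than a third of the lifetime remains". The fraction is a parameter; the point is that the same check keeps working whether the lifetime is a year, 90 days or 7 days, which is what makes it suitable for an unattended renewal job rather than a calendar reminder.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Lifetime returns the validity period (NotAfter - NotBefore) of a certificate.
func Lifetime(cert *x509.Certificate) time.Duration {
	return cert.NotAfter.Sub(cert.NotBefore)
}

// RenewalDue reports whether the certificate should be renewed at time now,
// using the policy "renew once less than `fraction` of the lifetime remains".
// With fraction = 1/3 (the assumed policy in this example) a 90-day certificate
// is renewed with ~30 days left and a 7-day certificate with ~2.3 days left.
func RenewalDue(cert *x509.Certificate, now time.Time, fraction float64) bool {
	remaining := cert.NotAfter.Sub(now)
	threshold := time.Duration(float64(Lifetime(cert)) * fraction)
	return remaining <= threshold
}

// DaysRemaining returns whole days until NotAfter (negative once expired).
func DaysRemaining(cert *x509.Certificate, now time.Time) int {
	return int(cert.NotAfter.Sub(now).Hours() / 24)
}

// MakeTestCert builds a self-signed certificate with the given validity window.
// It stands in for a certificate read from a server or a file: constructed
// test data for this example, not a certificate from any real CA.
func MakeTestCert(cn string, notBefore time.Time, validity time.Duration) (*x509.Certificate, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(validity),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	pemBytes := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return cert, pemBytes, nil
}

// ParsePEMCert parses the first CERTIFICATE block in a PEM bundle, which is
// the form an automation job usually receives certificates in.
func ParsePEMCert(pemBytes []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE block found")
	}
	return x509.ParseCertificate(block.Bytes)
}

func main() {
	issued := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	checkAt := issued.Add(5 * 24 * time.Hour) // the job runs on day 5 after issuance
	for _, lifetime := range []time.Duration{365 * 24 * time.Hour, 90 * 24 * time.Hour, 7 * 24 * time.Hour} {
		_, pemBytes, err := MakeTestCert("example.test", issued, lifetime)
		if err != nil {
			panic(err)
		}
		cert, err := ParsePEMCert(pemBytes)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s lifetime=%dd remaining=%dd renew-now=%v\n",
			cert.Subject.CommonName, int(Lifetime(cert).Hours()/24),
			DaysRemaining(cert, checkAt), RenewalDue(cert, checkAt, 1.0/3))
	}
}
```

Run this as a scheduled job against your real certificate inventory and the 7-day certificate is the one flagged on day 5; the 365-day and 90-day ones are not. The decision never depends on someone remembering an expiry date, which is the property the paragraph above is asking for.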
The solution - automation
Obviously, automation is a must as validity gets shorter and shorter. But how?
One way to do it is to implement a little bit of ACME here and there, SCEP somewhere else, and some clever scripting in yet another corner of the organization. However, with ACME implemented one way in the Kubernetes cluster, ACME implemented another way in the Web Application Firewall, and so on, your organization will run into all the challenges of fragmented certificate management.
Another way, at the potentially high cost of a hard CA and/or platform dependency, is to get a certificate lifecycle management tool from a specific CA or to use built-in platform features for certificate management.
Our approach with Managed Keys is to get all the keys in the organization managed, with central policy governance, and fully automated - using the best certificate/key type for each use case, regardless of ever-changing requirements and platforms.
Managed Keys in two simple steps
- Get the overview - Using our tools and proven processes, you can quickly and at a low cost get an assessment of the current situation.
- Implement automation - Managed Keys is independent of target platform, certificate source etc. and ensures you can keep the overview and stay compliant across the entire organization.