How to manage your TLS certificates under Google’s new rules?


From September 1st 2020, major web browsers will block TLS certificates that have a validity period of longer than 398 days (approximately 13 months). If you use TLS certificates on your website(s), as most organisations do, this could have a significant impact on you. Managing them will become much more complex, and if you lose control of them there’s a risk that browsers will block your website and show it as unsafe.

What are the recent changes?

Google and Mozilla have followed Apple’s lead in limiting the validity period of TLS certificates to 398 days. From September 1st 2020, browsers including Chrome, Safari and Mozilla Firefox will allow a maximum lifetime for these certificates of approximately 13 months – certificates with longer lifespans will be blocked.

What are the pros and cons?

Browser owners say it will help to limit exposure to compromise by only allowing certificates with a shorter validity period. It will also allow more agility in responding to major incidents and upgrading to more secure technology, and it will ensure that the information held in certificates is kept up to date.

Certificate authorities are less positive about the change, however. Last year, Google filed a proposal for this limitation at the CA/Browser Forum, where the major browser vendors and certificate authorities discuss such topics. Back then, most of the certificate authorities voted against the proposal, as they were concerned it would increase the amount of work and complexity involved in managing certificates.

Despite this, Apple decided to implement the measure within Safari at the beginning of this year to protect its users against the potential fraudulent use of certificates. And now Google and Mozilla have followed suit.

What are TLS certificates?

TLS stands for Transport Layer Security and is a cryptographic protocol that enables secure communications over networks. It’s the technology that ensures your internet connection is protected and prevents data in transit from being read or tampered with by attackers.

Websites use TLS certificates to prove their identity and show they’re secure. When a browser tries to connect to a website with a TLS certificate, it asks the web server to identify itself, and the server presents its certificate. The browser then checks that the certificate is valid and trusted and, if it is, browser and server establish the secure connection.

What does this mean for me?

If your organisation uses TLS certificates that don’t comply with the browsers’ new maximum validity requirement of 398 days, your certificates will be blocked. This may mean that visitors to your website will get a warning, or that they won’t be able to reach your website at all.

This can have significant negative consequences in terms of reducing your sales or enquiries, and damaging trust in your brand. It means you’ll need to monitor and manage your TLS certificates stringently to prevent them expiring without your knowledge and then being blocked.

Alongside this, a variety of risks may arise when managing certificates with shorter lifespans:

  • Because of their complexity, the processes involved may take too long to respond adequately to expiring certificates.
  • To keep pace with the work required, there’s a danger of rushing processes and not executing them properly.
  • Administrators may be tempted to circumvent these processes altogether and, out of time pressure, turn to less secure self-signed certificates.

How to manage TLS certificates effectively

To mitigate these risks and ensure your TLS certificates comply with browsers’ requirements, you’ll need to ensure robust certificate management using well-defined processes, skilled personnel and supporting technology. This will not only prevent your websites from being blocked, it will show visitors to your website that you comply with strict security standards and can be trusted.

“By 2020, we expect that companies that are digitally trustworthy will generate 20% more online profit than those that aren’t.” – Gartner.

It will be crucial to follow these steps:

  1. Create well-defined procedures and processes. Clear guidance on how to register, validate, issue, revoke and renew certificates will help your administrators and certificate operators to manage their digital certificates, so they stay in control of them throughout their lifecycle.
  2. Recruit and educate. You’ll need the right people in place to ensure your certificates can be managed properly. You’ll also need to educate and train them, so they understand the principles of digital certificates and the various processes involved in managing them.
  3. Use a certificate management system. This will ensure your people have just one application where they can manage digital certificates effectively and securely. It will notify them about certificates that are due to expire and will enable them to easily create reports and find other certificates in your infrastructure.
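As an added example (not part of the original article, and not code from BlueX eID Management), the following Python script shows the kind of check a certificate management process should run on every certificate it tracks: it computes each certificate’s validity period and the days left until expiry, flags lifetimes over 398 days, and flags certificates that are approaching a renewal threshold. It works on the dictionary shape that Python’s standard `ssl` module returns from `getpeercert()`, so the same check can be run against a live server with the included `fetch_peer_cert` helper. The three sample certificates, the 30-day renewal threshold and the fixed reference date are constructed for this example. One caveat the browser policies make explicit: the 398-day limit applies to certificates issued on or after 1 September 2020, so an older long-lived certificate is not retroactively blocked, and the script treats it accordingly.

```python
import socket
import ssl
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Maximum validity period the browsers accept for certificates issued on or
# after 1 September 2020 (the change described in the article).
MAX_VALIDITY_DAYS = 398
POLICY_START = datetime(2020, 9, 1, tzinfo=timezone.utc)
# Assumed renewal threshold for this example; set it to match your own process.
RENEWAL_WARNING_DAYS = 30


@dataclass
class LifetimeReport:
    subject: str
    validity_days: float         # notAfter minus notBefore, in days
    days_until_expiry: float     # negative once the certificate has expired
    exceeds_browser_limit: bool  # issued under the new rule and longer than 398 days
    renewal_due: bool            # expires within RENEWAL_WARNING_DAYS
    expired: bool


def _subject_cn(cert: dict) -> str:
    """Return the commonName from the nested 'subject' tuples that getpeercert() produces."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return "<unknown>"


def _parse_cert_time(value: str) -> datetime:
    """getpeercert() gives times like 'Sep  1 00:00:00 2020 GMT'; ssl parses them as UTC."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def check_certificate_lifetime(cert: dict, now: Optional[datetime] = None) -> LifetimeReport:
    """Evaluate one certificate (in getpeercert() dict form) against the lifetime rule."""
    now = now or datetime.now(timezone.utc)
    not_before = _parse_cert_time(cert["notBefore"])
    not_after = _parse_cert_time(cert["notAfter"])
    validity_days = (not_after - not_before).total_seconds() / 86400
    days_until_expiry = (not_after - now).total_seconds() / 86400
    # The limit applies to certificates issued on or after the policy start date;
    # older long-lived certificates keep working until they expire.
    subject_to_limit = not_before >= POLICY_START
    return LifetimeReport(
        subject=_subject_cn(cert),
        validity_days=validity_days,
        days_until_expiry=days_until_expiry,
        exceeds_browser_limit=subject_to_limit and validity_days > MAX_VALIDITY_DAYS,
        renewal_due=0 <= days_until_expiry <= RENEWAL_WARNING_DAYS,
        expired=days_until_expiry < 0,
    )


def fetch_peer_cert(host: str, port: int = 443) -> dict:
    """Fetch the certificate a live server presents. Needs network access; not used by the sample run."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates, in the same dict shape that getpeercert() returns.
SAMPLE_CERTS: List[dict] = [
    {"subject": ((("commonName", "ok.example"),),),
     "notBefore": "Sep  1 00:00:00 2020 GMT", "notAfter": "Oct  4 00:00:00 2021 GMT"},
    {"subject": ((("commonName", "two-year.example"),),),
     "notBefore": "Sep  1 00:00:00 2020 GMT", "notAfter": "Sep  1 00:00:00 2022 GMT"},
    {"subject": ((("commonName", "legacy.example"),),),
     "notBefore": "Aug  1 00:00:00 2020 GMT", "notAfter": "Aug  1 00:00:00 2022 GMT"},
]
# Fixed reference time so the sample run is reproducible.
REFERENCE_NOW = datetime(2021, 9, 20, tzinfo=timezone.utc)


def run_sample_check() -> List[LifetimeReport]:
    """Run the lifetime check over the constructed samples at the fixed reference time."""
    return [check_certificate_lifetime(c, now=REFERENCE_NOW) for c in SAMPLE_CERTS]


if __name__ == "__main__":
    for report in run_sample_check():
        flags = []
        if report.exceeds_browser_limit:
            flags.append("BLOCKED BY BROWSERS (>398 days)")
        if report.expired:
            flags.append("EXPIRED")
        elif report.renewal_due:
            flags.append("RENEW SOON")
        print(f"{report.subject:18} lifetime {report.validity_days:6.1f} d, "
              f"expires in {report.days_until_expiry:6.1f} d  {' '.join(flags)}")
```

Run as a script it prints one line per sample: the 398-day certificate passes the limit but is due for renewal, the two-year certificate issued after the policy start is flagged as blocked, and the two-year certificate issued in August 2020 is left alone because it predates the rule. Feeding `fetch_peer_cert("your-host")` into `check_certificate_lifetime` runs the same check on a live server.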

We’re here to help

Our certificate management solution, BlueX eID Management, is built on decades of PKI experience and will help you take full control of your TLS certificates and other digital certificates.

Want to find out more or join us in our mission to establish digital trust and secure communications? Please get in touch.

Colin van den Heuvel, Business Consultant