Are you 90-Day Ready? Tech Alone Won’t Prepare You

May 1, 2024 Florin Lazurca


If your organization isn’t already discussing it, it’s time to ask: how will radically shorter TLS certificates impact our operations?

Why act now?

Transitioning to a 47-day or 90-day TLS standard requires coordinated efforts across people, processes and technology. This takes time. Change management takes time.

Google understands this. When Google proposed in March of 2023 to shorten certificate lifespans to 90 days, it gave many reasons, based on security and other factors. And then in October of 2024, Apple upped the ante with a draft proposal to the CA/B Forum for a transition to 47-day certificate lifespans. Regardless of the ultimate outcome, now is the time to prepare. The bottom line is that if your organization is ready to implement and deploy critical 90-day automations across the organization, you will also be prepared to support even shorter certificate lifespans, such as the 47-day lifespan proposed by Apple. Either way, you’ll need a detailed plan, visibility to eliminate outages, process and policy reviews, and clear roles and responsibilities.

But the factor you should be most concerned with is time. The industry is giving you time to get ready for shorter certificates. Apple’s draft ballot aims to gradually reduce certificate lifespans from the current standard of 398 days to a mere 47 days by 2028, with key milestones at 200 days in 2026 and 100 days in 2027. But the preparation path is the same for all of these shorter certificate lifespans. Do you have the time you need to get your organization ready?

To prepare for shorter certificate lifespans, you need to determine the time required, identify capability gaps and develop a roadmap to avoid cutover day outages. What about any capability gaps? What does the roadmap need to look like?

Start the research. Start the planning. There will be nothing worse than waking up to a 90-day go-live date announcement, only to later find that your organization doesn’t have the time it needs to implement this transformational change broadly across your organization so that it can succeed.

That’s because certificate lifecycle automation for shorter-lived certificates is more than just a collection of technologies that enable more frequent renewals. It’s also a discipline that your organization needs to adopt to guarantee success in the impending world of 90-day certificates. Automating TLS certificate lifecycles streamlines management and renewal, reduces manual errors and enhances security. Without automation, you’ll be hard pressed to establish an accurate certificate inventory, reduce outage risks, enhance security posture and ensure organizational agility to swiftly adapt to changing needs and future challenges like post-quantum cryptography.

But if you don’t complement significant changes in your certificate lifecycle automation strategy with equally significant changes in your processes—including re-education of certificate owners—you’re not going to make the headway you need to succeed. Preparing your organization to successfully implement and organizationally deploy critical automations requires a detailed roadmap, visibility to eliminate outages, process and policy reviews, and clear roles and responsibilities.

This challenge scales with organizational size and requires more than technical steps—it involves the entire PKI, including policies, hardware and software. But it also requires participation across an even wider range of teams, certificate owners and consumers. Successfully automating the renewal of TLS certificates before a shorter TLS standard takes effect requires that your organization overcome a series of intricate challenges to ensure seamless, secure certificate management and renewal processes now and well into the future.

The Industry’s Only Comprehensive Solution to Migrate to Shorter Certificate Lifespans

To help our customers successfully navigate the transition to shorter certificate lifespans across people, process and technology, we’ve put together a comprehensive 90-Day TLS Readiness solution.

This industry-first, end-to-end solution combines essential technology and expert services to ensure a smooth, secure transition to shorter certificate lifespans—whether they are 200, 100, 90 or 47 days.

The solution combines expert Professional Services with TLS Protect to deliver full visibility and control over TLS certificates across environments, to proactively identify and map TLS certificates across the organization—providing a comprehensive certificate inventory and renewal schedules—and to automate the entire lifecycle management of TLS certificates.

The solution enhances security posture and supports digital transformation by integrating with various environments, simplifying certificate management and preventing outages. To complement that, Venafi Professional Services further ensures readiness through tailored support across all TLS certificates to ensure seamless renewal and compliance with shorter standards for certificate lifecycles.

Organizational Readiness is Critical

The 90-Day TLS Readiness Solution helps enterprises accelerate their transition to impending standards for shorter TLS certificates, merging technology with expert services for a seamless shift. This unique, orchestrated approach ensures alignment across your organization—promoting automation, minimizing disruptions and enhancing cybersecurity posture in compliance with NIST recommendations. The solution is built around a control plane for machine identities, which offers visibility to effectively manage 90-day or shorter certificates, coupled with the intelligence for ongoing monitoring and policy enforcement. This comprehensive solution not only streamlines certificate renewal processes but also strengthens security posture, ensuring organizations can confidently navigate the complexities of shorter certificate lifespans.

Technology is Still a Key Success Factor

As organizations brace for the transition to a 47- or 90-day TLS standard, TLS Protect stands out as an essential tool for navigating this change. It offers unmatched visibility and control over TLS certificates across diverse environments and provides a platform for automating the renewal process to avoid costly outages and ensure continuous compliance. This capability is important for maintaining the trust and integrity of digital communications in an increasingly stringent cybersecurity landscape. TLS Protect also enables businesses to respond swiftly to emerging threats and adapt to new regulatory demands with ease. Moreover, the integration capabilities of TLS Protect extend its utility beyond mere compliance, facilitating a seamless and secure digital transformation journey for enterprises aiming to stay ahead in a rapidly evolving digital ecosystem.

Everything in Certificate Lifecycle Management (CLM) is predicated on having an accurate inventory. Think about it—it’s the lifecycle of certificates in your inventory that gets managed. If your CLM solution doesn’t incorporate multi-layered false positive mitigation technology into its internet-based discovery capabilities, you’ll be left with an inaccurate inventory of the certificates. For example, if your CLM solution relies heavily on certificate transparency logs to inventory your TLS certificates, this will result in a staggering number of false positives. So, you’ll have to budget time each day to manually suppress false positives one-by-one to determine which certificates were issued but shouldn’t be managed. Granted, you can always update the inventory yourself. But shouldn’t your CLM solution maintain an accurate inventory for you, freeing you to do more valuable things than matching lists? With 5-10x the number of certificates looming, be sure you’re not signing up for 5-10x the false positives.

90-Day TLS Readiness Solution: Key Features

Prepare for 90-day certificates and you’ll be ready for even shorter certificate lifespans as well as the ultimate move to quantum-ready certificates.

  • Readiness Assessment. Initiates the transition to the 90-day standard by identifying critical areas needing attention, ensuring focused and effective readiness efforts.
  • Certificate Validated Discovery. Uncovers all certificates—especially those not compliant with the new standard—to understand the project’s full scope.
  • Enterprise Impact. Evaluates the potential risks and costs associated with non-compliance, aiding in prioritization and mitigation strategies.
  • Critical Automations. The critical automations required by your enterprise to ensure a seamless cutover to the 90-day TLS certificate standard.
  • Critical Workflows. Streamline and enforce critical workflows associated with the management, renewal and compliance of 90-day TLS certificates.
  • Ready Enterprise Roadmap. Provides a detailed action plan, ensuring all parts of the organization move in unison towards 90-day TLS certificate readiness.
  • Implementation Guidance. Delivers expert services to navigate the transition, emphasizing the seamless implementation of necessary automations.
  • Enterprise Readiness Validation. Validates readiness for the 90-day TLS certificate standard, ensuring all aspects of the transition have been assessed and offering assurance that the organization will be compliant and secure.
  • Enterprise Certification. Demonstrates and provides assurance of the enterprise’s 90-day readiness among vendors, partners and customers to meet and exceed security standards recommended by bodies like NIST.
  • Enterprise Enablement. Equips teams with the knowledge and skills to navigate the transition to 90-day TLS certificates seamlessly, ensuring readiness and compliance.

Now Is the Time to Get Ready

Preparing now for a 47- or 90-day TLS certificate standard is essential to ensure your organization’s smooth transition, minimize outages and maintain compliance. The 90-Day TLS Readiness Solution provides the tools and services needed for this adaptation, offering comprehensive visibility, automation and professional guidance to navigate the complexities of shorter certificate lifespans efficiently.

Florin Lazurca is head of technical marketing for machine identity security at CyberArk.
