Wednesday, February 18, 2026

TLS Cert Rotation Lifetime Compression

One way that vendors and customers are forcing improvements in the security posture of the web public key infrastructure (PKI) is by progressively shortening the certificate lifetimes mandated by the TLS Baseline Requirements (TBRs).  Apple led the charge in 2025 with CA/Browser (CA/B) Forum Ballot SC-081v3.  The measure was overwhelmingly approved, and certificate authorities and browser vendors have begun preparing to support the following TLS certificate lifetime reduction schedule:

Root CA Validity
- Between 2922 days (approximately 8 years) and 9132 days (approximately 25 years)

Short-lived Subscriber Certificates
- Certificates issued between March 15, 2024 and March 15, 2026 have a maximum validity period of 10 days
- Certificates issued after March 15, 2026 have a maximum validity period of 7 days

Domain Name and IP Address (Subject Alternative Name [SAN]) validation data reuse periods
- Certificates issued before March 15, 2026 have a validity period of up to 398 days
- Certificates issued between March 15, 2026 and March 15, 2027 have a validity period of up to 200 days
- Certificates issued between March 15, 2027 and March 15, 2029 have a validity period of up to 100 days
- Certificates issued after March 15, 2029 have a validity period of up to 10 days

Subscriber Certificate Subject Identity Information and validation data reuse periods
- Certificates issued before March 15, 2026 have a validity window of up to 825 days
- Certificates issued on or after March 15, 2026 have a validity window of up to 398 days

Subscriber Certificate operational periods and key pair usage periods
- Certificates issued before March 15, 2026 have a validity period of up to 398 days
- Certificates issued between March 15, 2026 and March 15, 2027 have a validity period of up to 200 days
- Certificates issued between March 15, 2027 and March 15, 2029 have a validity period of up to 100 days
- Certificates issued after March 15, 2029 have a validity period of up to 47 days

What does this mean to you?  Enterprises need to automate the detection, validation, issuance and deployment of certificates across their infrastructure as soon as possible.  There are many ways to detect certificates, but the easiest is to use the openssl command to check the validity period of the certificate served at a target <host>:<port>.  For example: 

echo|openssl s_client -connect <database_host>:2484 2>&1 | openssl x509 -noout -text|egrep "^Certificate:|^        Issuer:|^        Subject|^        Validity|^            Not "
Certificate:
        Issuer: C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", OU = http://certs.starfieldtech.com/repository/, CN = Starfield Secure Certificate Authority - G2
        Validity
            Not Before: Oct 27 17:49:47 2024 GMT
            Not After : Nov  6 16:19:28 2025 GMT
        Subject: CN = hrdb.dbauthdemo.com
        Subject Public Key Info:
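As an added example (not code from the original post), the following Python script parses the Validity block of the openssl output shown above and checks the certificate's lifetime against the Subscriber Certificate operational period schedule listed earlier. The sample input is constructed from the output above, and treating each March 15 boundary date as the first day of the stricter tier is an assumption.

```python
import math
import re
from datetime import datetime, timezone

# Maximum subscriber-certificate operational period, in days, by issuance
# date, taken from the schedule in the post. Assumption: a boundary date
# (March 15) belongs to the stricter tier that starts on that day.
LIFETIME_TIERS = [
    (datetime(2029, 3, 15, tzinfo=timezone.utc), 47),
    (datetime(2027, 3, 15, tzinfo=timezone.utc), 100),
    (datetime(2026, 3, 15, tzinfo=timezone.utc), 200),
]
DEFAULT_MAX_DAYS = 398  # applies to anything issued before March 15, 2026

# Constructed sample: the relevant lines as printed by `openssl x509 -text`.
SAMPLE_OPENSSL_TEXT = """\
Certificate:
        Issuer: C = US, O = "Starfield Technologies, Inc.", CN = Starfield Secure Certificate Authority - G2
        Validity
            Not Before: Oct 27 17:49:47 2024 GMT
            Not After : Nov  6 16:19:28 2025 GMT
        Subject: CN = hrdb.dbauthdemo.com
"""

def parse_openssl_time(value):
    """Parse 'Nov  6 16:19:28 2025 GMT'; openssl pads single-digit days with a space."""
    normalized = " ".join(value.split())
    return datetime.strptime(normalized, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

def max_lifetime_days(not_before):
    """Return the maximum permitted validity, in days, for a certificate issued at not_before."""
    for tier_start, days in LIFETIME_TIERS:
        if not_before >= tier_start:
            return days
    return DEFAULT_MAX_DAYS

def check_certificate(openssl_text, now):
    """Extract the validity window from openssl -text output and compare it to the schedule."""
    not_before = parse_openssl_time(re.search(r"Not Before:\s*(.+)", openssl_text).group(1))
    not_after = parse_openssl_time(re.search(r"Not After\s*:\s*(.+)", openssl_text).group(1))
    subject = re.search(r"^\s*Subject:\s*(.+)$", openssl_text, re.M).group(1)
    lifetime = math.ceil((not_after - not_before).total_seconds() / 86400)  # round up partial days
    allowed = max_lifetime_days(not_before)
    return {
        "subject": subject,
        "lifetime_days": lifetime,
        "max_allowed_days": allowed,
        "compliant": lifetime <= allowed,
        "days_remaining": (not_after - now).days,
    }

if __name__ == "__main__":
    print(check_certificate(SAMPLE_OPENSSL_TEXT, datetime.now(timezone.utc)))
```

Feeding the script the live output of the openssl pipeline above lets a scheduled job flag certificates that are both close to expiry and issued under a lifetime that the next tier will no longer permit.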

Cloud providers such as Oracle Cloud Infrastructure (OCI) include services such as Cloud Guard that cover detection for some certificates.

Most public certificate authorities expose APIs for automating certificate renewal, issuance and retrieval.

Automating the rotation of the old certificate out of, and the new one into, a given product is product specific.

Here are some great references and commentaries on these TLS certificate lifetime reductions:

1. DigiCert: TLS Certificate Lifetimes Will Officially Reduce to 47 days

2. DigiCert: How Short-Lived Certificates Improve Certificate Trust


I hope you find this information helpful.


Blessings!
