The Clock is Ticking: Why 47-Day SSL Certificates Make Automation Non-Negotiable

Written by Calvin Long

If you manage websites or online services, you know the familiar padlock icon and the "HTTPS" in the address bar are crucial signs of trust and security. These are powered by TLS/SSL certificates, which encrypt data and verify server identity. Historically, managing these certificates, while essential, often involved a manual renewal process once a year. However, the ground is shifting rapidly.

The CA/Browser (CA/B) Forum, the industry body governing these certificates, has recently voted on a significant change: drastically reducing the maximum lifespan of public TLS/SSL certificates. This isn't a distant possibility; it's a phased plan culminating in a maximum validity of just 47 days by 2029.

This change signals a fundamental shift in how organisations must approach certificate management. Manual processes are quickly becoming unsustainable, making automation not just a convenience, but a necessity.

Why the Big Change? The Move Towards Shorter Lifespans

The push for shorter certificate lifespans isn't arbitrary. It's driven by several key security goals:

1. Reduced Risk Window: If a certificate's private key is compromised (stolen or leaked), a shorter lifespan limits the time an attacker can use it maliciously. With a 47-day validity, the window of opportunity for exploitation shrinks dramatically compared to the current ~398-day maximum.

2. Faster Security Adoption: Shorter cycles encourage quicker adoption of newer, stronger cryptographic algorithms and security practices across the web.

3. Improved Revocation: Certificate revocation (invalidating a certificate before its expiry) remains a challenging process in many environments. Shorter lifespans partially mitigate this issue, even if revocation fails, the certificate expires naturally much sooner.

4. Driving Automation: The industry recognises that robust security requires agility. Shorter lifespans effectively mandate the move away from error-prone manual processes towards automated systems.

5. Quantum Preparedness: Frequent, automated certificate rotation builds "crypto-agility" – the ability to quickly swap out cryptographic algorithms. This is crucial preparation for the eventual need to migrate to post-quantum cryptography standards as outlined in NIST SP 800-227 utilising algorithms outlined in FIPS 203, FIPS 204 and/or FIPS 205.

The Phased Rollout: A Timeline for Change

This isn't happening overnight, but the deadlines are approaching:

Simultaneously, the period for which Domain Control Validation (DCV) can be reused will also decrease, eventually down to just 10 days by 2029.

The Manual Management Nightmare: Why It Won't Work

Imagine renewing certificates manually every 1-3 months, or eventually, every month and a half. Now scale that across dozens, hundreds, or thousands of servers, domains, and subdomains.

• Increased Workload: IT and DevOps teams will be buried under a constant cycle of certificate requests, validations, installations, and verifications.

• Higher Risk of Outages: The more frequent the renewals, the higher the chance of human error – missing an expiry date, misconfiguring a server, using the wrong file. Expired certificates lead to service disruptions, browser warnings, loss of customer trust, and potential compliance failures.

• Scalability Issues: Manual processes simply don't scale for modern, dynamic infrastructure (cloud, containers, microservices).

• Lack of Visibility: Tracking certificates manually (often via spreadsheets) becomes impossible, leading to "rogue" or forgotten certificates expiring unexpectedly.

The Undeniable Benefits of Automation

Automating your certificate management brings significant advantages, especially in light of the upcoming changes. We’ve completed a number of these deployments for clients (some with many thousands of certificates to be managed) and have seen the following as the main benefits realised:

1. Prevent Outages: Eliminate costly downtime and trust erosion caused by expired certificates.

2. Save Time & Reduce Costs: Free up valuable IT/DevOps resources from repetitive manual tasks to focus on strategic initiatives.

3. Enhance Security: Ensure timely renewals and facilitate faster adoption of security best practices. Reduce the risk associated with compromised keys.

4. Improve Scalability: Effortlessly manage certificates across large and complex environments.

5. Ensure Compliance: Maintain continuous encryption and avoid penalties associated with expired certificates.

6. Increase Visibility: Gain a clear overview of your entire certificate inventory.

Get CLM Automation today!

In case you haven’t worked it out by now, we’re a fan of automation in this space. There are four main methods typically used in order to automate Certificate Lifecycle Management (CLM) in environments. 

ACME

A key enabler for free CLM automation is the Automated Certificate Management Environment (ACME) protocol. Popularised by Let's Encrypt (which already issues free 90-day certificates), ACME is an open standard allowing software (ACME clients) to automatically interact with CAs to obtain and renew certificates.

Popular ACME clients include:

1. Certbot: A widely used, versatile client developed by the EFF (Electronic Frontier foundation).

2. acme.sh: A lightweight shell script client with minimal dependencies that can be used on linux servers to fully automate certificate deployment on that server.

3. Cert-manager: An open-source certificate management tool for Kubernetes and Openshift

The down side to using some of these ACME clients is that if you have multiple servers which require the same certificate ACME clients can’t really be used as it’ll require additional automation and complexity to push the certificate to additional locations (unless you’re using cert manager with Kubernetes or Openshift). An example architecture of when to use the ACME client is:

This basic architecture is able to leverage ACME since the certificates for this architecture will sit on the Nginx proxy. Since the EC2 Webservers in this architecture (Other architecture it might be required) don’t require certificates we’re able to centralise the location of the certificate just to the Nginx proxy and run Certbot or acme.sh to automatically rotate the certificate for the proxy when it expires.

Migrate to Cloud

Many of the major cloud providers (AWS, GCP, Azure) offer services which automatically renew and manage certificates for free, requiring only a DNS record to be entered or an Email to verify who the domain is owned by. Depending on the deployment method and application it may be easier to migrate an application to cloud or if it is already on cloud leverage cloud services in order to automatically renew certificates for applications is easier than many of the other methods in this article. 

Cloud Services which will manage certificates include:

• ACM (AWS)

• Key Vault (Azure)

• Certificate Manager (GCP)

Leveraging these services is super easy, usually these certificates end up being deployed on the externally facing Loadbalancers. However, many of these cloud services don’t allow you to export these certificates after they’ve been generated, forcing you to integrate these certificates using their cloud services. An example architecture of when to use Cloud Services certificates can be seen below:

Custom Automation Script

Typically more complex certificate deployments into applications or some servers may require some level of custom scripts in order to hit a specific API or push a certificate into a particular file path. In these cases certificate automation patterns can be used in order to standardise the deployment of certificates for applications and servers. Leveraging CI/CD tooling or application automation tooling is the best option, since it can be easily integrated with most applications with a standardised template that can be leveraged for future integrations.

Popular CI/CD and Application Automation tools include:

• Github Actions

• GitLab

• Bamboo

• Jenkins

• Ansible (Playbooks)

Enterprise CLM management tool

For smaller organisations, managing certificates on a server by server basis may be ok, but for larger organisations a decentralized certificate management at the server level risks oversight and complicates monitoring certificate lifecycles, expirations, and renewals. While ACME automation can help, network constraints, firewalls, or policies may limit its use, requiring alternative methods and increasing complexity and error risk. In these cases, we use enterprise CLM management tools.

Popular CLM enterprise tools include:

• Keyfactor Command

• Venafi

• AppViewX CERT+

• Sectigo Certificate Manager

• Hashicorp Vault

The problem with Enterprise CLM tooling is that it does cost a lot of extra money with the deployment of these tools being extremely complex and expensive. However, once working these CLM management tools provide visibility, automated rotation and alerting to all certificates which are managed by the tool. A typical architecture for Enterprise CLM tools can be seen below:

Which method is right for me?

There’s no perfect answer to this, and in our experiences in designing and deploying each type, it really comes down to a few main considerations:

1. The pure volume of certificates to be managed

2. The complexity of the clients and uses for the certificates: Not all applications are the same and requires careful evaluation!

3. The degree of in-house / external support capabilities available: Certificate management can be complex and has the potential to cause outages if not integrated correctly.

4. Investment available: No matter the use case volume or complexity of the certificate automation without extra investment requires you to think out of the box and leverage potentially existing tooling and processes internally to manage certificates. It may not be as pretty as a fancy new tool, but it'll do the job.

Don't Wait – Start Automating Now!

The CA/Browser Forum's decision is a clear signal: the era of manual certificate management is ending. The transition to 47-day certificates by 2029 requires proactive adoption of automation.

If you haven't already, now is the time to:

1. Assess your current inventory: Understand how many certificates you have, where they are, and how they're managed.

2. Explore and pick an automation tool: Investigate ACME clients like Certbot or consider integrated solutions offered by your cloud provider or dedicated CLM platforms, especially for complex environments.

3. Implement and Test: Start deploying automation in a controlled manner across your platform / environment.

4. Monitor: Ensure your automation systems are working correctly and providing alerts for any issues.

Waiting until the deadlines loom closer invites unnecessary risk and stress. By embracing certificate automation today, you can ensure seamless security, maintain user trust, and stay ahead of the curve in an evolving digital landscape. The clock is ticking!