
Navigating change: An update on 90-day Certificates


If you missed the news, Google have signalled their intent to drive through the reduction of certificate lifecycles from 398 days to 90 days as the new standard. This update was provided as part of their ‘Moving Forward, Together’ plan, in March 2023.

The anticipation of diminishing certificate lifespans has been a long-standing prediction. And indeed, it seems it’s no longer a case of ‘if’, but ‘when’.  

In September, the Jisc Certificates team conducted a comprehensive survey throughout our customer base, to better understand your thoughts, concerns, and requirements from Jisc to help manage this type of change.  

In this blog post, you can find:  

  • An update on the 90-day proposal 
  • Headlines from the survey  
  • Insights into what we’ll be doing in response 

Sound good? Read on to find out more!

What’s happening with the proposal then?  

Although Google have not yet confirmed a timeline, Certificate Authorities such as Sectigo, GlobalSign and Digicert have been advising people to prepare for it to be accepted, and to get ahead of the change.  

While it was initially indicated that this policy could be implemented as soon as October 2024, Google have now said it’s bottom of their priority list, as of the latest CA/B Forum meeting in October 2023.  

However, according to Digicert, ‘the message from Google and other root programs [remains] clear: Manual certificate management and replacement are no longer acceptable.’ 

We have asked Google for further comment on their expected timeline.  

So, what next?  

As we’ve said, this is no longer a case of ‘if’ but ‘when’. Although a move to a 90-day lifespan will no doubt present short-term frustrations for IT leaders, this policy change will ultimately benefit internet trust, operational efficiency, and employee and end-user experiences.

The decision to shorten certificate durations stems from the imperative to heighten cybersecurity measures, making it more challenging for cybercriminals to compromise or misuse certificates—an increasingly lucrative threat vector in recent years. Sectigo, as well as other CAs and cyber security experts, are now emphasising that the longer the interval between re-verification of the information in a certificate, the less reliable that validation becomes. This shift in approach marks a significant stride in fortifying online security and reflects the industry’s collective commitment to staying ahead of evolving cyber threats.

Embracing automation and shorter certificate lifecycles aligns with Jisc’s commitment to staying at the forefront of technological advancements and bolstering cybersecurity measures for a more resilient digital landscape. 

To mitigate the risk of disruption when the 90-day policy is finally implemented, and to get ahead of the curve, we are therefore recommending that all members and customers start to explore automation as a form of certificate management in their organisations. This will ensure you are fully prepared for the next evolution in cyber security best practices, as and when it does come into play.

What do other members and customers think?  

If you’re worried about this proposal and what it means for your organisation, you’re not alone.  

In August 2023, Jisc conducted a survey among its members and customers to gather feedback on the proposed change and drive to automation, and the kind of support you want from us to help navigate through it. Continue reading to delve into some of the key insights that emerged from the survey results: 

Who did the survey go to?  

  • The survey was distributed to the most recent two Registration Authority Officers (RAOs) added to our certificate service   
  • The survey garnered almost 300 completed responses, with a total response rate of 23% (including partially completed surveys)  

What were the results?  

  • Trouble ahead: Over 95% of respondents were fairly or very worried about managing this type of policy change, with more than 55% saying it would be very difficult to manage.
  • Automation is not widely adopted: Less than 10% of respondents indicated that they’ve already started incorporating automation into their processes. This means 9 in 10 of you are in the same boat. We are entering uncharted waters together!
  • Capacity for change: In terms of internal change management capabilities, just over a quarter of respondents expressed confidence in managing the impending changes internally, while a significant 72.5% acknowledged the need for external assistance.  
  • Training & Guidance: Most respondents expressed a desire for guidance (77%) and training (63%), due to the lack of skills and knowledge within their organisation. To support this, we’re working on developing a dedicated automation training & guidance hub, which we plan to launch in early 2024. The hub will initially focus on protocols and tools such as ACME and Ansible; however, we will continue to update this based on your feedback and support requirements.
  • Managed Services: Additionally, 35% of respondents displayed interest in a managed service approach, highlighting the diverse needs and considerations within our community. Jisc are exploring procurement options and aim to provide updates no later than April/May 2024.
  • Improving functionality with Sectigo: Some members have also requested better access to features and functionality available from Sectigo, that are not yet part of the Jisc x Sectigo Certificate service. Jisc are exploring procurement options with Sectigo and aim to provide updates no later than April/May 2024.   

The verbal feedback trends gleaned from our survey responses also shed light on several common themes:  

  • There is a significant lack of automation skills & knowledge across responding organisations, particularly in the context of concerns about automating specific systems, including webservers/on-prem servers, VPNs, firewalls/load balancers, legacy systems, VMware, third-party apps and vendors, and hardware.
  • Many respondents felt they didn’t have the available resources in place to deliver automation.
  • Prevalent poor practices were also a prominent theme, such as widespread use of wildcard certificates.

These insights underscore the nuanced challenges and aspirations within our community, guiding our efforts to address and support a diverse range of automation needs. We will be focused on delivering enhanced guidance, training, functionality and support services throughout 2024, to help address these needs.   

And that’s all for now. As always, we hope that this has been a helpful update.  

If you’d like to read our answers to your FAQs about the 90-day change, check out our latest blog! 

Please keep an eye out for further updates from Jisc, Google and the CA/B Forum regarding the implementation timeline and enforcement dates. It’s crucial to note that these policies are not set in stone, and there is currently no formal ballot at the CA/B Forum for voting on them.  

We’ll be back in touch in the new year with the launch of our automation guidance, so look forward to seeing you in 2024! If you have any feedback or questions in the meantime, please contact the service desk via certificates@jisc.ac.uk   
