
Your Update on the 90-Day change


You may have heard that Google has announced their intention to implement a new standard, reducing certificate lifecycles from 398 days to 90 days. 

You also may have heard that this change was being implemented in 2024.  

The exact timeline for this change remains uncertain. However, Certificate Authorities such as Sectigo, GlobalSign and DigiCert strongly advise preparing for its adoption and staying ahead of the curve. Jisc supports the notion of getting ahead, and urges you, our members, to spend time automating…now.

We’ve received a surge of inquiries over the past few months, so here are the answers to some of your most frequently asked questions. 

From our survey in May, we asked ‘Other than the additional integration features mentioned in this survey, what, if anything, is the single most important thing that Jisc could do to help you navigate your way through the 90-day change?’  

1. ‘I would value guides to help us automate our certificate estate’  

You want guidance and we hear you. It is important to remember that everyone has a different tech stack so bear with us – here is what we have so far: 

2. ‘Regular, timely, notifications of cert expiration’  

You can set up as many notifications as you require on your certificates today already: 

  1. Sign in: Log into your account on the Sectigo Management Portal. 
  2. Navigate to Settings: Once you're logged in, find the settings section. 
  3. Access Notifications: Under the settings menu, find and select the Notifications option. 
  4. Name Your Notification: Give your notification a meaningful name that helps you to identify it easily.  
  5. Select Notification Type: Choose the type of notification you want to set up (e.g. certificate expiration alerts). 
  6. Choose Recipients: Specify who should receive these notifications by selecting the recipients. 
  7. Press Save. 

By following these steps, you’ll ensure that you receive regular, timely alerts about your certificate expirations, allowing you to manage your certificates with ease.  

3. Will DCV be reduced down to 90 days? 

In Sectigo’s webinar from March 2023, they stated that domain control validation (DCV) would be reduced down to 90 days to match the duration of a certificate lifecycle. Since then, we have contacted Sectigo and they have confirmed that the duration of DCV is yet to be decided. We will keep you posted! 

4. What automation tools are on offer?  

For an overview of the types of tools we currently offer, please see the below link to our newly launched automation guidance hub 

We plan to update the hub with additional information soon, aiming to address the specific needs of our members over time.  

5. ‘Find a way around the 90-day change’ 

We understand the inconvenience of the upcoming reduction in certificate lifetimes. To begin to address this change, we suggest you consider a phased implementation of automation into your systems. Survey your existing estate and break down the areas that require automation into smaller, manageable phases; then implement automation across your systems as certificates come up for renewal. This reduces the need to try to automate all your systems in one sweeping go. Additionally, we should use the time we have now to test the changes while there are no major consequences. By considering these approaches, we can find effective ways to manage the impact of the 90-day change.  

6. Where should we go for support!?

If you require support while using the Jisc Certificate Service, you can reach our service desk by emailing certificates@jisc.ac.uk, 9-5 Monday to Friday; alternatively, you can phone 01235 822185. 

We would recommend not contacting Sectigo directly. If needed, we will log a ticket with Sectigo to raise your query and our service desk team will liaise with you in due course.

Take a look at our certificate service documentation resources and our security certificate automation toolkit for further support. 

7. What is the technical need to reduce the certificate lifecycle? 

From Google’s side, they have stressed the significance of crypto agility, i.e. the ability to respond to a change or threat in an agile and timely manner. Long-lived cryptographic algorithms are becoming atypical going forwards; thus, to achieve crypto agility, certificate agility is of the highest importance. We need to begin to foster environments where our cryptography can change rapidly, if needed. 

8. Can Automated Certificate Management Environment (ACME) update a certificate for nginx and any IIS/Apache web server hosted behind it? 

Certbot can optionally manage Apache and nginx; other implementations are also available. But it only configures one of them for a given run, and, your next comment about long-lived certificates notwithstanding, you will need a post-hook or similar to put the certificate chain and key in more than one place. 
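As an added illustration of the post-hook approach (example code written for this post, not certbot's or Jisc's own), the script below is shaped as a certbot `--deploy-hook`: certbot sets `RENEWED_LINEAGE` to the directory holding the renewed `fullchain.pem` and `privkey.pem`, and the hook fans those files out to every place that needs them, checking first that the key really belongs to the certificate. The destination paths, hostnames and reload commands are assumptions to adapt to your own stack.

```shell
#!/bin/sh
# Assumed certbot deploy hook (example, not certbot's or Jisc's code).
# certbot runs it after a successful renewal with RENEWED_LINEAGE set to
# the lineage directory (fullchain.pem, privkey.pem) and RENEWED_DOMAINS
# set to the names on the certificate. Paths and commands are assumptions.
set -eu
umask 077   # anything we create starts private; the chain is opened up below

# Copy chain and key from the lineage directory into one destination.
# Writes to temporary names and renames, so a reader never sees a
# half-written file; the private key is never world-readable.
install_cert() {
  src="$1"; dest="$2"
  [ -f "$src/fullchain.pem" ] && [ -f "$src/privkey.pem" ] || return 1
  mkdir -p "$dest"
  cp "$src/fullchain.pem" "$dest/fullchain.pem.tmp"
  cp "$src/privkey.pem" "$dest/privkey.pem.tmp"
  chmod 0644 "$dest/fullchain.pem.tmp"
  chmod 0600 "$dest/privkey.pem.tmp"
  mv "$dest/fullchain.pem.tmp" "$dest/fullchain.pem"
  mv "$dest/privkey.pem.tmp" "$dest/privkey.pem"
}

# Refuse to deploy a lineage whose key does not match its certificate:
# compare the SubjectPublicKeyInfo extracted from each (needs openssl).
key_matches_cert() {
  c=$(openssl x509 -in "$1/fullchain.pem" -noout -pubkey)
  k=$(openssl pkey -in "$1/privkey.pem" -pubout)
  [ "$c" = "$k" ]
}

# Fan the renewed material out to every destination given as an argument
# (local nginx, a mounted directory for the backend Apache/IIS host, ...).
deploy_all() {
  src="$1"; shift
  for dest in "$@"; do
    install_cert "$src" "$dest" || return 1
  done
}

# Only act when invoked by certbot; sourcing the file for tests does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  key_matches_cert "$RENEWED_LINEAGE"
  deploy_all "$RENEWED_LINEAGE" /etc/nginx/tls /srv/backend-apache/tls  # assumed
  systemctl reload nginx                # assumed reload commands for each
  ssh backend-apache apachectl graceful # consumer of the new certificate
fi
```

Register it once with `certbot renew --deploy-hook /path/to/this-script.sh` (or via the lineage's renewal config) and every later renewal is propagated the same way.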

9. We’re interested in (and currently investigating) integration with the NSX AVI LB load balancer. We previously used Citrix Netscaler. The other ‘non-web’ cert automation might be a challenge too, e.g. mail relays, LDAP servers etc.

Yes, ideally NSX would support ACME natively for this, but some other automation (as you’ve said) that could do the ACME work and then “put” the certificate etc. into NSX would work too. It wouldn’t need to be Ansible. 

10. Would it be acceptable to give the 3rd party ACME credentials in order to renew certificates? 

Yes, if and only if you scope the credential to specific DNS names, in the same way that you would give them a private key/certificate for a specific name and not a wildcard for *.example.ac.uk. If you change provider, you should also cycle the ACME credentials and ensure the provider is contractually bound to use them appropriately. 

We hope this has been a helpful read; make sure to keep an eye out for further updates and future blogs.  

If you have any feedback or questions in the meantime, please contact the service desk via certificates@jisc.ac.uk    

By Emily Brown

Emily Brown is the Certificates Service Owner at Jisc.
