90 day certificates already exist and have done for years. The most well known is probably letsencrypt.org – apparently they have existed for 10 years. Time flies.

Forcing it though? That is going to be a bit of a bother to be honest. Hopefully this post will answer some of your questions or maybe my own.

Why?

I think an analogy is required here: when you first moved into the house that you currently live in, did you change the locks? If the answer is “no” then ask yourself who else has a copy of a key to get into your house – the answer will be “no idea”. That means that you do not know who can get into your house – previous owners/tenants/landlords/estate agents/etc.

If you answered “yes” then ask yourself whether all the keys that can get into the house have been accounted for at all times. The answer might be yes but again it will probably be “no idea”. Have you taken your car in for a service and left the house keys on the key ring? Other ways your keys might be outside of your control are available.

Perhaps then it would be prudent to change the locks on your house, say, annually?

New keys and lock

For me the first step was realising just how many external doors there are in my house (and don’t forget sheds!). I have four external doors (at some point a garage got converted, so right now I am sitting where my car would have been) and two sheds. A quick glance at everyone’s favourite shopping site suggests that if I am reasonably concerned about having reasonably secure locks then I am looking at £30+ for each lock and as much again for padlocks for the sheds. That works out at £180. Assuming I fit them myself, a couple of hours’ work on top. Probably quite a bit of swearing too. Oh, and don’t forget the spare keys that you’ll have to give to your kids, etc.

Blimey.

However, if I do this annually then I am reasonably confident that I know where the keys have been for the house. That might be worth it.

If I want to keep up with Google though I am going to have to do this four times per year. That will cost me nearly £800 and take a long working day changing locks. Don’t forget that you have to have your door open to change the lock – a couple of the changes will be fine but a couple will be a bit cold. At least if you are doing this annually then you can choose a nice time of the year.

That sounds expensive and time consuming. I don’t think that is worth it, but what if my home insurance company insisted on it?

Certificates

Swap “lock” for “certificate” and the answer to the question “Why?” is the same: it is to ensure that you can be confident that the certificate you see in your browser hasn’t been hijacked by a malicious party.

How are the prices/time translated to certificates? Prices vary greatly but you could be looking at £50 per certificate (so not too different from my reasonably secure locks). The time to request and install a certificate is probably quite similar too. Perhaps 30 minutes (again, suspiciously similar to the amount of time it will take me to change a lock).

If this happens four times more often then there’s a problem.

Time

Installing a certificate can be a bit of a manual process – if you only have one or two certificates to worry about this is fine. The steps (basically):

  1. Create a certificate signing request
  2. Download the certificate that has been generated
  3. Import the certificate into the server
  4. Bind that certificate to the website

That might take 30 minutes if you only have one certificate to worry about.

If you have 10s or 100s to do then this becomes difficult to manage and is more than likely to go a bit wrong. It’s all a bit repetitive and putting your credit card details in 100s of times is going to trigger some sort of block.

This probably means that if you have even a small number of certificates to worry about, someone in your organisation is going to spend a day, at least, every time these things need renewing.

What happens when Google say “We are now requiring certificates to only be valid for 30 days”?

Or a week.

Or a day.

Or an hour.

What can we do? There is a simple answer.

Automate

Automation is the key to this succeeding. Not just for us, but for Google too. If this becomes something that can’t be done then it cannot work.

If I can automate generating the certificate signing request, uploading that, downloading the generated certificate, installing it into the server and binding it then I don’t care how short the valid lifetime is.


Luckily there is a standard that helps us with this – it is called ACME (yes, I have an image of Wile E. Coyote in my head too) – this stands for Automatic Certificate Management Environment. Sounds like just what we need – if you are having trouble sleeping you can read all about RFC 8555.

Also, luckily, this has been around for a while. It should be possible to automate our certificate renewals.

There are plenty of mature tools that will help to automate this. We’ll be looking at them carefully and coming up with our preference. I think a lot of it will depend on which certificate provider you use.

However…

Some devices may not be able to do this.


Older printers, photocopiers and scanners are a perfect example of this – your device is unlikely to be accessible outside of your network so you think you do not need to worry about this… but your users will still be running browsers that need to trust the certificate, and if Google has its way then it won’t work. Or at least it will come up with a scary warning.

It is going to be a bit tricky. This is fine if you only have one photocopier to worry about, but what if you are an organisation that has hundreds of them? Hopefully, those manufacturers can help, but if it is an older device then will they fix it or expect you to purchase a new one?

Will this actually happen?

Yes.

Google have a fair amount of weight behind them. If they start implementing this for their own browser, Chrome, then it will more than likely be implemented in Chromium (which is what Edge, Brave, Chrome and many others are based on).

Other browsers don’t have to start doing this as it won’t affect whether they think a certificate is still valid. I would, however, expect Firefox, Opera, Safari, etc. to follow Google and require it.

When will this happen?

Any certificates issued right now, July 2023, could have the current 398 days of validity. This will mean that they will be valid until August 2024 so that’s about as early as it can start to become a requirement.

That is what we call a deadline. Start sorting this out now, there is no penalty for doing this now rather than panicking during August 2024.

Conclusion

This IS going to happen. Start now. You have 398 days.


Plan:

  1. Discovery: work out what you have
  2. Automate: get certificates automatically renewed every 90 days (or more often)
  3. Repeat: until all your certificates are automatically renewed.
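An added example for the discovery step (my code, not the post’s): a small Python triage tool that takes the `subject`/`notBefore`/`notAfter` lines that `openssl x509 -noout -subject -dates` prints for each certificate you find, and reports which ones are already due for renewal and which have an issued lifetime that would not survive a 90-day cap. The hostnames and dates are constructed, and the renew-when-a-third-of-the-lifetime-remains rule is an assumption generalised from certbot’s default of renewing a 90-day certificate 30 days before it expires.

```python
from datetime import datetime, timezone

MAX_LIFETIME_DAYS = 90  # the ceiling this post expects to become mandatory

# Constructed sample: what `openssl x509 -noout -subject -dates` printed for
# three certificates found during discovery (hostnames are made up).
SAMPLE_SCAN = """subject=CN = www.example.test
notBefore=Jul  3 09:14:05 2023 GMT
notAfter=Aug  4 09:14:05 2024 GMT
subject=CN = intranet.example.test
notBefore=May  1 00:00:00 2023 GMT
notAfter=Jul 30 00:00:00 2023 GMT
subject=CN = copier-2f.example.test
notBefore=Jan  1 00:00:00 2015 GMT
notAfter=Jan  1 00:00:00 2035 GMT
"""

def parse_openssl_time(value):
    # openssl pads the day ("Jul  3"); collapse the spaces and drop the zone.
    text = " ".join(value.replace("GMT", "").split())
    return datetime.strptime(text, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)

def parse_scan(text):
    certs, current = [], {}
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key == "subject":
            current = {"subject": value.strip()}
            certs.append(current)
        elif key in ("notBefore", "notAfter"):
            current[key] = parse_openssl_time(value)
    return certs

def triage(certs, now):
    # Renew once a third of the lifetime is left (certbot's 30-days-before-expiry
    # default for a 90-day certificate, generalised); flag lifetimes over the cap.
    rows = []
    for c in certs:
        lifetime = (c["notAfter"] - c["notBefore"]).days
        days_left = (c["notAfter"] - now).days
        if days_left < 0:
            status = "EXPIRED"
        elif days_left <= lifetime / 3:
            status = "RENEW NOW"
        elif lifetime > MAX_LIFETIME_DAYS:
            status = "TOO LONG for a %d-day cap" % MAX_LIFETIME_DAYS
        else:
            status = "ok"
        rows.append((c["subject"], lifetime, days_left, status))
    return rows
```

Run `triage(parse_scan(SAMPLE_SCAN), datetime.now(timezone.utc))` over a real scan and the rows flagged TOO LONG are the ones to put at the front of the automation queue, since they will stop being accepted before they expire.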

Yes, I answered my own questions. We have got to do this, there are standards, there are tools that help. And we have 398 days to get this sorted.
