To an era where the validity period of server certificates is shortened to "47 days"

はるるるr

SSL/TLS certificates underpin the security of websites.
Until now, the maximum validity period has been 398 days (about 13 months), but in recent years Google has been proposing to shorten it to 47 days.

At first glance you may think, "Why so short?" or "Won't renewal become a burden?" Yet some say this shift is becoming an inevitable trend for the industry as a whole.

This article explains the background to the shortening of the validity period to 47 days, the changes it brings, and the measures companies should take now.

Why does the validity period of an SSL certificate keep getting shorter?

The maximum validity period of SSL certificates has been shortened step by step:
3 years → 2 years → 398 days → (next) 47 days

There are three reasons behind this:

1. Increasing sophistication of cyberattacks and the shift to "short-lived certificates"

Cyberattacks evolve over the years, and the risk of certificate theft and abuse is increasing.

Certificates with a longer validity period carry greater security risk:

  • If stolen, they can be misused for a long time
  • They can be used in man-in-the-middle attacks
  • Because they are replaced so rarely, improvements in cryptography reach them late

A short-lived 47-day certificate, on the other hand, fits modern security thinking:

  • Even if it is stolen, the window for exploitation is extremely short
  • It is replaced regularly, so it keeps up with the latest cryptographic technology

2. Google and browser vendors strongly support shortening

SSL rules are discussed in the CA/Browser Forum, but in practice the decisions of browser vendors such as Chrome and Safari are what is actually enforced.

Just as Google and Apple introduced the "398-day rule" in 2020, the Google-led 47-day plan (TSP: Short-lived Certificates) is creating a de facto standard.

In the future, 398-day certificates may be deprecated and eventually revoked.

3. Because "automation" of certificate renewal has become a global standard

Let's Encrypt has become widespread, and automatic certificate renewal via ACME is now commonplace.
Instead of "the person in charge renews once a year", infrastructure built on the premise of automatic renewal is now in place.

As a result, the ideas that "there is less need for a long validity period" and "shorter is actually safer" have become the industry standard.

What happens when it comes to 47 days?

When the validity period reaches 47 days, there will be various operational implications.

1. Manual renewal becomes completely impossible

Even today, renewing manually every 398 days is a burden; at 47 days,

  • Renewal is needed 7-8 times a year
  • If you operate multiple domains, it becomes renewal hell
  • The risk of site downtime from a forgotten renewal skyrockets

It cannot be run 100% by manpower.

In other words, automatic certificate renewal becomes a prerequisite.

2. Older servers may not be able to renew

On non-ACME servers and older operating systems, problems such as these will occur:

  • Automatic renewal does not work
  • The communication protocol is outdated and the API cannot be integrated
  • Manual renewal is mandatory → 47-day renewal is not practical

Particular caution is required for CentOS 7, older on-premises environments, and proprietary CMSs.

3. It's impossible to operate without certificate management tools

For companies with multiple sites and multiple certificates, a management ledger or an Excel spreadsheet cannot keep up with 47-day renewal.

Implementing a certificate management system (e.g., DigiCert, Sectigo, Let's Encrypt management console) can be a viable option.

Summary of measures that companies should take now

It has not been officially confirmed when the 47-day rule will be enforced, but given Google's direction, its introduction is only a matter of time.

Therefore, it is important to consider the following measures now.

1. Fully automate SSL renewal (ACME compliant)

What companies should do first is

  • Implement Let's Encrypt
  • Move to ACME-enabled paid certificates
  • Use the automatic renewal function of the rental server

In short, the goal is an operation in which no person performs the renewal.

2. Review the server environment

Servers that cannot use automatic renewal will definitely become a risk in the future.

  • Legacy environments such as CentOS 7 / PHP 5.x
  • Dedicated servers with manual certificate renewal
  • Large sites managing many subdomains

These will break down operationally once the 47-day rule is introduced.

3. Centralized SSL Management and Enhanced Monitoring

Even with ACME, if a renewal fails the certificate can still expire.

  • Monitor that automatic renewal is actually running
  • Implement tools that visualize expiration dates
  • Set up notifications in Google Calendar and monitoring tools

It is dangerous to assume "it is safe because it renews automatically"; you must always be able to see whether each renewal succeeded.
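As an added example (not part of the original article), the following Python script shows one way to make a stalled renewal visible: it reads the notAfter lines that `openssl x509 -noout -enddate` prints for each host and flags certificates whose remaining lifetime indicates the ACME job did not fire. The inventory, the fixed clock, and the thresholds (renewal expected at one third of the 47-day lifetime remaining, critical at one sixth) are assumptions for illustration.

```python
"""Expiry monitor for short-lived (47-day) certificates. Added example."""
from datetime import datetime, timezone

LIFETIME_DAYS = 47  # assumed certificate lifetime under the 47-day rule

# Constructed inventory: hostname paired with the line exactly as
# `openssl x509 -noout -enddate` prints it (single-digit days are padded).
INVENTORY = [
    ("www.example.com",    "notAfter=Jun 25 09:00:00 2025 GMT"),
    ("api.example.com",    "notAfter=Jun 13 09:00:00 2025 GMT"),
    ("shop.example.com",   "notAfter=Jun  5 09:00:00 2025 GMT"),
    ("legacy.example.com", "notAfter=May 20 09:00:00 2025 GMT"),
]

# Fixed clock so the report is reproducible; a real run would use utcnow().
NOW = datetime(2025, 6, 1, 9, 0, tzinfo=timezone.utc)


def parse_not_after(line):
    """Turn 'notAfter=Jun  5 09:00:00 2025 GMT' into an aware datetime."""
    value = line.split("=", 1)[1].strip()
    if value.endswith(" GMT"):
        value = value[:-4]  # openssl always prints GMT; treat it as UTC
    return datetime.strptime(value, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def classify(not_after, now=NOW, lifetime_days=LIFETIME_DAYS):
    """Return (status, days_remaining) for one certificate.

    An ACME client is expected to renew once a third of the lifetime is
    left, so remaining time below that means renewal is due; below a
    sixth it has clearly not happened and someone must intervene.
    """
    remaining = (not_after - now).total_seconds() / 86400
    renew_point = lifetime_days / 3   # ~15.7 days for a 47-day certificate
    critical_point = lifetime_days / 6  # ~7.8 days
    if remaining <= 0:
        return "EXPIRED", remaining
    if remaining < critical_point:
        return "CRITICAL", remaining   # automation has failed; act now
    if remaining < renew_point:
        return "WARN", remaining       # renewal due; verify the ACME job ran
    return "OK", remaining


def report(inventory=INVENTORY, now=NOW):
    """Map each hostname to its status so a monitor can alert on it."""
    return {host: classify(parse_not_after(line), now) for host, line in inventory}


if __name__ == "__main__":
    for host, (status, days) in report().items():
        print(f"{status:9} {days:6.1f} days  {host}")
```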

4. Check the hosting company's response policy

The 47-day rule has a significant impact on the hosting industry.

  • Xserver
  • ConoHa VPS
  • Sakura Internet
  • AWS, GCP, Azure

These providers are expected to expand ACME automation over time, but when each one responds will vary from company to company.

It is important to check the "47-day rule response policy" now.

Summary: The 47-day rule is not "far in the future", but "right there"

The 47-day SSL certificate proposal is part of Google's security improvement measures and is very likely to become an industry standard.

Those most affected by this change are companies that renew certificates manually and companies that continue to use old servers.

The following four measures will be required in the future:

  1. Move to operations built on the assumption of automated SSL renewal
  2. Migrate to ACME-enabled servers
  3. Centralize certificate management and strengthen monitoring
  4. Check your hosting company's policy

The 47-day rule is a turning point that will greatly change the common sense of site operation.
By establishing a system now, you can not only continue to operate a secure and stable web, but also prevent problems before they occur.
