2023年7月12日

更短的壽命,更廣泛的風險缺口:準備轉移到90天的TLS證書更短的壽命,更廣泛的風險缺口:準備轉移到90天的TLS證書又來了。3月3日,穀歌宣布了一項提案,減少公共TLS證書壽命從當前的398天90天。這就像似曾相識,安全團隊,他們見證了一個越來越短的壽命在過去的幾年中。減少數字證書意味著企業的壽命真的需要水平證書管理遊戲。這意味著確保最佳的能見度迅速抓住證書到期之前成為問題和導致代價高昂的停機,停機時間。短生命周期要求更頻繁的證書管理企業在大規模發行證書,而且根據破壞的年度國家機器的身份報告,組織內的平均體積證書是256000。但更多的證書可能會導致更多的問題,如果一個公司不能管理他們。近三分之二(62%)的受訪者表示,他們不知道他們有多少證書。沒有眼光,他們不能很容易地確定誰擁有這些證書,發表了他們,或者應用程序或服務器上安裝。問題隻會加劇證書壽命較短,因為72%的人說越來越多的使用密鑰和證書將增加了他們的團隊的壓力。 It’s not certificates that are the problem. It’s just human nature. People are forgetful and can only focus their attention on so many things. That’s important to remember in the context of the lifespan of certificates decreasing and the workload to renew certificates increasing by 4-5 times. Security gain versus operational pain Google’s “Moving Forward, Together” project includes several proposed changes, and the most impactful may be the 90-day maximum certificate validity period. The intent of this change is to improve security by having the certificate available for a shorter period of time. It’s a similar concept to frequently changing your password. But there has been some debate around whether the security gain is worth the operational pain. That’s why there is a push to alleviate the operational burden by automating certificate-related tasks, like enrollment, renewal, and provisioning. While ACME can help organizations begin to embrace automation, it isn’t a catch-all solution. IT and security teams need a multi-faceted approach to automation, including the use of industry-standard enrollment protocols like ACME, SCEP, and EST, as well as certificate lifecycle automation tools, to ensure that they’re well-equipped to handle the breadth of use cases across their business. They also need to ensure that not only renewal is automated but the provisioning and installation of certificates too. That’s where we often see problems arise. An application owner will renew a certificate, but forget to install it, install it incorrectly, or simply waste hours of their time that could otherwise be spent on their priorities. Automating the end-to-end lifecycle of a certificate helps reduce these human errors and cut down, or even completely eliminate, time spent on repetitive, tedious tasks like this. Stop panicking and start preparing There is uncertainty around when – and if – the shift to 90-day certificates will happen. The change requires a vote which could take six to 12 months, followed by a transition window. Plus, the change is already facing pushback from EU antitrust laws. The only constant is change when it comes to security, and it’s just a matter of how and when that change will play out. Preparing for a change like this doesn’t happen overnight, and it takes time and careful planning. So, what steps can enterprises take to ensure preparedness? It’s the exact same actions you should already be doing for your 398-day certificates and includes: Visibility: Develop an understanding of where all the certificates live across your network. Accountability: Define certificate ownership and delegate responsibility for the lifecycle of the certificate. Policy and process: Simplify certificate requests and approvals with self-service enrollment. Automation: Automate the entire lifecycle with alerts, renewals, and provisioning. Remember, automation is more than just getting the certificate to the asset. It’s configuring the asset to use the certificate and then reporting back that the certificate has been updated and is now being used by the device. Then, if something has not gone according to plan, you’ll have time to be able to react and take remediation actions. To learn more about the impact of Google’s “Moving Forward, Together” project and how Keyfactor can help you prepare for shortened certificate lifespans, watch the on-demand webinar The Shift to 90-Day TLS Certificates: How to Prepare Industry Reports