Connect with us

Hi, what are you looking for?


Identity & Access

Machine Identity Firm Venafi Readies for the 90-day Certificate Lifecycle

Venafi introduced a 90-Day TLS Readiness solution to help enterprises prepare for Google’s proposed 90-day limit for the lifecycle of a digital certificate.

If and when Google’s proposed 90-day limit for the lifecycle of a digital certificate comes into effect, enterprises must be ready for it. Venafi has launched its own solution.

In March 2023, Google announced an intention to shorten digital certificate lifespans to 90 days. Since then, it has neither confirmed nor denied, nor provided a timescale for this proposal. However, such a move makes sense in today’s environment; and most commentators believe it will happen.

Although the Certificate Authorities (CAs) govern certificates, the browsers control them. The CAs allow certificates to remain valid for a maximum of three years. However, in 2016/2017, Apple announced that Safari would only accept certificate validity for 398 days. The other major browsers followed suit, and 398 days is the current de facto certificate lifespan.

If Google now reduces that lifespan to 90 days for Chrome, the other major browser providers will almost certainly follow just as they followed Apple some eight years ago. This would have two effects. Firstly, it would improve cybersecurity. If data thieves manage to steal a certificate or break the encryption of a certificate, they will only have access to the data protected by that single certificate (which would be limited to a span of 90 days rather than 398 days). Secondly, when future quantum computer power breaks all current certificate encryption, the transition to quantum proof certificates will either have happened or will be faster and smoother with Venafi’s lifespan solution. The quantum-related growing concept of crypto agility will further smooth any future requirement for changes to certificate encryption.

The second effect would be a dramatic rise in the complexity of enterprise certificate management. This is already a problem caused primarily in the growth of required machine identities caused by cloud migration and factory floor automation. Every single certificate will need to be updated 4.42 times more frequently than it is today – which is already problematic.

The two effects of a 90-day lifecycle limit will be better security at the cost of greater enterprise effort. To solve the latter problem, Venafi has introduced a 90-Day TLS Readiness solution. Kevin Bocek, Venafi’s chief innovation officer, explains Venafi’s automated process. 

“Being 90-days ready means that you have ownership – preferably by a team, not just one human but a team – of all individual machine identities. In this case, that’s the certificates: you know where they live and where they’re being used. Then you have procedures by which you can rotate them [replace with new]; and you have escalation procedures in case anything goes wrong.”

Most importantly, he added, you have visibility. “You must have visibility into all changes so that you know that they have been successfully implemented.” If you have all this, he continued, you have the technology to change the strategy. “I can use the technology to bring everything closer and closer together. So, whether we need to change out to be quantum proof every 15 days or every 10 days, I can do that. And if I need to change out from a certificate issued by Provider A to a certificate issued by Provider B, I can do that too.”

Advertisement. Scroll to continue reading.

When this process is automated via a platform, becoming 90-day ready actually means becoming any-day ready. “Without automation, you’ll be hard pressed to establish an accurate certificate inventory, mitigate outage risks, enhance security posture, and ensure organizational agility to swiftly adapt to changing needs and future challenges like post-quantum cryptography,” writes Benson George, Venafi’s director of products marketing, in an associated blog.

“Google’s proposal in the CA/Browser Forum to reduce TLS certificate lifespans to 90 days is an important step toward increasing the web’s responsiveness to emerging threats and technological advances, including quantum computing,” explains Ryan Hurst, advisor to SandboxAQ, Binarly and Spirl – and former head of product at Google. “This significantly decreases the risks associated with key compromises by reducing the value of a key to the attacker. Moreover, embracing automation not only enhances security but also mitigates the risk of outages, allowing organizations to reduce operational toil and free resources to work on more impactful tasks while supporting a more agile and trustworthy Web PKI.” 

Venafi’s 90-Day TLS Readiness solution enhances its existing technology to provide full, demonstrable, and visible compliance with the coming 90-day mandate; all done automatically. 

Related: Heartbleed is 10 Years Old – Farewell Heartbleed, Hello QuantumBleed!

Related: Venafi Leverages Generative AI to Manage Machine Identities

Related: More Than Half of Security Pros Say Risks Higher in Cloud Than On Premise

Related: Venafi Becomes Unicorn After Investment From Thoma Bravo

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Digital executive protection services provider BlackCloak has appointed Ryan Black as CISO.

Joe Levy has been appointed Sophos' permanent CEO, and Jim Dildine has been named the company's CFO.

CISA executive assistant director for cybersecurity Eric Goldstein is leaving the agency after more than three years.

More People On The Move

Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

CISO Strategy

Okta is blaming the recent hack of its support system on an employee who logged into a personal Google account on a company-managed laptop.

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...


Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security...

Email Security

Many Fortune 500, FTSE 100 and ASX 100 companies have failed to properly implement the DMARC standard, exposing their customers and partners to phishing...


The private equity firm merges the newly acquired ForgeRock with Ping Identity, combining two of the biggest names in enterprise IAM market.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...