Google has made it clear that they want to shorten the validity of SSL/TLS certificates to 90 days. This is now more a question of “when” than “if”. Improvements in quantum computing mean that the day is not far off when certificate validity will need to be capped not just at 90 days but at much less.
Certificate validity periods have already been reduced several times in the history of the Internet, most recently in 2020 by Chrome and Safari, from 27 months to just 13 months (one year plus some wiggle room), in order to improve the security of the system.
Initially set at 5 years for Domain Validation and Business Validation certificates, SSL validity was first reduced to 4 years during the migration from the SHA-1 to the SHA-256 hash algorithm. Then, in 2015, it was capped at three years. In 2018, it was reduced to merely 27 months, and most recently, in 2020, came the above-mentioned shrinking to 398 days.
What’s it to you? Basically, the time to automate SSL/TLS certificates is now – as newer requirements to be listed in key browsers like Chrome, Edge and Safari make this no longer a want, but a need. To this end, the standard to follow is RFC 8555, better known as ACME (Automatic Certificate Management Environment) and popularized by Let’s Encrypt.
Lightspeed has been an early mover in SSL automation – embracing ACME as early as 2020 when the first reference implementation of RFC 8555 began appearing. Today, we use the ACME protocol exclusively for all Domain Validated (you need to prove ownership of the domain) certificates we manage. That includes not just HTTP validation for web properties, but also DNS validation for use in non-web or local LAN applications, and we do this regardless of which authoritative DNS host you choose: not just providers like ourselves who embrace Internet standards, but even “locked” DNS hosting like Cloudflare and AWS.
Existing customers almost certainly have been on-boarded to our SSL Everywhere program no later than 2021 – which covers all touch points for email, webmail and websites. New customers automatically onboard with SSL Everywhere turned on as we no longer support insecure protocols like HTTP, SMTP and IMAP, but rather only their secure counterparts like HTTPS, SMTPS and IMAPS.
Just for clarity, we support only TLS 1.2 or newer, and by default we sign with Elliptic Curve Cryptographic (ECC) Signatures, although in very special circumstances we can still do RSA using SHA-256 (but absolutely not SHA-1). For those of you who don’t understand what exactly that means – it means that we’ll make sure that your SSL certificates are the most secure possible using current encryption technology.
Want to find out more? As always, existing customers please talk to your account manager, and prospective customers – drop us a note via the contact form on this website. You

