Blog Post Oct 09, 2024

Why 90-Day certificates, PQC, and crypto agility are more interconnected than you think

The shift to 90-day certificates, Post-Quantum Cryptography (PQC), and crypto agility are interconnected strategies for enhancing cybersecurity. Shortened certificate lifespans improve agility and readiness for PQC, ensuring a seamless transition to future quantum-safe encryption. These trends reflect a proactive approach to building a resilient and adaptable digital security infrastructure.

It can often feel like new trends emerge as isolated solutions to isolated problems. The truth is, many of these developments are interconnected, part of a broader progression in securing our digital future. This Cybersecurity Awareness Month, I’d like to unpack three key topics that are often discussed in silos but are deeply connected: the trend toward shortening digital certificate lifespans, Post-Quantum Cryptography (PQC), and crypto agility. Though they might seem unrelated at first glance, these initiatives are part of a holistic strategy to stay ahead of evolving cyber threats.

The rise of 90-day certificates: a proactive defense

One of the most noticeable trends in the world of cybersecurity has been the move to shorten the lifespan of digital certificates. Not long ago, it was common for SSL/TLS certificates to last two or even three years. Today, the shift toward 90-day certificates is gaining momentum. But why?

The reasoning is simple: shorter certificate lifespans reduce the window of vulnerability to key exposure. Certificates are a cornerstone of internet security, enabling encrypted communications between servers and clients. But if compromised, they can be exploited for nefarious purposes, such as man-in-the-middle attacks or data breaches. By limiting certificate validity to just 90 days, we reduce the risk of prolonged misuse. Should a certificate be compromised, it won’t stay valid for long, limiting the potential damage.

At first glance, this might appear to be a move driven purely by operational concerns - tightening the reins to make cyberattacks harder to execute. But there’s a broader shift happening here, one that connects directly to PQC and crypto agility. To understand how, let’s take a step back and look at the bigger picture.

Post-Quantum Cryptography (PQC): the next frontier

While 90-day certificates address immediate security concerns, another looming threat has cybersecurity experts on high alert: quantum computing. In recent years, advancements in quantum computing have accelerated to the point where it’s no longer just a theoretical problem. One of the biggest concerns is that quantum computers, once fully realized, could break current encryption methods, such as RSA and ECC, which are widely used to secure everything from online transactions to sensitive communications.

This is where Post-Quantum Cryptography (PQC) comes into play. PQC refers to cryptographic algorithms designed to resist attacks from quantum computers. Researchers and standards organizations like NIST (National Institute of Standards and Technology) have standardized these algorithms before quantum computing reaches a point where it could threaten our current encryption infrastructure.

The connection between the trend toward 90-day certificates and PQC lies in the need for agility. Shorter certificate lifespans pave the way for faster, more frequent updates, ensuring that we’re more adaptable when it comes time to implement post-quantum algorithms. Once quantum-safe cryptography becomes a necessity, having systems in place that are already accustomed to regular certificate rotation will make the transition smoother.
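To put numbers on that turnover argument, here is an added example (not code from the original post) that estimates when each certificate in an inventory would move to a new algorithm through scheduled renewal alone. The inventory, the cutover date, the "PQC" label and the renew-at-two-thirds-of-lifetime policy are all assumptions made for illustration.

```python
from datetime import date, timedelta

QUANTUM_VULNERABLE = {"RSA", "ECC"}  # algorithms the post names as at risk

# Constructed inventory: (host, key algorithm, not_before, lifetime in days)
INVENTORY = [
    ("www.example.test",    "RSA", date(2024, 12, 31), 90),
    ("api.example.test",    "ECC", date(2024, 10, 15), 90),
    ("legacy.example.test", "RSA", date(2024, 12, 31), 398),
    ("pilot.example.test",  "PQC", date(2024, 12, 1),  90),  # placeholder label
]

def renew_after(lifetime_days):
    """Assumed policy: renew once two thirds of the lifetime has elapsed."""
    return timedelta(days=lifetime_days * 2 // 3)

def migration_dates(not_before, lifetime_days, cutover):
    """Return (switch, old_expiry) for one certificate.

    switch: first scheduled renewal on or after cutover, which is when the
    new algorithm is first deployed. old_expiry: the date the last
    certificate issued with the old algorithm stops being valid.
    """
    renewal = not_before + renew_after(lifetime_days)
    while renewal < cutover:  # renewals before cutover reuse the old algorithm
        not_before = renewal
        renewal = not_before + renew_after(lifetime_days)
    return renewal, not_before + timedelta(days=lifetime_days)

def fleet_plan(inventory, cutover):
    """Map each quantum-vulnerable host to its (switch, old_expiry) dates."""
    return {
        host: migration_dates(nb, life, cutover)
        for host, alg, nb, life in inventory
        if alg in QUANTUM_VULNERABLE
    }

def fleet_complete(plan):
    """Latest switch date and latest old-algorithm expiry across the fleet."""
    return (max(s for s, _ in plan.values()), max(e for _, e in plan.values()))

if __name__ == "__main__":
    cutover = date(2025, 1, 1)  # constructed: new-algorithm issuance is ready
    plan = fleet_plan(INVENTORY, cutover)
    for host, (switch, expiry) in sorted(plan.items()):
        print(f"{host}: switches {switch}, old certificate valid until {expiry}")
    print("fleet complete:", fleet_complete(plan))
```

With these constructed inputs the 90-day hosts are on the new algorithm by 2025-03-01, while the 398-day host does not reach its first post-cutover renewal until 2025-09-22 and its old certificate stays valid into 2026 unless it is replaced out of cycle.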

Crypto agility: the glue that holds it all together

This brings us to the final piece of the puzzle: crypto agility. Crypto agility is the ability to rapidly switch between cryptographic algorithms without causing major disruptions to systems or workflows. As quantum computing looms on the horizon, it’s clear that organizations need to prepare now for the eventual transition to PQC. But the reality is, PQC isn’t just a plug-and-play solution - it requires preparation, flexibility, and foresight.

By reducing certificate lifespans and fostering a culture of agility, we are preparing ourselves for the inevitable shift to quantum-resistant algorithms. Crypto agility ensures that when PQC becomes necessary, we can seamlessly update cryptographic protocols and certificate infrastructures without compromising security or causing widespread chaos. It’s not just about reacting to quantum threats; it’s about being ready for whatever comes next, whether that’s a new cryptographic vulnerability or an unexpected leap in cyberattacks.

The bigger picture: a holistic approach to cybersecurity

What’s often overlooked in the discussion of these topics is how they form a continuous narrative. Shortening certificate lifespans isn’t just about security hygiene; it’s about building a flexible, adaptive infrastructure that can respond to new threats. Post-Quantum Cryptography is part of the next chapter in this story - anticipating and preparing for the day when quantum computers are powerful enough to challenge today’s encryption. And crypto agility is the overarching strategy that connects these trends, ensuring that we have the resilience to adapt quickly to whatever challenges arise.

As we celebrate Cybersecurity Awareness Month, it’s important to recognize that these are not isolated trends. They represent a progression in how we think about and implement security in an increasingly complex digital landscape. Moving forward, it’s crucial that we discuss these topics not as standalone solutions but as interlinked components of a broader strategy. By doing so, we’ll be better equipped to stay ahead of the curve, ensuring that our systems remain secure, adaptable, and ready for the future.

Looking forward

As we continue to build a more secure digital world, it’s vital that we stay aware of the connections between the trends shaping the future of cybersecurity. The shift to 90-day certificates, the development of PQC, and the need for crypto agility are all part of the same story - a story of preparedness, resilience, and proactive defense. Let’s keep the conversation going, and continue to approach these challenges with the holistic mindset they deserve.