The risks of ignoring ACME in the 90-day and 47-day SSL era

Big changes are in store for the SSL/TLS certificates of tomorrow. Escalating cybersecurity challenges have prompted the need for stronger encryption and authentication.

Shorter certificate lifespans are among the most promising strategies for strengthening cybersecurity, but these changes could also create serious challenges for businesses that are unprepared. With the imminent arrival of 90-day SSL certificates—and Apple’s proposal to reduce lifespans even further to 47 days—, enterprises could either benefit from these enhanced cybersecurity measures or become more vulnerable to outages, depending entirely on how they prepare for this inevitable shift.

Automated Certificate Management Environment (ACME) will have a powerful role in shaping the new normal of 47-day SSL certificates. Ignoring ACME could expose both vendors and organizations to significant security risks. Below, we will explain why ACME is so important in the present — and how it will certainly influence certificate management moving forward.

The shift to shorter SSL certificate lifespans

Expiration has always been a central component of the digital certificate lifecycle — arguably just as important as issuance. If certificates don't expire, the likelihood of certificate exploitation increases as new vulnerabilities enter the cybersecurity landscape.

Until recently, it was largely assumed that a sizable timeline would exist between when certificates were issued and when they needed to be renewed. That is all about to change, however. In the near future, lifespans for SSL/TLS certificates will last just 90 days. This represents a significant shift from the previous status quo, which allowed digital certificates to exist for over a year following their initial deployment.

Moreover, industry leaders are proposing to shorten certificate lifespans even further. Apple has proposed reducing SSL/TLS certificate validity periods to just 47 days by 2028. This move underscores the industry's continued commitment to enhancing security through shorter certificate lifespans.

Google's Moving Forward Together announcement and Apple’s recent announcement both highlight the need to encourage "modern infrastructures and agility," along with the importance of "preparing for a post-quantum world." Advocates believe that these priorities will be easier to pursue upon adopting shorter certificate validity periods.

Why shorter certificates are the new standard

As one of the industry's responses to escalating security concerns, the upcoming shift to 90-day—and potentially 47-day— SSL certificates aims to enhance cybersecurity measures. While this change may seem inconvenient or even frustrating from the perspective of modern enterprises and IT departments, it serves a critical purpose. Shorter certificate lifespans can dramatically improve security by reducing the time available for threat actors to exploit vulnerabilities.

The importance of ACME for SSL automation

Automated strategies promise to mitigate the potential problems brought about by shorter lifespans — particularly the increased frequency of renewals which leads to a heightened risk of certificates expiring unexpectedly. Automation provides a streamlined approach to navigating every stage of the certificate lifecycle: request and enrollment, issuance and deployment, expiration, renewal, and, if necessary, certificate revocation.

With the right solution, it is possible to carry out these key steps without requiring time-consuming and error-prone human intervention. This is not only more efficient than manually issuing managing certificates, but also, more reliable, as it prevents expirations — even when working with high volumes of SSL certificates.

What is ACME?

Automated Certificate Management Environment (ACME) is a powerful protocol that makes it possible to automate the issuance and renewal of SSL/TLS certificates. Created by the Internet Security Research Group (associated with Let’s Encrypt) and eventually published as a full-fledged internet standard, ACME was revolutionary at the time of its introduction. It is easily adopted by certificate authorities (CAs) and enterprises, not to mention, flexible and capable of addressing automation needs at scale.

Defined by a document known as RFC 8555, this protocol is robust, yet simple and straightforward. It’s used by an ACME client to request certificate issuance or revocation. The protocol facilitates communication between that client and the certificate authority while automating essentials such as the validation process — typically pursued using Domain Name System (DNS) challenges such as DNS-01.

Why ACME is crucial for 90-day and 47-day validity periods

Manual certificate processes are already impractical, but the eventual shift to shorter certificate lifespans will exacerbate their current issues. Simply put, IT departments cannot possibly keep up. With a growing volume of SSL certificates constantly approaching expiration, it will become increasingly difficult to manage these certificates effectively. ACME is a key part of the solution, however, with the protocol's automation mechanisms promising to expedite critical certificate processes.

Understanding the risks of ignoring ACME

Manual certificate management may still be common practice for many enterprises, but with shorter validity periods coming, this already suboptimal approach is about to cause even bigger problems. Ignoring the ACME protocol now poses huge risks for both enterprises and vendors.

Without ACME support, organizations will face increased operational burdens and a higher likelihood of service outages due to expired certificates. Vendors that fail to incorporate ACME into their products leave their customers vulnerable and risk becoming obsolete. This is the perfect time to adopt automated certificate management and reap its rewards. If this shift seems intimidating, consider the risks and cost of not adopting an automated approach:

Manual certificate management and its dangers

Even if completed by IT experts, manual certificate processes are time-consuming. This can create a huge operational burden, with IT teams forced to spend far too much time discovering, renewing, and deploying certificates, rather than focusing on other technological concerns. Even without the increased potential for outages, it's easy to see why this is such a costly strategy — and those expenses will only increase as certificate lifespans shrink.

Mass revocation events

While many people think of revocation as an occasional response to an isolated digital certificate misstep, recent events have shown that mass revocations can and do occur, causing operational chaos for enterprises with poor certificate management strategies.

Mass revocation may occur due to technical or compliance issues, which are more likely when manual processes increase the risk of human error. Common problems that lead to mass revocation include compromised private keys, CA misissuance, and vulnerability exploits.

The business impact of ignoring the ACME protocol

The failure to adopt the ACME protocol could lead to significant and quantifiable losses, including everything from increased labor needs to more frequent expirations (which lead directly to more downtime). This operational inefficiency not only disrupts business activities but can also undermine the credibility of vendors who promise reliable and competitive solutions. These vendors cannot meet their lofty promises if their own compliance and security strategies appear unreliable.

Furthermore, downtime caused by expired certificates can prompt clients and customers to lose confidence, potentially leading them to reconsider their partnerships. Reputational damage from frequent outages, although less readily quantifiable, is difficult to overcome and can have lasting negative effects on an organization's success.

Threats to vendors and technology providers

A lack of support for ACME could be a huge liability for vendors and technology providers, which require streamlined and secure certificate management to ensure that their reputation remains strong and that they can continue providing exceptional services for customers and clients with high expectations.

Sticking with manual processes means not only missing out on a huge competitive advantage but also suffering a full-on competitive disadvantage. Vendors reliant on outdated manual strategies suffer considerable inefficiency compared to competitors using automated solutions. This disadvantage could even lead to vendors that don’t adopt ACME protocol becoming obsolete.

Leadership’s role in ACME support

While many IT experts advocate strongly for ACME, this is ultimately a top-down initiative that must be not only supported, but also, fully embraced by business leaders. Many now view ACME as a crucial component of risk management, given its expanded role in preventing security breaches and in safeguarding digital communication.

The risk of outages must be considered, and, when leaders prioritize ACME, they support an overall organizational culture of security and compliance. Numerous use cases demonstrate that ACME has already been adopted across sectors by a wide range of forward-thinking enterprises.

Crypto agility and the future of certificate authorities and vendors

In addition to streamlining the discovery, issuance, deployment, and renewal of SSL/TLS certificates, ACME can enhance crypto agility. This concept references how quickly and seamlessly enterprises can adjust their approach in response to new security challenges. ACME plays a huge role in this by helping organizations scale their approach to managing SSL certificates — and this makes it easier to remain flexible so that it is possible to adapt to emerging opportunities without delaying operations.

Certificate authorities and vendors that fail to embrace automation are bound to struggle in the future. They will fall even further behind as the pace of certificate renewal picks up.

Automation is the best way to bid farewell to the constant game of catch-up, and instead, proactively plan for the challenges of tomorrow.

Future-proof your SSL certificate management with Sectigo

With shorter certificate lifespans fast approaching, it's clear that certificate lifecycle management needs to take a step up. Automate key certificate processes with Sectigo Certificate Manager (SCM), a CA-agnostic platform offering full ACME support. We're committed to helping businesses navigate an increasingly complex digital landscape with ease.

SCM automates the entire SSL certificate lifecycle—from issuance and discovery to deployment and renewal—handling large volumes of SSL/TLS certificates effortlessly. With SCM's centralized dashboard, you gain real-time visibility into all your public and private certificates, eliminating manual workloads and minimizing the risk of unexpected expirations.

Prepare for the future of certificate management today by experiencing our SCM platform in action—schedule a demo or get started with a free trial.

Want to learn more? Get in touch to book a demo of Sectigo Certificate Manager!

Related posts:

How businesses can prepare for the 47-day certificate lifecycle: What it means and recent updates

Google and Apple's push for shorter certificate lifecycles: what to expect before the transition

Preparing for the future: Apple’s 47-Day certificate lifespan proposal