
MSSPs are On Alert as TLS Certificate Lifespans are Set to Shrink

The CA/Browser Forum almost a year ago voted to reduce the lifespan of Transport Layer Security (TLS) certificates, a contentious decision aimed at improving security and preparing for the coming quantum computing era, but one that will create operational headaches for organizations that now need to rethink how they manage and maintain certificates.

The first step in the three-phase approach takes effect March 15, when the maximum certificate lifetime drops from 398 to 200 days. Next year, that number will fall to 100 days, and by March 15, 2029, it will drop further to 47 days.

This won’t be an easy transition. The number of TLS certificates in use continues to increase, keeping pace with the adoption of technology. According to a report by Venafi – now owned by CyberArk – 95% of security leaders said digital transformation efforts increased their use of certificates between 2023 and 2024 by an average of 36%, driving the number of TLS certificates used by the average enterprise to 3,730, a number that was expected to increase another 39% – to more than 5,000 – by this year.

There is a range of security benefits to the shorter lifespans, including minimizing the risk that outdated certificates will be exploited. According to CyberArk, 77% of security leaders say that any undiscovered machine identity is a point of compromise. With shorter certificate lifespans comes more frequent validation.

They also improve regulatory compliance, support zero-trust architectures, and drive the adoption of automation, which will be important given that each time the lifespan shrinks, the administrative burden increases, from roughly two renewals per certificate per year this year to eight in 2029.
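The phase-in schedule and the renewal-burden figure above can be turned into a simple inventory check. The following is an added example, not code from the article or any vendor named in it; it assumes the first two cut-over dates fall in 2026 and 2027 (the article's "this year" and "next year") and uses a constructed inventory of certificate names and validity dates.

```python
import math
from datetime import date

# CA/Browser Forum phase-in: (effective date, max validity in days). 2026/2027 are assumed.
SCHEDULE = [
    (date(2026, 3, 15), 200),
    (date(2027, 3, 15), 100),
    (date(2029, 3, 15), 47),
]
LEGACY_MAX_DAYS = 398  # cap in force before the first phase

def max_validity_on(issued):
    """Maximum lifetime (days) allowed for a certificate issued on `issued`."""
    allowed = LEGACY_MAX_DAYS
    for effective, days in SCHEDULE:
        if issued >= effective:
            allowed = days
    return allowed

def renewals_per_year(lifetime_days):
    """Renewals needed per year if every certificate runs to its full lifetime."""
    return math.ceil(365 / lifetime_days)

def audit(inventory, today, warn_days=14):
    """Flag certificates that exceed the cap in force when issued, or that are near expiry."""
    findings = []
    for name, not_before, not_after in inventory:
        lifetime = (not_after - not_before).days
        allowed = max_validity_on(not_before)
        remaining = (not_after - today).days
        issues = []
        if lifetime > allowed:
            issues.append(f"lifetime {lifetime}d exceeds {allowed}d cap")
        if remaining < 0:
            issues.append("expired")
        elif remaining <= warn_days:
            issues.append(f"expires in {remaining}d")
        findings.append({"name": name, "lifetime": lifetime, "allowed": allowed, "remaining": remaining, "issues": issues})
    return findings

# Constructed sample inventory (name, notBefore, notAfter); not real hosts.
SAMPLE_INVENTORY = [
    ("legacy.example.com", date(2025, 6, 1), date(2026, 7, 4)),   # 398-day cert issued before the cut-over
    ("api.example.com", date(2026, 3, 20), date(2026, 12, 1)),    # 256 days, over the 200-day cap
    ("mail.example.com", date(2026, 3, 20), date(2026, 4, 10)),   # compliant but expiring soon
]
TODAY = date(2026, 4, 1)  # constructed reference date
if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY, TODAY):
        print(f["name"], f["issues"] or "ok")
```

Feeding the same function the four caps (398, 200, 100, 47) reproduces the one-to-eight renewals-per-year progression the article describes.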

MSSPs, Automation Will Be Key

MSSPs will be central as the new timeline takes hold.

Nikhil Rajan, global vice president of strategic alliances for DigiCert – a member of the CA/Browser Forum – said strategic alliances will play an increasingly important role as the certificate lifespan shrinks and MSSPs will be one player in a three-part operating structure organizations should adopt.

MSSPs will own the day-to-day execution, Rajan wrote, adding that they “absorb operational risk by monitoring automation, validating outcomes, and managing exceptions, ensuring renewals complete successfully without constant customer oversight.”

Jessica Davis, principal analyst in Omdia’s MSP practice, echoed the need for automating certificate lifecycle management.

“For MSSPs, the priority is ensuring clients have automated discovery, monitoring, and renewal processes in place,” Davis told MSSP Alert. “AI may help identify certificate sprawl and configuration issues, but the core requirement here is operational automation rather than new security tooling.”

Help is Needed

Kevin McGrail, cloud fellow and principal evangelist with Google Cloud security partner DitoWeb, told MSSP Alert that the “biggest thing that MSSPs need to know is that this will affect their customers and they must work on automation for the solution. ... Without automation, the shrinking window is going to cause more and more errors as people forget to do it manually. MSSPs shouldn't let that happen for their customers. Automation is the only solution.”

And many clients will need the help, McGrail said. He’s been tracking systems with no TLS rules for years.

“I have been able to see its impact on real-world email,” he said. “A surprising number of systems and banks still don't use it. They are still sending you emails in clear text over the internet.”

Tools are Available

Vendors have been rolling out automated certificate management tools for more than a year, including Sectigo and CyberArk.

For Gary Brickhouse, CISO at MSSP GuidePoint Security, the issue is about operational maturity, with those organizations manually tracking certificates and using spreadsheets feeling the most pain vs. those already embracing automation. Managed service providers will face the same challenges but also will need to carry some of their clients’ loads.

“MSSPs will feel the same pressure, except they are operating at a much larger scale, and with an increased pressure from their customers to maintain the certificate renewal process with no operational impact,” Brickhouse told MSSP Alert. “A huge key to measuring the potential impact is directly correlated to the visibility and inventory capabilities of the organization.”

It's About Certificate Governance

Brickhouse added that “with the increased usage of certificates, the distributed ownership of them, and the lack of tools and processes to provide central visibility, many organizations will need to make investments in their operational foundation in order to manage the certificates effectively.”

At this point, MSSPs need to focus on improving their certificate governance processes, particularly with visibility and automation, and pushing their clients to do the same.

“This move will likely drive both MSSPs and customers to invest more in operational support – at least in the near term – to fast-track the necessary certificate lifecycle maturity in their environment,” he said. “Ultimately, this transition will position both parties to stay secure while reducing the likelihood of any future operational outages.”

Jeffrey Burt

Jeffrey Burt has been a journalist for almost 40 years, moving from general-circulation newspapers to IT news sites in 2000. He’s an expert analyst and writer on cybersecurity, data center infrastructure, AI, and a host of other subjects for a range of organizations, including CyberRisk Alliance, eWEEK, Techstrong Group, The Next Platform, and The Register.
