The Register: Sysadmins rage over Apple’s ‘nightmarish’ SSL/TLS cert lifespan cuts

Source URL: https://www.theregister.com/2024/10/15/apples_security_cert_lifespan/
Source: The Register
Title: Sysadmins rage over Apple’s ‘nightmarish’ SSL/TLS cert lifespan cuts

Feedly Summary: Maximum validity down from 398 days to 45 by 2027
Apple wants to shorten SSL/TLS security certificates’ lifespans, down from 398 days now to just 45 days by 2027, and sysadmins have some very strong feelings about this “nightmarish” plan. …

AI Summary and Description: Yes

Summary: Apple is proposing to shorten the lifespan of SSL/TLS security certificates from 398 days to just 45 days by 2027, a move that has evoked strong reactions from system administrators. While shorter lifespans can enhance internet security by reducing the window of opportunity for exploits, they create significant operational challenges for IT teams. The push towards automation in certificate management has been identified as a possible solution, but skepticism remains regarding its feasibility in all scenarios.

Detailed Description: Apple’s plan to reduce the maximum validity period of SSL/TLS certificates from 398 days to just 45 days by 2027 is poised to significantly impact system administrators and their workflow. This proposal not only reflects an industry trend towards tighter security measures but also raises concerns about the operational burdens on IT teams responsible for managing these certificates.

Key Points:

– **Proposal Details**:
  – Apple introduced the proposal at the Certification Authority Browser Forum (CA/B Forum), with a stepped timeline: the maximum validity drops to 200 days after September 2025 and to 45 days after April 2027.
  – Google’s prior move to shorten Chrome’s certificate lifespan to 90 days adds to the momentum for these changes.

– **Security Benefits vs. Operational Burdens**:
  – Shorter lifespans are meant to improve internet security by shrinking the window in which a compromised certificate remains trusted and can be abused.
  – However, system administrators note that the change will significantly increase their workload, with particular concern about manually managing renewals across many sites and services.

– **Community Response**:
  – Many sysadmins expressed their frustrations on platforms like Reddit, highlighting the impracticality of manually managing certificates for numerous domains.
  – Some professionals pointed out that even automated solutions may not suit all environments, particularly legacy hardware and configurations that are incompatible with automation.

– **Industry Implications**:
  – The proposal and its ramifications underscore the importance of automating certificate management. Sectigo, a key proponent of the proposal, advocates automated lifecycle management as a necessary adaptation for businesses facing the new requirements.
  – Despite calls for automation, skepticism remains about whether it can be applied universally, given the specific technical constraints some systems administrators encounter.

This discussion highlights the balance between enhancing security through shorter certificate lifespans and the operational realities faced by IT and security teams. Any implementation should account for the diverse environments in which these certificates operate, and the upcoming changes may require a stronger push toward seamless automation solutions and processes that serve both security and usability in certificate management.