Preparing for Google’s Proposed TLS Certificate Lifespan Reduction

October 5, 2023

In March 2023, the Google Chromium Project published a roadmap document called Moving Forward, Together, which outlines the organization’s intention to reduce TLS certificate lifespans issued from a public key infrastructure (PKI) from 13 months (or 398 days) to just 90 days.


The dramatic reduction in certificate lifespan is intended to make it much harder for cybercriminals to misuse a certificate. With the reduction in lifespan, criminals will have much less time to attack or exploit a certificate before it is replaced. This will help to prevent man-in-the-middle attacks or other data capture or exfiltration attacks. As we move toward Zero Trust security models and a post-quantum world, Machine Identity Management (MIM) will become key to organizational success and security.



Understanding TLS Certificate Lifespan Changes

While the coming changes in certificate lifespans are necessary to force evolution and tighter security compliance across the industry, these changes will dramatically increase the workload for PKI and security teams worldwide. However, the failure to renew certificates in a timely manner can have significant financial and reputational impacts on a business. Companies can experience customer service disruptions, lost revenue, security vulnerabilities, compliance violations and reputational damage—leading to millions of dollars in lost revenue and unplanned expenses. According to Gartner, a customer service disruption could cost an organization $42,000 per hour, and the Ponemon Institute has found that ransomware incidents can cost, on average, $4.6M.


For a security or PKI team that has efficient, well-documented processes, it is reasonable to assume that it will take an average of 3 hours per certificate. In a small environment with only 500 certificates, that is 1,500 hours a year or 62.5 days of work under the current lifetime maximums. Once the changes go into effect, the minimum operation load will become 6,000 hours or 250 days a year. When factoring in the additional time needed to coordinate the installation of certificates on endpoints and adhere to maintenance windows, this estimate can expand dramatically. For many companies, this will mean hiring new employees to cover this increased load or investigating the possibility of utilizing a managed service that can provide the same level of expertise.



How to Prepare

The automation functionality available in the major Certificate Lifecycle Management (CLM) software on the market today allows a security team to reduce the handling time from days to minutes. In addition, companies can leverage built-in integrations with major hardware and software vendors in the information technology and security space.


Certificate lifecycle management is no longer a nice-to-have option. Teams will require well-defined processes and policies, CLM software, and the personnel to absorb the new workload quickly.


The adoption of a CLM platform can be time-consuming. The new certificate lifespan rule is expected to go into effect by the end of 2024. Between the necessary planning, existing policy review, potential clean-up of current systems and rollout to the userbase, it is possible that the full implementation and migration to a new CLM could take several months.


Companies that have the new tooling or a managed service in place before the end of 2023 or early 2024 will have more time to prepare for the influx of requests and cases once the rule takes effect.


Schedule a brief introductory call to speak with us about your security challenges and to learn more about how we can help you stay ahead of today’s top PKI threats.

Managed PKI, Operations Manager | Optiv
Patrick has more than 25 years of IT Security experience in service delivery and direct client support. He brings a broad functional and technical background with specific expertise in cryptography and digital identity. In his current role at Optiv, Patrick is an Operations Manager and Practice Leader who is responsible for leading the Managed PKI and Managed Vulnerability offerings. He seeks to create value for his clients by leading highly skilled teams of engineers and analysts to deliver offerings that help the client to detect, manage, and secure critical resources.
VP, Technical | Optiv
Carl has more than 25 years of service delivery experience across technology and business processes. He brings a broad functional and technical background with specific expertise in business and technology transformation. In his current role, Carl is a leader in Optiv's services practice and was most recently responsible for leading the Data Governance, Privacy & Protection practice. He seeks to create value for his clients by sharing insights, experience and technical know-how to enable them to control, respect and secure sensitive data.

Optiv Security: Secure greatness.®

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit