TIPS & BEST PRACTICE 03. SEP 2020
4 Benefits of Shorter X.509 Validity Periods for Web and Email Certificates
Certificates are the foundation of security in the digital world. Carefree surfing and especially online banking would not be possible without them. Thanks to SSL certificates, online users can tell at an instant whether they can trust the website they are visiting. A lock icon shows up in the address line of their browser.
At their core, email certificates for S/MIME encrypted communication use the same technical standard as browser certificates. Both are X.509 certificates with different entries in the ‘Key Usage’ area. Whether SSL encryption or email encryption, both must be secure. There is an automated certificate validity check in web browsers but what about the validity of email certificates? You can trust encrypted and signed emails only if the validity of the S/MIME certificate is confirmed.
Shorter validity periods for SSL/TLS certificates from September, 2020
Apple announced that TLS certificates with a validity period of more than 398 days issued from September 1, 2020, would be declared insecure in the Safari browser. Google Chrome and Mozilla Firefox will implement the same rule.
Even though the shortened validity period will only be introduced for SSL certificates. One might wonder, what about adopting the shorter validity periods for email certificates?
Advantages of shorter validity terms for x.509 email certificates
- Higher security compared to longer certificate lifetimes. With shorter validity periods, criminals have less time for attacks in the event of compromise.
- More efficient spending. With one-year S/MIME certificates, companies will potentially pay less for unused periods after employees leave.
- Greater flexibility. New requirements can be quickly implemented for an entire certificate portfolio.
- Simplified handling. A shorter validity period reduces the likelihood that certificates have to be withdrawn by trust centers. Complex processes such as the unscheduled issuance and publication of new certificates within very short periods in the event of revocation will no longer be necessary.
Simple certificate handling through automation
When certificate management is fully automated, short validity periods only bring advantages. We at Zertificon are therefore changing our range of services and our processes to the issuing of 1-year certificates. Zertificon customers will not have any additional efforts due to the more frequent certificate changes, as Z1 SecureMail Gateway automates the issuing and renewal of their own certificates. And the search for certificates of communication partners and their validation is also carried out continuously and completely in the background.
Certainly, Z1 solutions will continue to process certificates with a longer lifespan, too. Longer validity periods will still be used in companies if certificates are stored on hardware tokens. Shorter validity periods would cause effort and costs.
Do you use automation for key life cycle and certificate management? Not yet using a Z1 solution for email encryption? Contact us to learn more about the Z1 SecureMail Gateway.