Cloud Key Management

Recently two different corporations asked me about rotating X.509 certificates every three months. One was told to do so by an external auditor. The other was told by their CA that is the new standard. Has anyone heard the CAs are mandating rotation every three months? Is there an underlying advisory?

Thank you for your consideration.

Cheers,
alex.

------------------------------
Alex Sharpe
Principal
Sharpe42
[email protected]
Co-Chair Philosophy & Guiding Principles Working Group
Co-Chair Organizational Strategy & Governance Working Group
------------------------------

Google has been advocating for a 90-day maximum life for certificates on websites. The CA Browser forum has not adopted this yet, but I think most in this space think it is going to happen. 

https://www.chromium.org/Home/chromium-security/root-ca-policy/moving-forward-together/

Cheers,
Dave

------------------------------
Dave Butcher CISSP CCSP
------------------------------

Original Message:
Sent: Mar 06, 2024 07:30:27 AM
From: Alex Sharpe
Subject: Three Month Certificate Rotation?

Recently two different corporations asked me about rotating X.509 certificates every three months. One was told to do so by an external auditor. The other was told by their CA that is the new standard. Has anyone heard the CAs are mandating rotation every three months? Is there an underlying advisory?

Thank you for your consideration.

Cheers,
alex.

------------------------------
Alex Sharpe
Principal
Sharpe42
[email protected]
Co-Chair Philosophy & Guiding Principles Working Group
Co-Chair Organizational Strategy & Governance Working Group
------------------------------