eBook

Don’t Delay: 5 Steps

to Prepare for 90-Day
TLS/SSL Certificates
Cross these off of your to-do list today.
Table of Contents

3 Shorter Certificate Lifespans:Safer, but a LOT More Work

9 Bottom Line: Crypto Agility Vital for Business Continuity

10 A Trusted Certificate Management Partner

11 How can we help?

Don’t Delay: 5 Steps to Prepare for 90-Day TLS/SSL Certificates 2

Shorter Certificate Lifespans

Shorter Certificate Lifespans:

Safer, but a LOT More Work
The question arises: Can you (or
should you) expand your staff
There’s been a lot of talk about how shorter certificate lifespans reduce the risk of
fivefold (or tenfold) to manually
compromise, but handling a higher volume of certificates also heightens the risk of
manage the surge? But who has that
outages caused by missed renewals. As 45-day and 90-day TLS lifespans loom, the
challenge of handling more renewals intensifies. Since best practices recommend
kind of luxury?
renewing certificates 30-days prior to expiration, every certificate with a shortened
lifespan will require at least five annual renewals. 1. Implement continuous discovery and
inventory
The only practical way forward is to use automated certificate lifecycle management
to keep your TLS certificates valid and safe. 2. Automate renewal processes

5 Immediate Actions to Brace for the Shift to Shorter Certificate Lifespans 3. Configure global policies and workflows

The ever-shortening trajectory of certificate lifespans drives home the need to 4. Integrate with DevOps tools
automate certificate lifecycles for survival. So, why wait? Embrace automated
workflows today and be ready before certificate lifespans shrink to 90 days or lower. 5. Set up real-time monitoring and reporting

Automation empowers you to seize control of your renewals and ensure no

certificate is neglected, sparing you unnecessary pain and toil. Read on to explore
five ways automation can simplify your current operations and future-proof your TLS
certificate lifecycle management.

Don’t Delay: 5 Steps to Prepare for 90-Day TLS/SSL Certificates 3

5 Immediate Actions

1. Implement Continuous
Discovery and Inventory
Understanding your certificate landscape is paramount. A complete
3X machine identities by 2025
inventory, including who owns each certificate, where it is installed
and when it expires, is required. Given the daily or even hourly
changes with short-lived certificates, manual tracking can’t keep up.

ACTION SOURCE: Venafi CIO Study: Automation Vital to Address Shorter Lifespans and Massive Growth of TLS/SSL Certificates

You’ll need a robust certificate lifecycle management solution that

continuously automates discovery and maintains your network’s
dynamic TLS/SSL certificate inventory. This visibility is crucial to
ensuring business continuity and preserving security.

Don’t Delay: 5 Steps to Prepare for 90-Day TLS/SSL Certificates 4

Shorter Certificate Lifespans

Organizations hit by certificates-related

2. Automate outages in the past 12 months

Renewal Processes
After pinpointing the locations and owners of your TLS/SSL
certificates, you could set up a series of alerts for expiring 83%
certificates. However, as certificate lifespans shorten, relying on
manual renewal becomes impractical and risky, and you’re forced to
spend days and weeks manually following up with certificate owners.
Organizations experienced security incidents
involving compromised TLS/SSL certificates

ACTION
When you automate renewals, you’re not just saving time—you’re
57%
making sure your certificates stay up to date, avoiding downtime
caused by expired ones. But automation is not one-size-fits-all. You
need a certificate lifecycle management solution that allows you to
automate with ACME, APIs, SDKs, agents and more.

Don’t Delay: 5 Steps to Prepare for 90-Day TLS/SSL Certificates 5

 Shorter Certificate Lifespans

3. Configure Global Policies

and Workflows
To ensure your certificates use the most stringent attributes,
you must adopt global policies and workflows. Automating these
Organizations use fragmented solutions for safeguards through self-service prevents business units from going
certificate lifecycle management rogue with unauthorized or non-compliant certificates.

64%
ACTION
Start by setting up centralized policies and workflows that enforce
compliance for the new, shorter certificate lifespans. This way, it’s
easier for certificate owners to request and manage certificates. Also,
don’t forget to set the right validity periods for new certificates and to
make sure the renewal process matches up with the shorter lifespans.

Don’t Delay: 5 Steps to Prepare for 90-Day TLS/SSL Certificates 6

Shorter Certificate Lifespans

4. Integrate with
DevOps Tools CI/CD PIPELINE INTEGRATION REMAINS DIFFICULT

Your DevOps teams likely consume the largest number

of certificates, especially in CI/CD environments. And for 73%
them, time is of the essence. So, if you are viewed as a
bottleneck in handling certificate requests, these teams CIOs believe it is hard for security teams to meet developer-driven machine
might start cutting corners or finding shortcuts, which puts identity requirements for cloud native workloads
the business at risk.

ACTION
Make life simpler for your developers by integrating the
certificate lifecycle management solution with their existing
tools. Turnkey, API-driven integrations enable automated
SOURCE: The Impact of Machine Identities on the State of Cloud Native Security in 2023
provisioning of certificates in continuous deployment
environments, ensuring strict adherence to the validity periods
for certificates used in both new and existing applications.

Don’t Delay: 5 Steps to Prepare for 90-Day TLS/SSL Certificates 7

Shorter Certificate Lifespans

5. Set Up Real-Time
Monitoring and Reporting
Navigating 90-day certificate lifespans requires you to
juggle a continuous flow of short-lived certificates. So,
it’s vital you can immediately detect anomalies or when
certificate use deviates from expected behavior.

ACTION
By setting up continuous monitoring and reporting, you
can ensure all certificates comply with the new, shortened
lifespans and organizational policies. Regular, real-time
audits help identify and rectify deviations, reducing the risk of
security breaches or non-compliance penalties. This proactive
approach ensures your certificate landscape stays secure,
compliant and aligned with best practices.

Don’t Delay: 5 Steps to Prepare for 90-Day TLS/SSL Certificates 8

Insert Chapter Title Here

Bottom Line: Crypto Agility

Vital for Business Continuity
The TLS certificates you need to effectively run your business are
in constant motion.

Algorithms change. Applications change. Lifespans change.

Keeping pace requires a certificate lifecycle management Simple, automated TLS/SSL

solution that enables you to turn on a dime with crypto agility. certificate lifecycle management
As we face an uncertain future, you’ll find that the ability to
rapidly update certificates in bulk is not just good to have—it’s
a business necessity.

TLS Protect Delivers the Crypto Agility Needed to

Thrive Amidst Shorter Certificate Lifespans

Don’t Delay: 5 Steps to Prepare for 90-Day TLS/SSL Certificates 9

A Trusted Certificate Management Partner

A Trusted Certificate
Management Partner
Southwest Airlines has partnered with Venafi, a CyberArk company,
for nearly a decade.

Today Venafi supports security and efficiency at Southwest thanks

to the automation of processes the airline was previously managing
on a spreadsheet!
Through automation we’ve cut
the time of the lifecycle, the
time of installation, and the
number of resources needed to
manage those certificates.
Michael Flanders

Senior Cybersecurity Engineer

Southwest Airlines

Don’t Delay: 5 Steps to Prepare for 90-Day TLS/SSL Certificates 10

Insert Chapter Title Here

How can we help?

Learn how we can help automate your TLS/SSL certificate lifecycle
management, no matter how many certificates you have.

About CyberArk

CyberArk (NASDAQ: CYBR) is the global leader in Identity Security. Centered on privileged access management, CyberArk provides themost comprehensive
security offering for any identity – human ormachine– across business applications, distributed workforces, hybrid cloud workloads and throughout the
DevOps lifecycle. The world’s leading organizations trust CyberArk to help secure their most critical assets. To learnmore about CyberArk, visit https://www.
cyberark.com, read the CyberArk blogs or follow on X (Formerly Twitter) via @CyberArk, LinkedIn or Facebook.
© Copyright 2024 CyberArk Software. All rights reserved. No portion of this publication may be reproduced in any form or by any means without the express written consent of CyberArk Software. CyberArk®, the CyberArk
logo and other trade or service names appearing above are registered trademarks (or trademarks) of CyberArk Software in the U.S. and other jurisdictions. Any other trade and service names are the property of their respective

Don’t Delay: 5 Steps to Prepare for 90-Day TLS/SSL Certificates 11