Google recently announced their intention to reduce the maximum certificate lifetime that Google Chrome will accept for website security certificates from 398 days to only 90 days at some point in the future.
When this happens, IT staff who are currently getting and installing new certificates by hand on each of their websites or other systems each year will need to start doing it four to five times per year.
This will place a large burden on university units, especially units that use a large number of certificates. It also increases the chances of a website or service outages if a certificate expires before staff replace it with a new one.
If you are currently using the InCommon Certificate Service Web Application Sign Up (WASUP) or InCommon Certificate Manager (ICM) options to obtain your TLS/SSL certificates, ITS recommends that you start switching your systems to using ACME to fully automate certificate renewals. By starting now, you can identify websites and systems that may have difficulty with ACME and have time to plan and implement solutions.
Maximum certificate lifetimes have been reduced two times before: Until 2018, certificates could be valid for up to three years. In 2018, the maximum certificate lifetime was reduced to two years. In 2020 it was reduced again to one year (398 days), and now to only 90 days.
Each time certificate lifetimes have been reduced in the past, it has affected not only certificates for websites but also for all other servers and systems. Each time, all vendors stopped offering longer-duration certificates, and all web browsers stopped accepting them, requiring the university to switch to the shorter-duration certificates.
ITS does not know when the current 398 day certificates will no longer be available and all new certificates will be valid for only 90 days, but we believe that it has a good chance of happening near the end of 2024.
If you have questions or want assistance, contact incommon-certificate-service@umich.edu.
