Picture this: your SSL certificate is like a carton of milk in your fridge. Sure, it’s good for a while, but let it sit too long, and you’re inviting a sour situation. At Sucuri, we’ve decided our certificates deserve a fresher approach—90 days fresh, to be exact. That’s right, we’re now renewing our SSL certificates every three months, and we’re here to tell you why this is the cybersecurity equivalent of a daily kale smoothie: good for you, great for security, and honestly, pretty trendy.
Let’s unpack why we’ve embraced the 90-day SSL lifecycle, how we’re making it painless for you, and where the industry’s headed—spoiler alert: it involves quantum elephants.
What’s Changed? Certificates Are Now 90-Day Sprinters
Gone are the days when SSL certificates lounged around for a year like they were on an all-inclusive vacation. Sucuri’s Web Application Firewall (WAF) now renews SSL certificates every 90 days. Why? Because shorter certificate lifespans mean a tighter leash on potential security risks. A compromised certificate with a 3-year-long validity is like giving a hacker a 36-month Netflix subscription to your server. Ninety days? That’s barely enough time for them to pick a show.
This shift aligns with the industry’s push for agility and security, and we’re proud to be ahead of the curve, hand-in-hand with big players like Google and Let’s Encrypt. But before we pat ourselves on the back, let’s dive into the “why” behind this change.
Why the Short Leash? Google, CA/B Forum, and the Security Glow-Up
The move to shorter certificate lifespans didn’t just fall out of a coconut tree. It’s been brewing in the halls of the CA/Browser Forum (CA/B Forum), the nerdy roundtable where browser makers, certificate authorities (CAs), and security folks like us hash out the rules for SSL/TLS certificates. Back in 2019, Google floated the idea of 90-day certificates as part of its “Moving Forward, Together” roadmap, arguing that shorter lifespans shrink the window for attackers to exploit stolen keys and push organizations toward automation nirvana. The proposal didn’t pass then—Certificate Authorities grumbled about infrastructure readiness—but it lit a fire under the industry.
Fast-forward to 2023, and Google doubled down, proposing 90-day certificates again to “encourage automation and the adoption of practices that will drive the ecosystem away from baroque, time-consuming, and error-prone issuance processes”. While that specific ballot didn’t make it to the CA/B Forum’s Baseline Requirements, it set the stage for Apple’s 2024 bombshell: a proposal to slash certificate lifespans to 45 days by 2027, which was negotiated to 47 days by 2029 via Ballot SC-074. The CA/B Forum’s phased plan now looks like this:
- March 15, 2026: Certificates max out at 200 days.
- March 15, 2027: Down to 100 days.
- March 15, 2029: A zippy 47 days.
Why all this fuss? Shorter lifespans mean:
- Less time for mischief: A stolen certificate expires faster, limiting damage.
- Fresher crypto: New certificates can adopt the latest algorithms, keeping your site ahead of threats.
- Automation or bust: Manual renewals every 90 (or 47) days are a nightmare, so automation becomes non-negotiable, reducing human error.
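To make the phased schedule above concrete, here is an added example (not Sucuri's code) that audits a certificate inventory against the cap in force on each certificate's issuance date and flags renewals that are due. The hostnames and dates are constructed, the 398-day cap before March 15, 2026 is the current limit rather than a figure from this page, and the renew-at-two-thirds rule is an assumed policy.

```python
from bisect import bisect_right
from datetime import date, timedelta

# (effective date, maximum validity in days). The 2026-2029 rows are the
# schedule listed above; the 398-day starting cap is the limit in force
# before it and is not stated on this page.
SCHEDULE = [
    (date.min, 398),
    (date(2026, 3, 15), 200),
    (date(2027, 3, 15), 100),
    (date(2029, 3, 15), 47),
]

def max_validity_days(issued):
    """Return the cap that applies to a certificate issued on `issued`."""
    idx = bisect_right([start for start, _ in SCHEDULE], issued) - 1
    return SCHEDULE[idx][1]

def audit(host, not_before, not_after, today):
    """Classify one certificate by lifetime, cap and renewal deadline."""
    lifetime = (not_after - not_before).days
    cap = max_validity_days(not_before)
    # Assumed policy: renew once two thirds of the lifetime has elapsed.
    renew_on = not_before + timedelta(days=lifetime * 2 // 3)
    if today > not_after:
        status = "EXPIRED"
    elif lifetime > cap:
        status = "OVER_CAP"      # a CA following the schedule would not issue this
    elif today >= renew_on:
        status = "RENEW_NOW"
    else:
        status = "OK"
    return {"host": host, "lifetime": lifetime, "cap": cap,
            "renew_on": renew_on, "status": status}

# Constructed inventory: (host, notBefore, notAfter).
INVENTORY = [
    ("shop.example", date(2026, 3, 1), date(2027, 3, 1)),
    ("legacy.example", date(2026, 4, 1), date(2027, 4, 1)),
    ("blog.example", date(2026, 3, 20), date(2026, 6, 18)),
    ("old.example", date(2026, 2, 1), date(2026, 5, 2)),
]

def run(today):
    return [audit(h, nb, na, today) for h, nb, na in INVENTORY]

if __name__ == "__main__":
    for row in run(date(2026, 6, 1)):
        print(row["host"], row["status"], row["lifetime"], row["cap"], row["renew_on"])
```

The two 365-day certificates get different verdicts because one was issued before the March 15, 2026 cutover and the other after it.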
Let’s Encrypt, the free certificate fairy godmother, has been waving the automation flag for years, championing the ACME protocol (Automated Certificate Management Environment) to make renewals as smooth as a sunny day. Their mantra? “Automation is the only way to scale security without losing your mind”. Sucuri’s 90-day renewals are a nod to this philosophy, and we’re not just following the cool kids—we’re setting the pace.
How Sucuri’s Got Your Back (and Your Certificate)
Now, you might be thinking, “Marc, 90-day renewals sound like a part-time job I didn’t sign up for.” Fear not! Sucuri’s got this wired so you can keep sipping that coffee without breaking a sweat. Here’s how we’re making 90-day renewals a breeze:
- Seamless Automation: If your site’s A records are still pointing to Sucuri’s WAF IPs (as they should be), and you haven’t blocked the validation path /.well-known/pki-validation/ or geoblocked the US (don’t do that, folks), your certificate will renew automatically. No manual labor required. It’s like having a Roomba for your SSL—set it and forget it.
- Token Transparency: For first-time issuances or the rare renewal that needs a nudge, we’ve exposed the validation token in our control panel at https://waf.sucuri.net/?settings&site=domain.com&panel=ssl. You can add an HTML file to your site’s code or a DNS TXT record to verify domain ownership. Pro tip: you probably won’t need this for renewals if your WAF setup is unchanged, but it’s there if you need it.
- WAF Wizardry: Our WAF doesn’t just block bad guys; it handles certificate renewals like a pro, ensuring your site stays HTTPS-happy without outages.
We’ve taken the sting out of 90-day renewals because, frankly, we’d rather you spend your time writing witty blog posts (like this one) than wrestling with certificate expirations.
Where’s the Industry Headed? Spoiler: Even Shorter Lifespans
If 90 days feels like a sprint, buckle up—the CA/B Forum’s 47-day mandate by 2029 is basically a 100-meter dash. Google and Apple aren’t slowing down, and neither are we. Let’s Encrypt is already automating renewals for millions of domains, proving that short lifespans are not just doable but desirable. The industry’s mantra is clear: shorter is safer, and automation is king.
But it’s not just about speed. Shorter lifespans pave the way for “crypto-agility”—the ability to swap out algorithms faster than you can say “post-quantum cryptography” (more on that in a sec). Google’s been banging this drum since 2023, noting that 90-day certificates help “promote the agility required to transition to quantum-resistant algorithms quickly”. Sucuri, Google, and Let’s Encrypt are the cool kids at the crypto-agility party, and we’re inviting you to dance.
The Elephant in the Room: Quantum Computing
Let’s talk about the big, quantum-shaped elephant in the room. Quantum computing isn’t just a sci-fi buzzword—it’s a looming threat to traditional cryptography. A sufficiently powerful quantum computer could crack today’s encryption algorithms faster than you can say “Shor’s algorithm.” The CA/B Forum is already collaborating with industry leaders on post-quantum cryptography (PQC), with algorithms like CRYSTALS-Kyber and CRYSTALS-Dilithium being prepped to keep your data safe in the quantum era.
Shorter certificate lifespans are a warm-up for this quantum marathon. By renewing certificates every 90 days (and soon 47), we can adopt PQC algorithms faster, reducing the risk of your site being caught with outdated crypto when quantum computers arrive. Google’s 2023 proposal highlighted this, noting that PQC algorithms are new and may need frequent updates as vulnerabilities are discovered. Let’s Encrypt is also on board, advocating for automation to handle the rapid churn of PQC-ready certificates.
The industry’s not just reacting; we’re proactively building a quantum-resistant future. Sucuri’s 90-day renewals are a step toward that goal, ensuring you’re not left holding a cryptographic milk carton that’s gone sour when the quantum wave hits.
Wrapping Up: Sucuri’s Short, Sweet, and Secure Future
At Sucuri, we’re not just keeping up with the Joneses (or the Googles)—we’re setting the pace with 90-day SSL renewals. By aligning with the CA/B Forum’s security-first vision, Google’s automation push, and Let’s Encrypt’s ACME magic, we’re making your site safer, faster, and future-proof. Our WAF and control panel make renewals as painless as a sunny afternoon, so you can focus on running your site, not chasing certificates.
As the industry races toward 47-day certificates and quantum-resistant crypto, we’re ready to lead the charge. So, keep your A records pointed our way, don’t block that validation path, and let’s keep your SSL certificates as fresh as a newly printed meme. Got questions? Hit us up at https://waf.sucuri.net, and let’s keep the internet secure, one 90-day certificate at a time.
Stay secure, stay witty, and let’s outsmart those quantum elephants together.