How Google does certificate lifecycle management
Posted by Siddharth Bhai and Ryan Hurst, Product Managers, Google Cloud
Over the last few years, we’ve seen the use of Transport Layer Security (TLS) on the web increase to more than 96% of all traffic seen by a Chrome browser on Chrome OS. That’s an increase of over 35% in just four years, as reported in our Google Transparency Report. Whether you’re a web developer, a business, or a netizen, this is a collective achievement that’s making the Internet a safer place for everyone.
The way TLS is deployed has also changed. The maximum certificate validity for public certificates has gone from 5 years to 2 years (CA/Browser Forum), and that will drop to 1 year in the near future. To reduce the number of outages caused by manual certificate enrollments, the Internet Engineering Task Force (IETF) has standardized Automatic Certificate Management Environment (ACME). ACME enables Certificate Authorities (CAs) to offer TLS certificates for the public web in an automated and interoperable way.
Simplifying certificate lifecycle management for Google’s users
These are important strides we are making collectively in the security community. At the same time, these efforts mean we are moving to shorter-lived keys to improve security, which in-turn requires more frequent certificate renewals. Further, infrastructure deployments are getting more heterogeneous. Web traffic is served from multiple datacenters, often from different providers. This makes it hard to manually keep tabs on which certificates need renewing and ensuring new certificates are deployed correctly. So what is the way forward?
- All Blogger blogs, Google Sites, and Google My Business sites now get HTTPS by default for their custom domains.
- Google Cloud customers get the benefits of Managed TLS on their domains. So:
- Developers building with Firebase, Cloud Run, and AppEngine automatically get HTTPS for their applications.
- When deploying applications with Google Kubernetes Engine or behind Google Cloud Load Balancing (GCLB), certificate management is taken care of if customers choose to use Google-managed certificates. This also makes TLS use with these products easy and reliable.
Performance, scalability, and reliability are foundational requirements for Google services. We have established our own publicly trusted CA, Google Trust Services to ensure we can meet those criteria for our products and services. At the same time, we believe in user choice. So even as we make it easier for you to use Google Trust Services, we have also made it possible across Google’s products and services to use Let’s Encrypt. This choice can be made easily through the creation of a CAA record indicating your preference.
Related Google News:
- Google Workspace Updates Weekly Recap - February 19, 2021 February 19, 2021
- Architect your data lake on Google Cloud with Data Fusion and Composer February 19, 2021
- Black History Month: Celebrating the success of Black founders with Google Cloud: Get Optimal Tech February 19, 2021
- Marian Croak’s vision for responsible AI at Google February 18, 2021
- Apple TV+ is now available on Google TV February 18, 2021
- New framework expands Google Cloud access globally February 18, 2021
- Signify chooses Google Cloud IoT Core to power Philips Hue smart lighting February 18, 2021
- New in Google Cloud VMware Engine: improved reach, networking and scale February 18, 2021