IT Brief US - Technology news for CIOs & IT decision-makers

Firms risk outages as SSL changes near & automation lags behind

Thu, 9th Oct 2025

New research by CSC has found that nearly 60% of enterprises now use three or more secure sockets layer (SSL) providers, a trend that is complicating digital certificate life cycle management and increasing security risks.

The newly published report, titled "The SSL Landscape," analyses usage trends across more than 802,000 digital certificates associated with 2.4 million domains. It sheds light on how organisations handle SSL certificates and the potential impact these practices have on the integrity assurance of their online assets.

Changing SSL landscape

The report arrives as the SSL and transport layer security (TLS) sector prepares for changes mandated by the CA/Browser Forum. From 2026, SSL certificate life cycles will shrink from the current 367 days to 200 days. By 2029, this will drop further to just 47 days. Domain control validation (DCV) re-use periods will also reduce from 367 days to 10 days by 2028. According to CSC, these changes will require organisations to update their processes to renew certificates nearly eight times a year, up from approximately once annually.

Mark Flegg, Senior Director of Technology, CSC Security Products and Services, emphasised the importance of adapting to these changes. He stated,

"SSL certificates play a critical role in authenticating the legitimacy and safety of an online brand, including the validation of credentials and the encryption of the connection between a website's server and a user's browser. As the industry approaches shortened SSL certificate renewal life cycles, organizations cannot afford to delay their transitions to certificate automation or to compromise the security of their organizations with fragmented SSL management. It's concerning that 72% of respondents we surveyed were either completely unaware of or didn't know the details of the upcoming industry changes, and as many are unsure of or not ready for automation. Missed renewals could further bring down entire domains and applications that are the backbone of business operations, such as payment gateways, email, VPN, and collaboration tools for chat, video calls, and document sharing."

Certificate types and associated risks

The report shows that domain validated (DV) certificates account for 73.5% of all certificates in use, while organisation validation (OV) certificates represent 24.6%. Extended validation (EV) certificates account for less than 2%, at 1.9%. Low-cost DV certificates are straightforward to obtain, and cybercriminals have exploited this by using them to create fraudulent websites that appear authentic and lure customers into compromising their information.

According to CSC, this trend has put the spotlight on whether IT and security departments have developed clear strategies for selecting certificates for different types of web assets.

Further analysis revealed that the top three certificate providers for the organisations studied were not enterprise-class suppliers. Collectively, these providers account for 89% of the DV certificates in use. Many of these consumer-grade providers do not supply the levels of support required for enterprises to manage the upcoming changes in SSL certificate requirements, potentially increasing exposure to risks such as service disruption and reputational damage.

Lack of centralisation and strategy

The research found a lack of centralised processes for managing SSL certificates in most organisations, with 60% using three or more providers. This fragmentation is accompanied by concerning levels of unpreparedness, given the scale of impending industry changes.

"Organisations are about to face the most transformative period for domain security," Flegg continued.

"A lack of understanding around proper certificate strategy, and the absence of urgency to effectively prepare for new certificate life cycles, will leave many online brands and digital identities playing a never-ending game of catch up. Those who prioritize automation, consolidating their certificate solutions providers, and working with enterprise-class domain partners will ensure a smoother, safer transition that minimizes the risk of costly expiration outages and security incidents."

Preparedness for upcoming changes

The report provides insight into current awareness levels around the changes set to affect SSL/TLS certificate management. It highlights that 72% of survey respondents are either unaware of or lack detailed knowledge regarding the industry changes. This lack of awareness, coupled with hesitation around adopting automation for certificate management, presents operational and security challenges.

The study indicates that delays in preparing for these changes could lead to operational disruptions, such as domain or application outages, affecting components essential for business operations like payment systems, email, virtual private networks, and collaborative communication tools.

With organisations needing to transition their processes to accommodate much shorter renewal cycles for certificates and DCV, the report concludes that prioritising automation, consolidating SSL management under fewer, enterprise-focused providers, and increasing awareness of upcoming regulatory changes will be critical for minimising risk and ensuring business continuity.
