All posts in category Professional Services

The Case for Short-Lived Certificates in Enterprise Environments

Digital certificates, issued by an internal, private Certification Authority (CA) like Microsoft Active Directory Certificate Services (AD CS), are commonly used in enterprise environments for user and device authentication for workloads such as VPN, Wi-Fi (802.1x), System Center Configuration Manager (SCCM), IPsec, and more. But how long should a user or device authentication certificate be valid? This question is increasingly critical as organizations strive to balance security and operational efficiency. Short-lived certificates, typically valid for weeks or months rather than years, are gaining traction as a powerful tool to enhance security. By reducing the window of opportunity for attackers to exploit compromised credentials, short-lived certificates offer a proactive approach to mitigating risks while aligning with evolving security best practices and the needs of modern IT infrastructures.

What is a Certificate?

A digital certificate is a document that binds an identity to an asymmetric key pair (public key and private key). Certificates offer strong, phishing-resistant authentication that improves security and assurance for users and devices authenticating to Microsoft Active Directory (AD). When a certificate is issued, an administrator decides how long the certificate will be valid. The criticality of this setting is often overlooked.

Certificate Lifetime

Administrators must define the certificate’s validity period when creating a certificate template in AD CS or an Intune PKCS or SCEP device configuration policy. Most commonly, administrators select the default one-year validity period. However, public CAs are trending toward shorter certificate lifetimes, and strong consideration should be given to their use in private enterprise deployments.

Current Standards

Today, the maximum certificate lifetime for a publicly issued TLS certificate is 398 days (approximately 13 months). This standard is imposed by the CA/Browser Forum, a voluntary consortium of public CAs, browser vendors, and other industry stakeholders that develop and promote security standards and best practices for digital certificates and Public Key Infrastructure (PKI). They established the 398-day certificate lifetime mainly in response to the previous decade’s plethora of SSL/TLS vulnerabilities.

Challenges

Having certificates with long lifetimes poses significant challenges for administrators when responding to key compromise events or zero-day vulnerabilities. This may necessitate urgent certificate replacement, often involving manual intervention. To address these challenges and promote automation, some public CAs like Let’s Encrypt issue certificates with much shorter lifetimes than one year.

Public CA Certificates

Shorter lifetimes for public SSL/TLS certificates have numerous positive security benefits. Short-lived certificates provide agility to update cryptography settings more rapidly than long-lived certificates. Also, the short lifetime of the certificate is beneficial if the private key is compromised because it limits the amount of time an attacker can exploit the stolen key, limiting exposure and reducing potential damage. These security benefits have driven significant changes in public CA practices, as seen in today’s standards.

47 Days

Recently, I wrote about a new directive from the CA/Browser Forum, which adopted a measure reducing the current maximum lifetime of public TLS certificates to 47 days. The maximum lifetime for public TLS certificates will be gradually reduced to allow the industry to adopt short-lived certificates.

Enterprise CA Certificates

Private enterprise PKI deployments like AD CS are not required to adhere to CA/Browser Forum mandates. Organizations are free to manage their internal PKI however they choose. However, examining industry trends and ensuring that security best practices are aligned as much as possible is crucial. While public CAs set the pace, private enterprise PKI can adopt similar strategies to bolster security.

AD Authentication

As stated previously, many positive security benefits are associated with short-lived certificates, especially for authentication to Active Directory.

PKINIT

PKINIT is an extension to the Kerberos protocol that enables certificate-based authentication with Active Directory (AD). You can read about the details here, but PKINIT allows a principal (user or device) to authenticate to AD by simply demonstrating control of the private key. Thus, protecting the private key is vital.

TPM

Enrolling certificates in a Trusted Platform Module (TPM) is the best way to ensure private keys remain private. No one, including administrators, can export private keys protected by TPM. Administrators should ensure TPM enrollment for client authentication certificates whenever possible.

Guidance

Today, I recommend that my customers issue end entity user and device authentication certificates with a lifetime of no more than one year for 2048-bit RSA certificates with private keys stored on TPM. However, there are important considerations and compelling advantages to using much shorter lifetime certificates.

Best Practice

General use client authentication certificates should be enrolled to TPM without exception and have a valid lifetime of no more than one year. However, there is still value in using shorter lifetime certificates, even with TPM. For example, short-lived certificates ensure timely renewal, which can be helpful when implementing changes to certificate templates. A perfect example of this is the changes required to support KB5014754. Administrators may wish to use certificates with validity periods of less than one year to ensure timely replication of certificate settings changes and to provide more frequent key rotation.

Non-TPM

There may be scenarios where a client authentication certificate must be issued to a device without a TPM. Examples include virtual machines without TPM, VDI deployments, and legacy devices. These cases should be treated as exceptions and managed accordingly. Consider shortening the lifetime of non-TPM certificates to 90 days or less.

Privileged Users

Administrators or other privileged accounts enrolling for certificates can benefit from even shorter validity periods. Consider issuing client authentication certificates to these users with certificate lifetimes of 30 days or less.

Considerations

Short-lived certificates aren’t always ideal in all cases. For example, consider a scenario where a user or device is offline for a prolonged period, such as extended vacations, maternity or paternity leave, or sabbaticals. Users may experience issues accessing resources after returning from an extended absence. Of course, if they can re-enroll for certificates, this shouldn’t be a problem. For AD CS, it means connectivity to an enterprise issuing CA server. Intune-managed endpoints simply need Internet access to obtain a new certificate.

Automation

Working with short-lived certificates manually is infeasible. Automation is the key to success with short-lived certificates. For client authentication certificates issued on-premises, enabling certificate autoenrollment via group policy ensures that all domain-joined devices enroll and renew their certificates automatically. Certificates deployed and managed using Microsoft Intune are automated by default.

Summary

The next time you create a certificate template in AD CS or Intune, consider the certificate lifetime. Recommended best practice is no more than one year validity period for 2048-bit RSA end-entity certificates with hardware-backed key storage. However, consider shorter validity periods for those cases where it makes sense. Prioritize TPM enrollment and put additional controls in place for exceptions. Ensure automated enrollment and renewal are in place to reduce administrative overhead. Following the guidance outlined above, your organization will reduce its attack surface and limit exposure to compromised certificates.

More Information

If you’d like to learn more about implementing short-lived certificates in your organization, fill out the form below, and I’ll provide more information.

References

Digital Certificates for Strong Authentication

Digital Certificates and TPM

Drawbacks of Multifactor Authentication

Public Key Cryptography for Initial Authentication (PKINIT) in Kerberos Protocol

Leave a comment
by Richard M. Hicks on April 28, 2025  •  Permalink
Posted in Active Directory, Active Directory Certificate Services, AD CS, ADCS, administration, Always On VPN, AOVPN, authentication, CBA, Certificate Authentication, Certificate Authority, Certificate Services, Certificate-Based Authentication, certificates, Cloud PKI, Compliance, Cryptography, Enterprise, enterprise mobility, Group Policy, Infrastructure, InTune, Kerberos, Microsoft, Microsoft Intune, Mobile Device Management, Mobility, Multifactor Authentiction, PKCS, PKI, Professional Services, Remote Access, SCCM, Security, SSL, SSL and TLS, System Center Configuration Manager, TLS, TPM, Trusted Platform Module, VPN, Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2025
Tagged , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on April 28, 2025

https://directaccess.richardhicks.com/2025/04/28/the-case-for-short-lived-certificates-in-enterprise-environments/

Always On VPN SSTP and 47-Day TLS Certificates

The Secure Socket Tunneling Protocol (SSTP) VPN protocol uses Transport Layer Security (TLS) encryption and HTTP transport over TCP port 443. SSTP is easy to configure and firewall-friendly, making it an excellent choice for the Always On VPN user tunnel. Security best practices dictate using a TLS certificate issued by a public Certification Authority (CA). Today, the maximum lifetime of a public TLS certificate is 398 days (approximately 1 year). Always On VPN administrators using SSTP are familiar with the process of renewing their SSTP certificate annually. However, that’s about to change.

47 Days

In April of this year, the CA/Browser Forum, a voluntary consortium of public CAs, browser vendors, and other industry stakeholders that develop and promote security standards and best practices for digital certificates and Public Key Infrastructure (PKI), adopted a measure reducing the current maximum lifetime of public TLS certificates to 47 days. This means Always On VPN administrators using public TLS certificates must eventually update their TLS certificates monthly.

Automation

Of course, no administrator in their right mind would want to renew SSTP certificates every month. Automating this process will be crucial to ensuring reliability and reducing management overhead. I’ll provide more details later in this post.

Why Is This Happening?

The industry has been trending toward shorter certificate lifetimes for a while now. In the old days, you could purchase a certificate valid for 5 years or more. Today, a one-year certificate is all you can get. Let’s Encrypt, a public CA that issues certificates for free, issues only 90-day lifetime certificates.

Advantages

The advantage of using short-lived certificates for public TLS certificates is that they improve security and provide agility for future changes. Public TLS certificates become less secure and trustworthy over time. The longer a certificate is valid, the less trustworthy it becomes and the longer the opportunity for an attacker to leverage a certificate for which the private key has been compromised.

Why 47 Days?

A 47-day maximum certificate lifetime allows administrators to rotate their certificates monthly (a maximum of 31 days plus some margin to resolve issues).

Not So Fast

The good news for Always On VPN administrators using SSTP with public TLS certificates is that they won’t have to worry about this immediately. The reduction in maximum certificate lifetime to 47 days takes place gradually over a few years.

  • Today, the maximum public TLS certificate lifetime is 398 days
  • On March 15, 2026, the maximum public TLS certificate lifetime will be reduced to 200 days
  • On March 15, 2027, the maximum public TLS certificate lifetime will be reduced to 100 days
  • On March 15, 2029, the maximum public TLS certificate lifetime will be reduced to 47 days

Let’s Encrypt

Over the years, I’ve deployed Always On VPN with SSTP for several customers using Let’s Encrypt TLS certificates. Let’s Encrypt is a pubic CA that issues certificates with a maximum lifetime of 90 days, so automating this task is essential. Let’s Encrypt supports ACME, a standard protocol for automating the issuance and renewal of TLS certificates, which makes automating TLS certificate installation and renewal a breeze.

Sample Script

I’ve published a sample PowerShell script demonstrating how to automate the enrollment process for Let’s Encrypt TLS certificates. It leverages the Posh-ACME PowerShell module and my AOVPNTools module to enroll and automatically install a TLS certificate for SSTP. This script will also work for DirectAccess. You can find the sample script here.

Note: My sample script demonstrates using the Cloudflare DNS plugin for Posh-ACME. Posh-ACME has plugins for many public DNS providers, which can be found here. Feel free to customize my script to meet your specific needs.

Act Now

Always On VPN administrators are advised to consider solutions to automate TLS certificate enrollment and renewal as soon as possible. If your public CA of choice doesn’t support some form of certificate automation like ACME, it’s time to find another provider.

Summary

Starting in March 2026, the maximum lifetime for public TLS certificates will be reduced gradually, reaching just 47 days by March 2029. Automation will no longer be optional for Always On VPN administrators using SSTP—it will be essential. Tools like the Posh-ACME PowerShell module provide a reliable solution to streamline certificate management and ensure uninterrupted connectivity. Now is the time to prepare for this industry shift by implementing automated certificate renewal solutions. If you’d like professional assistance with this task or simply want to learn more about your options, drop me a note via the contact page, and I’ll respond with more information.

Additional Information

TLS Certificate Lifetimes Will Officially Reduce to 47 Days – DigiCert

Posh-ACME PowerShell Module

Posh-ACME Documentation

Always On VPN Tools (AOVPNTools) PowerShell Module

1 Comment
by Richard M. Hicks on April 22, 2025  •  Permalink
Posted in administration, Always On VPN, AOVPN, Certificate Authority, Certificate Services, certificates, Cryptography, Deployment, encapsulation, Encryption, Enterprise, enterprise mobility, Infrastructure, Microsoft, Mobility, Operational Support, PKI, PowerShell, Professional Services, public key infrastructure, Remote Access, routing and remote access service, RRAS, Security, SSL, SSL and TLS, TLS, TLS 1.3, Transport Layer Security, user tunnel, VPN, Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2025
Tagged , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on April 22, 2025

https://directaccess.richardhicks.com/2025/04/22/always-on-vpn-sstp-and-47-day-tls-certificates/

Windows Server 2012 and 2012 R2 End of Life

DirectAccess on Microsoft Windows

I want to remind you of a critical upcoming milestone that may affect your business. In just 60 days, we will reach the end of support for Windows Server 2012 and Windows Server 2012 R2. As of October 10, 2023, these operating systems will no longer receive security updates or technical support from Microsoft.

End of Support

End of support means your servers will be more vulnerable to security risks and potential threats. It is essential to take action now to ensure your IT infrastructure’s continued security and stability. Upgrading to newer, supported operating systems will protect your data and systems from potential cyber threats and provide access to enhanced features and performance improvements.

Don’t Wait

Now is the time to migrate those remaining workloads for those still running Windows Server 2012 and 2012 R2! Consider the following commonly deployed services that may still be running on Windows Server 2012 or 2012 R2 in your organization.

Remote Access – Windows Server Routing and Remote Access Service (RRAS) is commonly deployed to provide secure remote access for field-based workers. In addition, Absolute Secure Access (formerly NetMotion Mobility) is a widely implemented premium alternative to RRAS. Organizations may be hesitant to migrate these workloads because disrupting remote workers is painful.

DirectAccess – This remote access technology is widely deployed and extremely difficult to migrate. In addition, the complex nature of DirectAccess, with its many intricate interdependencies, poses a significant challenge to organizations migrating this role.

PKI – This is likely the most common enterprise service to be found running on Windows Server 2012 and 2012R2. Most organizations relying on Windows Active Directory Certificate Services (AD CS) to issue and manage enterprise certificates are reluctant to move this workload once it is deployed. This service is much easier to migrate than you might think! It can be done without disruption as well.

Consulting Services

We understand that upgrading might require careful planning and coordination, and our team is here to support you throughout the transition process. Don’t delay – take this opportunity to safeguard your organization’s data and systems by upgrading to the latest Windows Server version or exploring cloud-based solutions.

Get In Touch

Please don’t hesitate to contact us for further assistance or any questions regarding the upgrade process. Together, let’s ensure your business remains secure and productive. You can get started today by booking a free one-hour consultation to discuss your migration strategy. Just fill out the form below and I’ll provide more information.

Leave a comment
by Richard M. Hicks on August 14, 2023  •  Permalink
Posted in Active Directory Certificate Services, AD CS, administration, Always On VPN, AOVPN, Certificate Services, certificates, DirectAccess, end of life, Enterprise, enterprise mobility, Infrastructure, Microsoft, Mobility, Operational Support, PKI, Professional Services, public key infrastructure, Remote Access, RRAS, Security, VPN, Windows Server 2012, Windows Server 2012 R2
Tagged , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on August 14, 2023

https://directaccess.richardhicks.com/2023/08/14/windows-server-2012-and-2012-r2-end-of-life/

« Older Posts