Pressure to act is there


E3 Magazine: There is sometimes talk of an “SSL runtime shock” in connection with certificate reductions. Is this drama justified?
Marcus Bogenstätter, Empirius: The drama is absolutely justified, as the term for new certificates was reduced from 398 to 200 days on March 15 of this year. Next year it will be 100 days and on March 15, 2029 it will finally be just 47 days. These massive reductions were announced unilaterally by browser manufacturers such as Apple and Google and the certificate authorities. Unilaterally because the industry and others were not involved. There is no question that this has or will have a massive impact. Possible economic losses included. If the study by Ponemon and Digicert is to be believed, over 60 percent of companies are already affected by losses due to expired certificates. According to the study, the risk of errors will increase exponentially by 2029 without automation.
E3: What business losses are we talking about here? Can you please give some examples?
Bogenstätter: Expired certificates put business continuity at risk. Because without the necessary certificate renewals, the IT systems simply lose the connection to the remote station, as if the network cable were pulled or the WLAN switched off. IoT applications and devices with expired certificates will no longer work, as will AI applications. Production and logistics chains can fall into a certificate trap, as can insurance, banking and tax applications. Virtually all systems running or connected via the public network or the internet can be affected by the impact of SSL certificate shortening.
E3: And SAP users, do they also have to react?
Bogenstätter: Yes, without a doubt. SAP landscapes today are highly networked - think of distributed ERP systems, intercompany processes, SAP cloud applications, HR applications or web interfaces. All of these connections are based on trust positions through certificates. If one link in the chain breaks, the business process comes to a standstill.
E3: In your opinion, have SAP users recognized the need for action when it comes to shortening certificates?
Bogenstätter: Awareness is growing, but is not yet widespread. Large service providers, some of which host over 10,000 SAP systems, are already relying on our automation solutions. However, we often still see a wait-and-see attitude among medium-sized customers. Many underestimate the effort involved when you suddenly have to manually replace certificates eight times a year instead of once a year.
E3: Why does automation play a major role in the context of certificate reductions?
Bogenstätter: At these frequencies, manual management is an incalculable compliance and operational risk. Automated Certificate Management Environment, or ACME for short, has emerged as a quasi-standard for automation, especially outside the SAP world. We integrate this protocol directly into the SAP world via our SAP Certificate Management epos app. The aim is to map the entire lifecycle - from application to installation in the system - without human intervention.
E3: What is special about the solution?
Bogenstätter: First of all, it takes into account the special features of SAP, specifically the deeply rooted, so-called PSE certificate containers and the various applications such as S/4, Java stacks, Web Dispatcher, the Hana database, the Cloud Connector and others. It also meets the criteria for a secure and comprehensive certificate lifecycle management solution. To this end, it includes powerful reporting with a complete and clear display of all certificates. The modern web interface clearly displays everything in a kind of traffic light system with “red status for certificate renewals” and “green for everything ok” and offers corresponding workflows. And very importantly, the solution is Rise-ready!

“Many people underestimate the effort involved when you suddenly have to manually replace certificates eight times a year instead of once a year.”
Marcus Bogenstätter,
Chief Technology Officer (CTO),
Empirius

E3: You mentioned PSE files. Why are these so critical?
Bogenstätter: A single SAP system often contains around 10 personal security environment files, one for each application. These PSE containers in turn contain several certificates. And when SAP landscapes with 100 or more systems are managed, the whole thing multiplies very, very quickly into a flood of certificates that can no longer be managed manually. All of our Epos automation apps are basically designed to be used by medium-sized SAP users and large SAP users.
E3: What should users do to get to grips with the issue of certificate shortening?
Bogenstätter: You will not be able to avoid automated solutions such as ACME and a certificate lifecycle management solution. This is why we recommend that you address the issue of certificate shortening promptly and evaluate solutions such as Epos. It is also important that users find themselves in the solutions. We are always asking users what is important to them and are happy to take on board customer suggestions or requests. This was also the case with our new version of the Epos app SAP Certification Management. We have always done well with this approach. That way, needs-based is really needs-based. (rk, source: Empirius)
47-day deadline
A new era of greater trust and security for web applications is to be ushered in with a kind of “phasing out”. There is a clear timetable for SSL/TLS certificates with the following reductions, in three large waves:
- since 3/2026: Reduction to a maximum of 200 days,
- 3/2027: Reduction to a maximum of 100 days,
- 3/2029: final limit of 47 days.
Apple, Google and the CA/Browser Forum are the main drivers behind this. According to Digicert, the shortenings have implications: Manual management becomes very time-consuming and error-prone. As a minimum requirement, continuous, so-called “touchless” automation is to be used. The target vision is a more agile and secure ecosystem.
In a nutshell, it is about certificates with shorter terms in order to achieve greater security and trust. Compromised certificates should lose their validity more quickly. Furthermore, manual administration will be a thing of the past; instead, there will be automated zero-touch processes.
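As an added illustration (not code from Empirius, Digicert or the Epos app), the timetable above can be applied to a certificate inventory in Python: each entry is checked against the limit that was in force on its issue date and given a red/green status. The inventory names, the one-third renewal threshold and the day of month for the 2027 step are assumptions.

```python
from datetime import date, timedelta

# Maximum validity by issuance date, newest rule first. Values are the ones
# quoted on this page; the day of month for the 2027 step (15th) is assumed
# to match the 2026 and 2029 steps.
LIMITS = [
    (date(2029, 3, 15), 47),
    (date(2027, 3, 15), 100),
    (date(2026, 3, 15), 200),
    (date.min, 398),
]

def max_lifetime_days(issued: date) -> int:
    """Maximum validity allowed for a certificate issued on `issued`."""
    return next(days for effective, days in LIMITS if issued >= effective)

def assess(name, not_before, not_after, today, renew_fraction=1 / 3):
    """Return a red/green verdict for one inventory entry (day granularity).

    renew_fraction is an assumed policy: renew once a third of the
    lifetime or less remains.
    """
    lifetime = (not_after - not_before).days
    limit = max_lifetime_days(not_before)
    remaining = (not_after - today).days
    reasons = []
    if lifetime > limit:
        reasons.append(f"lifetime {lifetime}d exceeds {limit}d limit")
    if remaining < 0:
        reasons.append("expired")
    elif remaining <= lifetime * renew_fraction:
        reasons.append(f"renewal due, {remaining}d left")
    return {"name": name, "status": "red" if reasons else "green",
            "limit": limit, "remaining": remaining, "reasons": reasons}

# Constructed sample inventory (hypothetical names, not real systems).
INVENTORY = [
    ("erp-web", date(2026, 1, 10), date(2026, 1, 10) + timedelta(days=397)),
    ("web-dispatcher", date(2026, 4, 1), date(2026, 4, 1) + timedelta(days=397)),
    ("iot-gateway", date(2026, 3, 20), date(2026, 3, 20) + timedelta(days=200)),
]

def report(today):
    return [assess(n, nb, na, today) for n, nb, na in INVENTORY]

if __name__ == "__main__":
    for row in report(date(2026, 9, 1)):
        print(row["status"].upper(), row["name"], "; ".join(row["reasons"]))
```

The same 397-day certificate is acceptable when issued in January 2026 but flagged when issued in April 2026, because the limit is tied to the issue date.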
Advantages and disadvantages of shortening certificates
Analysts see it as positive that potential damage is minimized: stolen certificates, for example, lose their effect within a few weeks, which also limits the time window for attacks.
Certificate reductions also increase a kind of crypto-agility. This enables the global web to switch to quantum-safe algorithms in less than 60 days. There are also advantages in terms of data protection, as the real-time revocation checks currently in use make tracking possible, according to analysts.
On the downside, Digicert cites a possible increase in human error: when switching from one to eight changes/renewals per year, the risk of manual errors increases by a factor of eight. Another problem is that not all hardware firewalls and load balancers offer native ACME support. On top of this, a rethink is necessary: success now depends on robust code and APIs, and you have to say goodbye to spreadsheets or manually managed calendars.
Conclusion: Certificate shortening promotes greater global web/IT security, but also a greater individual risk of self-inflicted downtime.