In France, public sector organizations and certain companies subject to the General Security Requirements (Référentiel Général de Sécurité, RGS) are faced with the dual challenge of automating the management of their digital certificates, while complying with strict security standards.
Digital certificates: towards an ever-shorter lifespan
Since November 2024, RGS-certified certification authority Certigna has reduced the lifetime of its SSL/TLS and eIDAS certificates to 90 days. This decision is part of a global industry initiative to strengthen the security of online exchanges:
- Apple plans a lifetime of just 45 days in 2027, after a first stage of 200 days in 2025 and then 100 days in 2026.
- In March 2023, Google announced its intention to reduce the maximum validity of public TLS certificates from 398 days to 90 days.
- Mozilla is also considering reducing the lifetime of certificates for its Firefox browser.
For organizations, this drastic reduction in certificate lifespan means a multiplication of renewals: with certificates valid for only 45 days, companies will have to renew their certificates around 8 times a year for each domain, compared with once every 13 months at present.
The challenge of automating RGS-compliant certificates
Meanwhile, the General Security Requirements (RGS) require public organizations, trusted service providers and organizations supplying security products to use digital certificates with Organization Validation (OV) or Extended Validation (EV).
As a reminder, digital certificates, issued by certification authorities (CAs), are of three types:
- DV (Domain Validation): validation that the owner of a website has administrative control over the domain.
- OV (Organization Validation): validation of an organization’s identity in addition to domain validation.
- EV (Extended Validation): extended organization validation, which provides the highest level of SSL security.
In this context, organizations subject to the RGS face the challenge of reconciling automated SSL/TLS certificate management, with ever-shorter certificate lifespans, and high security requirements.
This is why Certigna has launched a new portal that supports the ACME protocol and complies with the CA/Browser Forum, eIDAS and RGS standards. The protocol automates the renewal of certificates, which now have a lifetime of 90 days. By combining the ACME protocol with an organization validation that remains valid for 12 months, Certigna offers automatic certificate renewal 4 times a year. Clients of this certification authority who do not use the ACME protocol will have to complete an OV validation, with all the necessary supporting documents, every 3 months in their existing interface.
Note that the ACME protocol is based on interaction between an ACME client and a certification authority (CA) such as Let’s Encrypt, which is popular with many organizations because it issues certificates free of charge. However, this CA only provides certificates with domain validation (DV), which are therefore not RGS-compliant. ANSSI is working on a set of requirements to solve this headache. This initiative, supported by a BPI call for projects, aims to develop RGS-compliant ACME client and server solutions.
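The DV-versus-OV distinction and the 90-day lifetime described above can be checked against a certificate an organization already presents. The following is an added example, not code from Certigna, ANSSI or the page's author: it works on records in the shape returned by Python's `ssl.SSLSocket.getpeercert()`, uses constructed sample certificates, and treats an organizationName in the subject as a simplified marker of OV/EV validation (the authoritative marker is the CA/Browser Forum policy OID, which `getpeercert()` does not expose).

```python
import ssl

# Constructed samples in the dict shape returned by ssl.SSLSocket.getpeercert():
# a DV-style certificate (domain only) and an OV-style one (organization named).
SAMPLE_DV = {
    "subject": ((("commonName", "www.example.org"),),),
    "notBefore": "Jan  1 00:00:00 2025 GMT",
    "notAfter": "Apr  1 00:00:00 2025 GMT",
}
SAMPLE_OV = {
    "subject": ((("countryName", "FR"),),
                (("organizationName", "Example Collectivite (constructed)"),),
                (("commonName", "portail.example.fr"),)),
    "notBefore": "Jan  1 00:00:00 2025 GMT",
    "notAfter": "Apr  1 00:00:00 2025 GMT",
}

RGS_MAX_LIFETIME_DAYS = 90  # lifetime Certigna applies to its ACME-issued certificates


def subject_field(cert, name):
    """Return the first value of a subject attribute, or None if absent."""
    for rdn in cert["subject"]:
        for attr, value in rdn:
            if attr == name:
                return value
    return None


def validation_level(cert):
    """Simplified heuristic (assumption): an organization name in the subject
    marks an OV/EV-style certificate; DV certificates carry only the domain."""
    return "OV/EV" if subject_field(cert, "organizationName") else "DV"


def lifetime_days(cert):
    """Validity window in whole days, parsed from the notBefore/notAfter strings."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return (end - start) // 86400


def renewals_per_year(days):
    """Number of renewals a validity window implies over one year (rounded)."""
    return round(365 / days)


def assess(cert):
    """Facts an RGS-subject organization wants to know about a certificate."""
    days = lifetime_days(cert)
    return {
        "cn": subject_field(cert, "commonName"),
        "validation": validation_level(cert),
        "lifetime_days": days,
        "within_90_days": days <= RGS_MAX_LIFETIME_DAYS,
        "renewals_per_year": renewals_per_year(days),
        "rgs_identity_ok": validation_level(cert) != "DV",
    }
```

Run `assess()` over the certificates collected from an inventory to list hosts still serving DV certificates or validity windows longer than the CA now issues.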
With certificate lifespans becoming shorter and shorter, and security requirements becoming more stringent, a purely manual approach to certificate management is no longer advisable. It is too time-consuming and creates numerous risks: unsecured processes, service interruptions when a renewal is missed, and so on.
BerryCert: certificate management and RGS compliance
With its BerryCert CLM, Digitalberry responds to these requirements, positioning itself as an ACME server towards organizations’ internal machines and as an ACME client towards certification authorities. This architecture makes systems that do not natively support ACME, such as Microsoft’s internal PKI (ADCS), compatible with it, thus meeting a crucial need for interoperability in the complex environments of large organizations.
BerryCert automates certificate management and now integrates with the Certigna certification authority via the ACME protocol, enabling automatic certificate retrieval, with two distribution options:
- Direct availability to owners via the interface, with notifications and downloads in various formats.
- Extensive automation to machines and applications using automation protocols, ACME or others, without necessarily exposing the machines to the Internet.
This flexibility addresses the diverse certificate management needs of organizations.
By positioning itself as an intelligent proxy, BerryCert extends the services offered by Certigna, which cannot automate all their requests directly via ACME. The CLM manages both automatic and manual requests, and enables organization validation to be renewed only every 12 months, while certificates are renewed every 3 months via the ACME protocol.
This centralized approach not only enables efficient management of different types of request, but also automates renewal for machines which, for security or architectural reasons, cannot be exposed directly to the Internet. In other words, BerryCert offers a robust and secure solution for complete certificate lifecycle management in constrained environments.