The CA/Browser forum was created as part of an effort among certification authorities and browser software vendors to provide greater assurance to Internet users about the web sites they visit by leveraging the capabilities of SSL/TLS certificates.
The forum has had shorter certificate lifetimes, as a way of improving security, on its agenda for a while. Although the topic has come up repeatedly, the CA/Browser Forum has been hesitant to push reduced certificate lifetimes too quickly, because CAs have feared that their customers would struggle with the practicalities of renewing certificates more often at a time when automation has yet to be widely adopted.
Despite the caution, at the 49th CA/Browser Forum meeting held in February 2020, Apple announced its decision to change its root embedding policy with effect from 01 September 2020. From that date all SSL/TLS server certificates must have a maximum validity period of 398 days (roughly a year, plus a month's grace to prepare the replacement). Certificates issued on or after 01 September 2020 with a validity beyond 398 days will be distrusted in Apple products and browsers. This may result in network and application failures and prevent websites from loading. Because Apple's root program enforces the limit on the client side, every CA that wants its certificates to keep working in Safari and on Apple devices must follow suit, regardless of what their own issuance policy allowed before.
Before you hit panic mode, understand that the move has been made for good reason: short-lived certificates improve web security, and here is why:
- Validation data is refreshed at least yearly. We rely on this validation data for website assurance and to confirm that the sites we are visiting are legitimate. Validation data includes all the nitty-gritty detail such as the registered company, the confirmed domain owner, and the certificate requester's details.
- Fresh key pairs. Many admins hit renew, paste in an old CSR as part of the CA certificate generation process, and assume that they have covered all the bases to properly secure their sites until the next renewal period. All this has done is change the expiry date on the certificate: a CSR is bound to the public key of the key pair it was generated from, so a certificate issued against the old CSR is still using the same stale private key. You need to generate a new key pair with each renewal and refrain from reusing old signing requests. After all, one purpose of certificate renewal is to rotate the key pair, and a key that was exposed or weakly generated years ago stays exposed for as long as it is reissued.
- It also gives you a regular opportunity to improve your security by adopting newer cryptographic requirements (for example retiring weak algorithms and protocols such as SHA-1 signatures and TLS 1.0 and 1.1). The certificate itself does not control the protocol version, but a scheduled renewal is the natural point to revisit the server configuration alongside it.
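The following is an added example, not code from the original article, showing how to do a renewal properly with the openssl command line: generate a fresh private key and CSR, and compare the SubjectPublicKeyInfo fingerprint of the new CSR against the old certificate so that a "renewal" that silently reuses the old key is caught before it is submitted to the CA. It assumes the openssl CLI is installed; the host name www.example.com and the self-signed "old" certificate built in the demo are constructed stand-ins for a real previous certificate.

```sh
#!/bin/sh
# Added example (not from the original article): fresh key pair per renewal,
# plus a check that detects a CSR built from the previous certificate's key.
# Assumes the openssl CLI is available.
set -eu

# SHA-256 fingerprint of the SubjectPublicKeyInfo carried by a private key,
# a CSR or a certificate, normalised to DER so all three compare directly.
# $1 = path, $2 = key|csr|cert
spki_fingerprint() {
    case "$2" in
        key)  openssl pkey -in "$1" -pubout ;;
        csr)  openssl req  -in "$1" -noout -pubkey ;;
        cert) openssl x509 -in "$1" -noout -pubkey ;;
        *)    echo "unknown type: $2" >&2; return 2 ;;
    esac | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Correct renewal: a brand-new private key AND a CSR made from it.
# $1 = common name, $2 = output prefix (writes $2.key and $2.csr)
fresh_key_and_csr() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$2.key" 2>/dev/null
    openssl req -new -key "$2.key" -subj "/CN=$1" -out "$2.csr" 2>/dev/null
}

# The anti-pattern the article describes: a "renewal" CSR built from the old key.
# $1 = common name, $2 = old private key, $3 = output CSR
csr_from_old_key() {
    openssl req -new -key "$2" -subj "/CN=$1" -out "$3" 2>/dev/null
}

# Exit 0 (true) if the CSR carries the same public key as the old certificate.
# $1 = old certificate (PEM), $2 = CSR to be submitted
csr_reuses_key() {
    [ "$(spki_fingerprint "$1" cert)" = "$(spki_fingerprint "$2" csr)" ]
}

# Demo on constructed data: a self-signed cert stands in for last year's cert.
demo() {
    t=$(mktemp -d)
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$t/old.key" 2>/dev/null
    openssl req -x509 -new -key "$t/old.key" -subj "/CN=www.example.com" -days 1 -out "$t/old.crt" 2>/dev/null

    csr_from_old_key www.example.com "$t/old.key" "$t/bad.csr"
    fresh_key_and_csr www.example.com "$t/new"

    for csr in "$t/bad.csr" "$t/new.csr"; do
        if csr_reuses_key "$t/old.crt" "$csr"; then
            echo "REJECT  $csr reuses the old private key"
        else
            echo "OK      $csr carries a fresh key"
        fi
    done
    rm -rf "$t"
}

demo
```

Run it as a pre-flight step in whatever wraps your CA submission: if `csr_reuses_key old.crt new.csr` succeeds, stop and regenerate the key. The same fingerprint function can also confirm, after issuance, that the certificate the CA returned matches the key you actually deployed.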
In theory it all makes sense, but from a practical point of view things are bound to get complicated. Apple's decision will impact your organisation, and here is how:
- You will no longer be able to obtain a 2-year SSL/TLS certificate on or after 01 September 2020. CAs will be limited to issuing certificates of at most 398 days, in practice 1-year certificates.
- You should prepare for an increase in workload, because you will be renewing certificates more frequently.
- With increased manual effort comes an increased risk of mistakes.
So where do you start? Considering that some organisations have thousands of certificates to look after, how do you avoid the admin overload and risk of errors as the frequency of certificate replacement increases and how do you maintain compliance?
The solution is certificate consolidation, combined with a certificate management solution that includes discovery, reporting and automation.
One of the risks in managing certificates is that organisations often have certificates issued by multiple certificate providers. Managing various providers places an additional burden on already stretched resources. Consolidation may not be a priority for some organisations, but when you consider the benefits of reducing admin overhead, mitigating certificate outages and realising the cost savings of bringing your certificates under a single provider, it certainly makes sense.
Another way to manage certificates is to use a Certificate Lifecycle Management solution. There are a variety of options available, ranging from commercial products to CA-specific tools and open-source projects. Whichever you compare, make sure the solution includes:
- Certificate Discovery. Most outages are caused by a certificate that expired without anyone knowing about it, or by an expiry notification that was ignored or sent to the wrong person. You need a solution that can scan your network and help you find and identify certificates across your organisation, including the ones installed outside the official process. Without this visibility it becomes increasingly difficult to manage certificate expirations, especially for the certificates you don't know about.
- Automation. Through automation you reduce the manual effort required to create, renew and install certificates, which also removes the opportunities for the mistakes that manual handling invites.
- Reporting Tools. Excel spreadsheets aren't going to cut it. Make sure the management solution you use includes reporting, and the ability to track internal, public and multi-CA certificates from a single dashboard.
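As an added example, not part of the original article or of any product it mentions, the script below is the minimal form of the discovery check described above, applied to a directory of PEM certificates: it reports each certificate's total validity period, flags any whose lifetime exceeds the 398-day limit introduced earlier in the article, and flags those expiring inside a warning window. It assumes the openssl CLI and GNU date (for `date -d`); the three certificates generated in the demo are constructed test data, and the directory scan would in practice be fed by whatever inventory or network scan you already have.

```sh
#!/bin/sh
# Added example (not from the original article): scan PEM certificates,
# flag lifetimes over 398 days and certificates expiring within N days.
# Assumes the openssl CLI and GNU date (date -d).
set -eu

MAX_LIFETIME_DAYS=398

# Seconds since epoch of a certificate's notBefore or notAfter.
# $1 = certificate (PEM), $2 = startdate|enddate
cert_epoch() {
    date -d "$(openssl x509 -in "$1" -noout "-$2" | cut -d= -f2-)" +%s
}

# Total validity period in whole days (notAfter minus notBefore).
lifetime_days() {
    echo $(( ($(cert_epoch "$1" enddate) - $(cert_epoch "$1" startdate)) / 86400 ))
}

# Exit 0 if the certificate's validity period is longer than 398 days, i.e.
# it would be distrusted by Apple if issued on or after 01 September 2020.
exceeds_max_lifetime() {
    [ "$(lifetime_days "$1")" -gt "$MAX_LIFETIME_DAYS" ]
}

# Exit 0 if the certificate expires within $2 days from now.
# openssl -checkend exits 0 when the cert is STILL valid at that time, so negate.
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# One report line per *.crt / *.pem in a directory.  $1 = dir, $2 = warn days
scan_dir() {
    dir="$1"; warn="${2:-30}"
    for f in "$dir"/*.crt "$dir"/*.pem; do
        [ -f "$f" ] || continue
        subj=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject=//')
        days=$(lifetime_days "$f")
        status=OK
        exceeds_max_lifetime "$f" && status="LIFETIME>${MAX_LIFETIME_DAYS}d"
        expires_within "$f" "$warn" && status="EXPIRING<${warn}d"
        printf '%s\t%s\tlifetime=%sd\t%s\n' "$status" "$f" "$days" "$subj"
    done
}

# Demo on constructed certificates: a legacy 2-year cert, a compliant 398-day
# cert and one that is about to expire.
demo() {
    t=$(mktemp -d)
    for spec in two-year:730 one-year:398 soon:7; do
        name=${spec%%:*}; days=${spec##*:}
        openssl req -x509 -newkey rsa:2048 -nodes -keyout "$t/$name.key" \
            -subj "/CN=$name.example" -days "$days" -out "$t/$name.crt" 2>/dev/null
    done
    scan_dir "$t" 30
    rm -rf "$t"
}

demo
```

The same three checks map onto a real inventory: `expires_within` is what your expiry alerting should compute from, and `exceeds_max_lifetime` is the audit for certificates already in the estate that were issued under the old 2-year rules and need replacing before they are rejected.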
Who can predict what will happen in the future? With ongoing efforts to improve web security, it will come as no surprise if certificate validity periods continue to decrease. Now more than ever it's important to invest in automation and make sure you are prepared and well equipped with solutions to support certificate lifecycle processes. SSS – IT Security Solutions partners with the best in the industry and is well positioned to support you on your automation journey.