Digital certificates (X.509 certificates, often called SSL/TLS certificates) and the cryptographic keys that go with them are all around us: in websites, mobile apps and IoT devices, and as the foundation for machine identities (servers, endpoints, containers, and so on).
These certificates, or machine identities, are critical because they let us establish trust in the digital world. Without them, we couldn't be sure that, say, google.com is in fact Google's website, or that an application we install is the one its publisher shipped (which is what code signing is for). They are what lets us enjoy all of the good (and, I suppose, the bad) that the connected world has to offer: online banking, mobile apps, websites, eCommerce, eGov services, gaming, and yes, social media!
Now, if digital certificates are the foundational layer of the connected world, there must be a lot of them, right? Well, yes, there are plenty, and they really are all around us. Those of you who are IT leaders are surrounded by all kinds of certificates. You are likely aware of a number of them, but there are probably many unknown certificates lurking as well (e.g. self-signed certificates on printers or other devices and software, which no certificate authority is going to remind you about).
With so many hanging around, and given how critical they are for trust, shouldn't these certificates be managed? Monitored? Treated with care? Well, yes, they should! In fact, Gartner recommends that you have the people, process and technology in place for X.509 certificate and machine identity management once you are dealing with 100 or more certificates. (See our research for more insight here.)
So, why am I writing this blog? Well, not to remind you to take your vitamins and exercise (though you should do that too!), but because a number of recent developments in the digital certificate space prompted it.
The recent events that highlight the importance of digital certificates and machine identity management are, in no particular order:
- Microsoft: an expired certificate takes down MS Teams
From Ars Technica:
I really like their headline:
“No cert, no authentication, no service”. Yeah, that about sums it up!
As the article points out:
“Microsoft acknowledged on Twitter that the outage was the result of an expired SSL certificate. Approximately an hour later, they had secured a replacement certificate and began deploying it in production, with service widely restored by Monday afternoon.”
- Let’s Encrypt, the free SSL/TLS certificate authority, had to revoke roughly 3 million certificates
From The Register: https://www.theregister.co.uk/2020/03/03/lets_encrypt_cert_revocation/
Let’s Encrypt has risen to become a very popular CA (certificate authority). The revocation was triggered by a bug in the CA’s own issuance checks (its CAA rechecking), not by anything the affected sites did, yet every one of those sites had to replace its certificates on very short notice. With so many now relying on one CA, that is clearly problematic: a single CA-side failure turns into a mass, unplanned renewal event for everyone downstream, and only the organizations that already knew where all their Let’s Encrypt certificates lived could respond quickly.
- Apple limiting certificate validity to one year
“SSL Certificate Validity Will be Limited to One Year By Apple’s Safari Browser”
There are some nuances here (the limit is actually 398 days, it applies to TLS server certificates issued on or after September 1, 2020, and it is enforced by Apple’s software at validation time rather than by the CAs at issuance), but overall it points to a movement toward shorter certificate validity periods. Meaning you need to renew your certificates more often!
So what does all this mean? Well, to sum it up:
- Certificates are critical infrastructure for digital business, and for our digital lives
- Certificates expire, and an expired certificate can cause significant downtime if it is not managed properly
- Cryptographic issues and failures happen. Whether it is a problem at the certificate authority or a vulnerability in the wild, you must practice crypto-agility: being able to replace certificates, keys and algorithms quickly and at scale, without an outage (see our foundational research here)
- Shorter life cycles will put more pressure on the people, process and technology behind your PKI and certificate management approach
So, ignoring certificate and machine identity management is rapidly becoming risky. Simple advice: invest in the people, process and technology to tackle certificate management, and avoid downtime and potential brand damage.
For those of you who want to dive further into this topic, here are links to some related Gartner research notes:
The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.