The Life Cycle of Digital Certificates Reduces Again

By Ken Linscott,
product director, Domains and Security

Recently, there were news articles about a large software provider that experienced a global outage due to an expired digital certificate, and this is not the first time this kind of issue has hit the news. Digital certificate outages, which occur when an organization forgets to replace an expiring certificate for a business-critical domain name, continue to cause business disruption and security risks.

  • Failure to replace a digital certificate on a business-critical domain will lead to the loss of critical services for your customers and staff.
  • An outage can weaken your defenses to a cyber attack and lead to the loss of your customers’ personal data.

In a bid to increase web security, the Certificate Authority Browser Forum (CA/B Forum) has been pushing towards reducing the life cycle of digital certificates for many years.

In 2015, the CA/B Forum reduced the certificate lifetime of organization validation (OV) and domain validation (DV) certificates from four to three years. Again in March 2018, the lifetimes were further reduced to two years, in line with extended validation (EV) certificates that were already at two years, maximum. The rationale was that by having to replace certificates more frequently, businesses would increase the level of security through this recurring validation process, and be quicker to adopt more secure certificates. However, this thinking also brought with it increased administration and, ultimately, costs.

In September 2019, the CA/B Forum ballot that sought to shorten the maximum lifespan of secure sockets layer (SSL) and transport layer security (TLS) certificates to one year failed [1]. However, from September 1, 2020 onwards, all browsers will only trust certificates that are no older than a year (398 days).

How can companies manage shorter digital certificate lifetimes?

Managing digital certificates is already challenging, and the reduced lifetimes are not making things easier for companies. CSC recommends:

1. Ensure you have a full accounting of your digital certificates – Digital certificate management is challenging. On average, companies spend 225 hours manually managing 50 certificates a year[1]. About 74% of enterprises have seen system outages due to unplanned certificate expiration[2], and over 50% have a lost or rogue digital certificate[3].

As the frequency of replacing certificates increases, the risk for brand owners is that without a full accounting of their certificates, they may miss the replacement of a vital asset supporting their business operations online.

Remember, HTTPS is everywhere. Browsers like Google® (and others) are now marking webpages without certificates as “not secure,” meaning every single site and page accessed in a browser, regardless of content, needs HTTPS to be seen as secured by users. The Internet of Things (IoT), such as smart cars and door locks, means that every device connected to or communicating with the internet needs a digital certificate to encrypt data exchange, or risks being left wide open for interception.

2. Implement a digital certificate policy with CAA records – To help you manage all your digital certificates, CSC advocates consolidation with one provider and the use of Certificate Authority Authorization (CAA) records to enforce your policy decisions. A CAA record is a resource record held in a zone file that allows the domain owner to indicate which Certificate Authorities (CAs) are permitted to issue certificates for a given domain name.

| CAA record added | Digital certificate requested | Implications |
|---|---|---|
| Yes | Request matches record. | Certificate issued according to record. |
| Yes | Request does not match record. | Certificate not issued, preventing unauthorized certificates from being issued. |
| No | No record exists for matching. | Certificate issued according to requests, including unauthorized ones. |

By adding CAA records, you’re able to control the CAs that your company uses. This exercise supports the consolidation of your providers and reduces the overall cost of management that comes with multiple disparate providers, also greatly reducing the risk of an expiration.

A CAA record also ensures that only your chosen provider can issue a certificate for your domain names. This is an essential technical control allowing for policy enforcement, as employees will not be able to purchase additional certificates from non-authorized CAs. You can even create a CAA record that will report any attempted policy violations to a chosen email address.

3. Choose the appropriate security and validation level – It’s not a good practice to allow Wildcard certificates in a CAA policy, and more companies are banning their use. The reason is that a Wildcard certificate allows ALL sub-domains to be included. This means that if a hacker compromises your domain name system management portal and creates a new subdomain, the certificate would cover that subdomain, lending legitimacy to a subdomain that could be fraudulent.
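
The CAA outcomes in the table under point 2, together with the wildcard restriction described here, as an added example (not CSC's code or any CA's implementation): a simplified evaluation in the style of RFC 8659 over constructed records. The `example.com` zone, the `ca.example` issuer name and the function names are placeholders chosen for illustration.

```python
# Added example: simplified CAA evaluation (ignores the critical flag and CNAMEs).
# ZONE is constructed sample data; "ca.example" stands in for your chosen CA.
ZONE = """
example.com.  CAA 0 issue "ca.example"
example.com.  CAA 0 issuewild ";"
example.com.  CAA 0 iodef "mailto:security@example.com"
"""

def parse_caa(zone_text):
    """Return {owner: [(flags, tag, value), ...]} from zone-file style lines."""
    rrsets = {}
    for line in zone_text.splitlines():
        parts = line.split(None, 4)
        if len(parts) != 5 or parts[1].upper() != "CAA":
            continue
        owner, _, flags, tag, value = parts
        rrsets.setdefault(owner.rstrip(".").lower(), []).append(
            (int(flags), tag.lower(), value.strip('"')))
    return rrsets

def relevant_rrset(rrsets, name):
    """Climb from the name towards the root; the first CAA RRset found applies."""
    labels = name.rstrip(".").lower().split(".")
    if labels[0] == "*":
        labels = labels[1:]
    for i in range(len(labels)):
        rrset = rrsets.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def may_issue(rrsets, name, ca):
    """Return (allowed, report_to) for a request by `ca` for `name`."""
    rrset = relevant_rrset(rrsets, name)
    issue = [v for _, t, v in rrset if t == "issue"]
    wild = [v for _, t, v in rrset if t == "issuewild"]
    # issuewild, when present, replaces issue for wildcard names only.
    props = wild if name.startswith("*.") and wild else issue
    if not props:  # no CAA record, or none restricting issuance: any CA may issue
        return True, []
    # The issuer name is the text before any ';' parameters; ";" alone names no CA.
    allowed = any(p.split(";")[0].strip().lower() == ca.lower() for p in props)
    report_to = [v for _, t, v in rrset if t == "iodef"]
    return allowed, ([] if allowed else report_to)
```

With these records, the chosen CA can issue for `www.example.com`, no CA can issue `*.example.com`, and a refused request returns the `iodef` address that receives the violation report.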

Digital certificates are not just designed for security. The different validation levels actually provide the consumer with different levels of confidence (or trust) in the legitimacy of the website. EV certificates can give consumers real confidence as they undergo more stringent verification processes, whereas cheaper (and sometimes free) DV certificates can easily be obtained by anyone, and hence offer less confidence that customers are visiting the authentic website.

4. Look to AUTOMATION – Throughout history, whenever mankind is challenged with increasing workloads, we look for a solution that automates the processes. Take advantage of existing automated management solutions of the entire certificate life cycle, from issue to expiration for public and private facing certificates. Now more than ever, automated certificate monitoring and renewal or replacement is ESSENTIAL to protect against unexpected expirations and the problems they can cause.
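
One way to combine the inventory from point 1 with the monitoring described in point 4, as an added example rather than a CSC tool: an audit over a certificate inventory that flags upcoming expirations and validity periods above the 398-day browser limit. The hostnames, dates and the 30-day warning window are constructed, and the example applies the 398-day check only to certificates issued on or after September 1, 2020.

```python
import ssl
from datetime import datetime, timezone

MAX_VALIDITY_DAYS = 398                      # browser limit cited in the article
POLICY_START = datetime(2020, 9, 1, tzinfo=timezone.utc)

# Constructed inventory: (hostname, notBefore, notAfter) in the date format
# printed by `openssl x509 -noout -dates`.
INVENTORY = [
    ("www.example.com",  "Oct  1 00:00:00 2020 GMT", "Oct 15 00:00:00 2021 GMT"),
    ("shop.example.com", "Oct  1 00:00:00 2020 GMT", "Oct  1 00:00:00 2022 GMT"),
    ("old.example.com",  "Mar  1 00:00:00 2020 GMT", "Mar  1 00:00:00 2022 GMT"),
    ("api.example.com",  "Sep 20 00:00:00 2020 GMT", "Sep 25 00:00:00 2021 GMT"),
]

def _utc(cert_time):
    """Convert an OpenSSL-style certificate time string to an aware datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc)

def audit(inventory, now, warn_days=30):
    """Return {hostname: [findings]} for certificates that need action."""
    findings = {}
    for host, not_before, not_after in inventory:
        start, end = _utc(not_before), _utc(not_after)
        issues = []
        if end <= now:
            issues.append("expired")
        elif (end - now).days < warn_days:
            issues.append(f"expires in {(end - now).days} days")
        # Certificates issued before the policy date keep their longer lifetime.
        if start >= POLICY_START and (end - start).days > MAX_VALIDITY_DAYS:
            issues.append(
                f"validity {(end - start).days} days exceeds {MAX_VALIDITY_DAYS}")
        if issues:
            findings[host] = issues
    return findings

if __name__ == "__main__":
    for host, issues in audit(INVENTORY, datetime.now(timezone.utc)).items():
        print(host, "; ".join(issues))
```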



[1] Aberdeen Group

[2] Ponemon Institute Report

[3] TechTarget