Cyber Security Lessons and Emerging Challenges in the Realm of Digital Certificates and PKI

The digital certificate realm observed a tumultuous journey in the past year, resembling a thrilling roller coaster ride. Major occurrences such as Google’s choice to distrust Entrust digital certificates, the revocation incident at DigiCert, and substantial certificate failures emphasized the critical importance of overseeing and safeguarding digital certificates in today’s contemporary digital world.

As 2025 approaches, it is worth reflecting on these recent incidents in preparation for the coming changes to machine identity, such as Apple’s proposed reduction of certificate lifespans and advances in post-quantum cryptography.

Notable PKI Incidents Heat Up the Scene

The latter half of the previous year saw several significant PKI incidents make headlines. In July, Google announced that it would no longer trust Entrust digital certificates. After October 31, 2024, Google Chrome ceased to trust any Entrust certificates, citing compliance failures, unmet commitments to improve, and the absence of “tangible progress” following publicized incidents.

This sent many businesses scrambling to replace the affected certificates quickly in order to avoid costly operational disruptions. Because Google Chrome holds a 65 percent share of the browser market, organizations using Entrust certificates risked security warnings that deter prospective customers and erode trust. Migrating to a new certificate authority (CA) also carried substantial costs.

In a second July incident, DigiCert had to revoke certificates because of flawed domain control validation, affecting 0.4 percent of its certificates (approximately 216,400 certificates). Affected organizations had only a 24-hour window to replace the revoked certificates across their PKI, making operational downtime almost inevitable and leaving those slow to respond facing significant expense and potential revenue loss.

The summer’s PKI troubles continued with a major certificate outage at the Bank of England in September. ServiceNow also suffered an outage caused by an expired certificate. Expired certificates spell trouble for businesses: severe operational disruption, diminished customer confidence, and questions about whether security credentials are being monitored and managed effectively.

Key Takeaways for Businesses from these Incidents

The summer’s PKI incidents hold valuable lessons for businesses and underscore the importance of scrutinizing their PKI and cryptographic infrastructure closely. The recurring theme across all of them is the need for proactive oversight and robust safeguards to mitigate risk and avoid disruption.

The paramount lesson from all four PKI episodes is that crypto-agility is essential in today’s landscape and tomorrow’s. The Entrust and DigiCert incidents are a reminder that errors happen and that the industry will keep facing decisions about what to trust or distrust. Because those decisions lie outside the affected organizations’ control, organizations must rely on crypto-agility to manage certificates and trust efficiently at scale, replacing expired certificates seamlessly to minimize business interruption.

Businesses should make use of automation wherever feasible. Every organization has to manage and secure hundreds of thousands of digital certificates, a task that falls to its security team. No matter how large or capable that team is, it cannot realistically do this by hand alongside the many other priorities that require human attention. The same holds for many other areas of cyber security, which is why chief information security officers (CISOs) should emphasize automation wherever practicable.

The crux of the matter is that certificate outages are preventable. Businesses that use automation and build crypto-agility into their machine identity management strategies can avoid the steep consequences of poorly managed and poorly secured PKI infrastructure. Certificate-related outages stem from inadequate visibility and governance over an organization’s certificate estate. By automating certificate discovery and making changes seamlessly through crypto-agility, organizations can avert certificate-related disruptions.
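As an added example (not code from the article), this is the kind of inventory check the paragraph says should be automated, written in Go with only the standard library: it flags certificates that have already expired, that expire within a warning window, or whose issuer organisation is on a distrust list, using Entrust as the page's example of a distrusted CA. The certificates, CA names, hostnames and dates are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CheckInventory maps each subject CN to why it needs action: expired, expiring
// within warnDays, or issued by a distrusted organisation (flagged at any lifetime).
func CheckInventory(certs []*x509.Certificate, now time.Time, warnDays int, distrusted map[string]bool) map[string][]string {
	findings := map[string][]string{}
	for _, c := range certs {
		cn, days := c.Subject.CommonName, int(c.NotAfter.Sub(now).Hours()/24)
		if now.After(c.NotAfter) {
			findings[cn] = append(findings[cn], "expired")
		} else if days <= warnDays {
			findings[cn] = append(findings[cn], fmt.Sprintf("expiring in %d days", days))
		}
		for _, org := range c.Issuer.Organization {
			if distrusted[org] {
				findings[cn] = append(findings[cn], "issuer distrusted: "+org)
			}
		}
	}
	return findings
}
// MakeTestCert builds a self-signed certificate as constructed sample data, so
// issuerOrg is both subject and issuer organisation (errors ignored: test data only).
func MakeTestCert(cn, issuerOrg string, notAfter time.Time) *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: notAfter.AddDate(-1, 0, 0),
		NotAfter: notAfter, Subject: pkix.Name{CommonName: cn, Organization: []string{issuerOrg}}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	c, _ := x509.ParseCertificate(der)
	return c
}
func main() { // constructed three-certificate inventory, checked as of 2024-12-01
	now := time.Date(2024, 12, 1, 0, 0, 0, 0, time.UTC)
	inventory := []*x509.Certificate{
		MakeTestCert("shop.example", "Example CA", now.AddDate(0, 0, 10)), // expiring soon
		MakeTestCert("api.example", "Entrust", now.AddDate(1, 0, 0)),      // distrusted issuer
		MakeTestCert("old.example", "Example CA", now.AddDate(0, -1, 0)),  // already expired
	}
	fmt.Println(CheckInventory(inventory, now, 30, map[string]bool{"Entrust": true}))
}
```

In a real deployment the inventory would come from discovery (scanning endpoints, key stores and CA logs) rather than from generated test certificates, and each finding would open a renewal or replacement job.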
