A Certificate Management System (CMS) is now mandatory

Deploying a Certificate Management System is becoming mandatory for enterprises of every size. Mike Cooper, CEO of Revocent, has written an excellent article for Dark Reading about coping with the burden of the 398-day maximum TLS certificate lifetime that browser vendors now enforce.

For those who don’t follow browser standards, Mr. Cooper does a great job of recapping events:

“In August 2019, Google introduced CA/Browser (CA/B) Forum Ballot SC22 to reduce Transport Layer Security (TLS) certificate validity periods to one year. After much discussion and thousands of comments — mostly in opposition — the ballot failed and certificate maximum lifetimes remained at two years. Or so we thought.
<…>
As a voluntary group, CA/B lacks the authority to force organizations to unilaterally accept such outcomes. In fact, the real power lies with vendors like Apple and Google. So, at the CA/B Forum meeting this past February, Apple announced that beginning Sept. 1, any new website certificate valid for more than 398 days will not be trusted by the Safari browser and instead will be rejected.”

Editorial – A case of vendor overreach

Disclosure: The following is my own opinion. I have no idea whether Mr. Cooper would agree or disagree:

In my opinion, this is a gross overreach by browser vendors, based on very strange priorities. I do PKI for a living, and I understand how critical PKI security is. At the same time, I maintain a healthy perspective on these issues. I am not aware of a single case where a legitimately issued 2-year certificate has created a genuine security problem for any enterprise or user.

If I were advising browser vendors on priorities, I would ask them why they blocked certificates with a two-year lifetime before disabling Flash in their browsers. Flash has a far longer history of severe security issues than PKI, yet it will only be disabled after being abandoned by its own vendor. More importantly, Adobe announced that transition in July 2017, more than two years before the end-of-life date. By contrast, the decision to cap TLS server certificate lifetimes was announced in February 2020 and takes effect on September 1 of the same year.

This timeline is very aggressive, especially considering how minimal the risks are to the internet at large compared to other browser security issues.

Making Lemonade from a Lemon: A CMS will help

In this otherwise cloudy development, the silver lining is the opportunity to accelerate the deployment of Certificate Management Systems. Shorter lifetimes mean every certificate must be renewed at least twice as often as before, so the risk of an overlooked expiry taking a service offline rises accordingly. A CMS manages that risk by tracking every certificate's expiry date and automating the renewal. Quoting Mr. Cooper again:

“When a CMS is used to create a certificate, it has all the data it needs to not only monitor the certificate for expiration but automatically provision a replacement certificate without human intervention. This frees up your infosec team from the tedium of crunching through lengthy spreadsheets so they can accomplish more value-added tasks. It also eliminates an estimated 90% of certificate-related issues.”
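To make the monitoring half of that concrete, here is an added example; it is not code from the original post or from any CMS vendor. It takes an inventory of certificates in the dictionary format that Python's standard-library `ssl.getpeercert()` returns, computes each certificate's lifetime and days to expiry, applies the 398-day rule Apple announced (certificates issued on or after 1 September 2020 with a longer validity period are not trusted by Safari), and decides whether each one needs renewal. The 30-day renewal window and the sample inventory (placeholder hostnames, constructed dates) are assumptions for the demonstration; `fetch_peer_cert` shows how a real inventory entry would be pulled from a live server.

```python
import socket
import ssl
from datetime import datetime, timezone

# Safari rule described above: a server certificate issued on or after
# 2020-09-01 (UTC) with a validity period longer than 398 days is not trusted.
POLICY_EFFECTIVE = datetime(2020, 9, 1, tzinfo=timezone.utc)
MAX_LIFETIME_DAYS = 398
# Assumed CMS policy setting (not from the page): start renewing 30 days before expiry.
RENEW_WINDOW_DAYS = 30


def parse_cert_time(text: str) -> datetime:
    """Parse the 'Sep  1 00:00:00 2020 GMT' format that ssl.getpeercert() returns."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), tz=timezone.utc)


def common_name(cert: dict) -> str:
    """Pull the CN out of getpeercert()'s nested subject tuples."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return "<no CN>"


def assess(cert: dict, now: datetime) -> dict:
    """Compute lifetime, policy compliance and the renewal action for one certificate."""
    not_before = parse_cert_time(cert["notBefore"])
    not_after = parse_cert_time(cert["notAfter"])
    # Whole days between the two timestamps. Day-counting conventions differ
    # (some policies count both endpoints), so a result sitting exactly on the
    # limit should be double-checked against the issuing CA's own counting.
    lifetime = (not_after - not_before).days
    days_left = (not_after - now).days
    rejected = not_before >= POLICY_EFFECTIVE and lifetime > MAX_LIFETIME_DAYS

    if days_left < 0:
        action = "expired"
    elif rejected:
        action = "reissue_shorter"  # Safari refuses it; a fresh <=398-day cert is needed
    elif days_left <= RENEW_WINDOW_DAYS:
        action = "renew_now"
    else:
        action = "ok"

    return {
        "cn": common_name(cert),
        "lifetime_days": lifetime,
        "days_to_expiry": days_left,
        "rejected_by_safari": rejected,
        "action": action,
    }


def assess_inventory(certs: list, now: datetime) -> list:
    """Assess a fleet and return the records sorted by urgency (soonest expiry first)."""
    return sorted((assess(c, now) for c in certs), key=lambda r: r["days_to_expiry"])


def fetch_peer_cert(host: str, port: int = 443) -> dict:
    """Fetch a live server certificate in the same dict shape (needs network; unused offline)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample inventory in getpeercert() format; hostnames are placeholders.
INVENTORY = [
    {"subject": ((("commonName", "www.example.com"),),),      # 2-year cert issued before the cutoff
     "notBefore": "Aug 31 00:00:00 2020 GMT", "notAfter": "Aug 31 00:00:00 2022 GMT"},
    {"subject": ((("commonName", "api.example.com"),),),      # 2-year cert issued on the cutoff day
     "notBefore": "Sep  1 00:00:00 2020 GMT", "notAfter": "Sep  1 00:00:00 2022 GMT"},
    {"subject": ((("commonName", "mail.example.com"),),),     # exactly 398 days
     "notBefore": "Oct  1 00:00:00 2020 GMT", "notAfter": "Nov  3 00:00:00 2021 GMT"},
    {"subject": ((("commonName", "vpn.example.com"),),),      # inside the renewal window
     "notBefore": "Jan  1 00:00:00 2021 GMT", "notAfter": "Oct 15 00:00:00 2021 GMT"},
    {"subject": ((("commonName", "legacy.example.com"),),),   # already expired
     "notBefore": "Jan  1 00:00:00 2021 GMT", "notAfter": "Sep 15 00:00:00 2021 GMT"},
]

if __name__ == "__main__":
    # Fixed "now" so the report is reproducible; use datetime.now(timezone.utc) in practice.
    for rec in assess_inventory(INVENTORY, now=datetime(2021, 10, 1, tzinfo=timezone.utc)):
        print(f"{rec['cn']:<20} lifetime={rec['lifetime_days']:>4}d "
              f"expires_in={rec['days_to_expiry']:>4}d "
              f"safari_ok={not rec['rejected_by_safari']} action={rec['action']}")
```

Two details matter in practice. First, the rule is keyed on the issuance date, not on when the check runs: the two-year certificate issued on 31 August 2020 stays trusted for its full term, while the one issued a day later does not. Second, the 398-day boundary is where counting conventions bite; a CMS that issues its own certificates can simply stay a day or two under the limit rather than argue about inclusive versus exclusive day counts.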

There are some fantastic Certificate Management Systems on the market, designed for all sizes and types of enterprises.

If your enterprise needs help to evaluate or implement a Certificate Management System, contact Credentive Security.