Digital certificates are issued for a defined use (or uses) and a finite lifespan. Failing to renew them in this “all-digital” age has serious consequences such as security breaches, critical application outage, loss of revenue or damage to the customer relationship or brand image. So how can we prevent service outages due to digital certificate expiration?
What is a digital certificate?
A digital certificate (also known as a public key certificate) is a sort of “electronic ID card” issued by a trusted third party which guarantees its owner’s identity. The owner can be a person, server, software application, appliance or organization.
Digital certificates are used to fulfill various IT security objectives such as:
- Confidentiality through encryption
- Authentication of people and machines
- Security of communications
- Integrity and non-repudiation of electronic signatures
- Application and digital service availability
- Digital evidence and traceability
What format does a digital certificate take?
A digital certificate looks something like this:
It contains information relating to:
- A public key
- The owner's identity: a surname and first name for a person, or a domain name for a server
- The trusted third party, called a Certificate Authority (CA), which issued it, and a link to the CRL (Certificate Revocation List) where the CA publishes revoked certificates
- The uses for which it is valid
It is a modestly sized file in a machine-readable encoding rather than plain text. There are a variety of file formats and extensions, such as .pem, .p12 and .cert.
Limited lifespan and service outage risk
From when it is created to when it expires, the digital certificate goes through several stages which are shown in the diagram below:
The average certificate lifespan is two to three years. The certificate validity period should be minimized in order to prevent security breaches involving the information system or issuing authority. For example, the lifespan of Let’s Encrypt SSL certificates is 90 days.
All digital certificates need to be monitored to make sure they are renewed before they expire in order to stave off the dreaded service outages! Many organizations learned this lesson at a high price including Microsoft (2013), LinkedIn (2019), Ericsson (2018), the FreeWifi service and even the White House.
Below is a screenshot of what users see when they go to a website with an expired certificate:
How can we protect against service outages?
Whether it is to minimize security breaches, guarantee critical application availability, avoid losing revenue or preserve the customer relationship or brand image, organizations have every reason to protect themselves from service outages due to certificate expiration. They use thousands of digital certificates on their web servers (Apache, Tomcat, IIS) and in protocols such as DNSSEC, for bank transactions, in electronic signature or archiving solutions or in their blockchain, for example.
Manually managing thousands of certificates is not only time consuming and adds no value, it also invites mistakes. To avoid service outages due to digital certificate expiration, it is a good idea to use a digital certificate management tool to:
- Automate finding all the certificates used in the information system
- Analyze the certificates and their compliance with security policies
- Monitor non-compliance and upcoming expirations
- Respond more rapidly to security incidents or compromises
- Automatically renew certificates through integration with the various internal and external PKIs used in the organization
- Deploy new certificates and ensure they are effectively used by the network elements and business applications
- Generate system status reports