SSL (or really TLS these days) certificates have always been a challenge for server administrators, and if the folks in charge get their way, it is set to become a bigger challenge, but also an opportunity.
Server TLS certificates expire after a certain amount of time. When they expire, they have to be renewed and then replaced on the servers where they live. For a big company with thousands of servers, that is a royal pain and one that, for the most part, has not been automated.
Most companies' solution to this is to create a certificate with a really far away expiration date and hope that they remember to renew it (the certificate authorities usually send email reminders, but of course that doesn’t always work).
What does really far away mean? Often 2-3 years. I have seen certificates with expiration dates of ten years.
But sometimes certificates get compromised, and a compromised certificate with one of these far away expiration dates will continue to be honored for years. The industry tried to set up a revocation process for compromised certificates, but that failed miserably.
The non-profit Let’s Encrypt came up with an idea: automate the renewal process. For servers using Let’s Encrypt’s certificates, the certificates expire every 90 days, but they get renewed and installed automatically, so server admins never have to worry about it. Even though there are millions of Let’s Encrypt certificates, there are hundreds of millions of other certificates that have to be managed the old-fashioned way – manually.
But because of certificate compromises, the folks that set the rules – the CA/Browser Forum – have proposed a mandatory maximum certificate lifetime of no more than ONE YEAR. Assuming they don’t change their mind, this goes into effect next March.
So what should you do?
1. If you don’t already have one, create an inventory of all of your certificates with the expiration dates.
2. Create a certificate management plan so that all certificates on all servers are managed the same way.
3. Automate. Automate. Automate. What you don’t have to touch by hand is more likely to be done correctly.
4. Figure out where your pain points are around the certificate process – those things that cause you to want to create certificates with ten-year expirations – and deal with them.
Even if they change their mind, setting up these processes will be good for your sanity.
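As an added illustration of steps 1 and 3 (this is not code from the alert or from Dark Reading), the following Python script audits a certificate inventory stored in the dict form that Python’s ssl getpeercert() returns: it computes each certificate’s lifetime and days remaining, flags lifetimes over the one-year cap (assumed here as 365 days) and flags certificates inside a 30-day renewal window (an assumed value). The hosts, dates and audit date are constructed samples; fetch_cert shows how such records would be collected from a live server but is not needed to run the audit.

```python
import socket
import ssl
from datetime import datetime, timezone

# Cap proposed in the alert: no more than one year. Assumption: 365 days.
MAX_LIFETIME_DAYS = 365
# Assumed renewal window: flag anything with 30 days or less remaining.
RENEW_WITHIN_DAYS = 30


def fetch_cert(host, port=443, timeout=5):
    """Collect one server's leaf certificate as the dict getpeercert() returns."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def _parse(cert_time):
    """Parse the 'Mon DD HH:MM:SS YYYY GMT' form used in getpeercert() output."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc)


def audit_cert(host, cert, now=None):
    """Return lifetime, days remaining and policy flags for one certificate."""
    now = now or datetime.now(timezone.utc)
    not_before, not_after = _parse(cert["notBefore"]), _parse(cert["notAfter"])
    lifetime = (not_after - not_before).days
    days_left = (not_after - now).days  # negative once the certificate has expired
    return {
        "host": host,
        "lifetime_days": lifetime,
        "days_left": days_left,
        "too_long": lifetime > MAX_LIFETIME_DAYS,     # violates the one-year cap
        "renew_now": days_left <= RENEW_WITHIN_DAYS,  # inside the renewal window
    }


def audit_inventory(inventory, now=None):
    """Audit every record and return them soonest-expiring first."""
    results = [audit_cert(host, cert, now) for host, cert in inventory.items()]
    return sorted(results, key=lambda r: r["days_left"])


# Constructed sample inventory (fictional hosts) in getpeercert() format.
SAMPLE_INVENTORY = {
    "legacy.example.test": {"notBefore": "Jan 15 00:00:00 2020 GMT", "notAfter": "Jan 15 00:00:00 2030 GMT"},
    "acme.example.test": {"notBefore": "Mar 15 00:00:00 2024 GMT", "notAfter": "Jun 13 00:00:00 2024 GMT"},
    "corp.example.test": {"notBefore": "Apr 15 00:00:00 2024 GMT", "notAfter": "Apr 15 00:00:00 2025 GMT"},
}
AS_OF = datetime(2024, 5, 15, tzinfo=timezone.utc)  # constructed audit date

if __name__ == "__main__":
    for record in audit_inventory(SAMPLE_INVENTORY, AS_OF):
        print(record)
```

Run on the sample, the ten-year certificate is the only one flagged as too long, while the 90-day certificate is the only one due for renewal.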
Source: Dark Reading