Information Security / Switching Certificate Authorities? Here’s what you need to know!
Switching Certificate Authorities? Here’s what you need to know!
5 September 2018
Vendor View: Mike Dodson, Global Head of Security Architects at Venafi, on the challenges of switching Certificate Authorities.
On the 23rd October 2018, Google will no longer trust any Symantec-issued certificates, as a result of several security mis-steps which caused Google to lose trust in Symantec's infrastructure. From issuing certificates that didn’t comply with Certificate Authority (CA)/Browser Forum Baseline Requirements, to its failure to conduct the necessary oversight for companies it entrusted to issue certificates, Symantec’s actions have seen an armada of browsers fighting to regain control over cybersecurity.
The Symantec situation reflects just one instance when organisations might need to switch CAs, potentially at short notice. However, it is by no means the only reason why enterprises should, or may have to, consider a change of CA. Staff at CAs making a human error when issuing or sharing details of certificates, technology malfunctions affecting the renewal of certificates, even mis-issuance due to poor internal controls can all mean businesses need to change CA. Businesses should therefore be prepared for this eventuality should the tide change against their preferred CA.
But organisations may face several challenges when it comes to switching CAs. While these obstacles aren't insurmountable, they may put organisations off changing unless absolutely necessary, and so ignoring the benefits that alternative CA’s can provide. Here are solutions to four common challenges involved when switching to a new CA:
X marks the spot – finding your certificates
Before organisations even begin to consider switching to a new CA, they firstly need to locate all of their certificates. Although businesses may have an up-to-date inventory of all certificates purchased through the appropriate channels, it is possible that certificates may have been purchased by the team or department using it, meaning it has not been tracked as per business procedures.
Given this possibility, organisations should use an automated tool to find all certificates, which can create a comprehensive inventory regardless of where these certificates are being used. The IT department can then build a plan for transitioning to a new CA once they have a complete record of their business’s certificates.
Also of interest: Motivating cyber resilience: the carrot or the stick?
Staying afloat – issuing and installing new certificates
The next concern for most organisations is the actual process of issuing and installing certificates. This consists of ordering new certificates, requesting them, verifying their domains are validated and the relevant accounts are configured, and issuing and installing these new certificates. However, it is vital for organisations to ensure issuing and installing new certificates won’t cause a disruption to the business or its customers.
There are steps organisations can take to ensure that the process of issuing and installing certificates with a new CA is as easy as possible. For example, best security practice means not uninstalling a certificate until its replacement has been properly installed on the server; renewing certificates ahead of their expiration; changing CA when there has been a breach or incident putting certificate security at risk. Organisations should consider using a platform that allows for automated issuance and installation of certificates.
Plundering the coffers – keeping the cost down
Some organisations might worry about how much it will cost them to switch to a different CA. As the organisation is already paying for the existing certificate agreement; it is understandable to fear being required to pay more for a new agreement, with potentially less favourable terms.
However, what organisations may not realise is that they have a lot of choice when it comes to the price of switching to a new CA. Many CAs offer flexible pricing and certificate licensing models which enable an organisation to purchase thousands of certificates for one fee. Companies should also consider the overall value of a certificate agreement; additional features, for instance, could justify higher costs – such as SSL management tools or customisable options.
Also of interest: Cyber breaches: are millennials to blame?
Keeping the treasure – maintaining existing certificate validity
Finally, when changing CAs, organisations want to be sure they won’t lose any of their certificates existing validity. Many CAs already recognise this and work to ensure the new certificates retain the most value over the course of the transition. To that end, some CAs will add the remaining validity of existing certificates onto the replacement certificates. This can help organisations save money, as well as making the switch to another CA smoother.
Walking the plank – prepare to take the plunge
The challenges businesses associate with switching CAs can be simplified if an organisation can find an effective certificate management solution. This solution should maximise flexibility, control, and security – ensuring an organisation can locate its certificates as well as revoking, renewing, and replacing these as appropriate, particularly when switching CAs. Such a platform will allow businesses to manage their certificates regardless of which CA they currently use, or which CA they ultimately choose.
CA’s have shown over the past few years they are as vulnerable as other organisations to issues affecting their products and services. In many cases, businesses may be forced to dive into the deep end, and revoke and replace certificates through no fault of their own. Being unable to switch CAs in a timely manner can put businesses at risk of outages, system failures, and cyberattacks. Having the ability to counter this is something organisations must be capable of doing in our increasingly connected world – those that can’t are at risk of having their customers and reputation plundered by competitors who can.