When you purchase something from Amazon, BestBuy or any other online retailer, how do you know to trust the website with your payment information? It is because you trust your browser, which placed its trust in the web domain’s Certificate Authority, to notify you of any misrepresentation of the domain you are browsing. Unlike humans, machines such as your laptop or mobile cannot visually identify, validate and establish trust with other machines. They need a system to help them establish trust on their behalf anywhere in the world. This makes SSL/TLS certificates the foundation of trust online and browsers will go to great lengths to uphold this trust. The most recent – and perhaps most significant – examples of this are the massive SHA1 to SHA2 migration and Symantec deprecation projects.
On Symantec’s web trust deprecation, Roxane Divol, Executive Vice President and General Manager of Symantec Website Security, believed that Google’s proposal to distrust Symantec was not in the best interest of the internet community. Though one can understand the business ramifications of such judgments, trust remediation should never be taken lightly as it is often one’s brand reputation at stake. And, Symantec deprecation will not be the last. More cipher suites will be broken and more mis-issued certificates will be identified using the Certificate Transparency program. Given the dynamic nature of the SSL/TLS certificate industry, how do you navigate these initiatives in an already complex X.509 certificate infrastructure?
The Ultimate Project Plan #1
The majority of the challenge in successfully executing deprecation projects can be overcome with an up-to-date and properly documented SSL/TLS certificate inventory. If you are not confident in your inventory and if you wish to update your certificates manually, the following six steps can help you start this project from scratch.
Step 1: Discovery of all certificates with deprecated keys
The first step is to identify SSL/TLS certificates that have a deprecated digital signature across the infrastructure. It is essential that every certificate in the chain of trust (including intermediate) with this deprecated signature is tracked down irrespective of the nature of the server (internal or public-facing).
Step 2: SSL/TLS certificate inventory assessment
Assess the certificates within the discovered inventory. Group and prioritize them according to the organization’s requirements, such as replacing deprecated certificates on mission-critical and public-facing applications before updating certificates on internal servers.
Step 3: PKI migration impact analysis
Involve every key stakeholder who might get affected by this update and keep them apprised of the progress. Once the plan is in place, the migration team should do an impact analysis to assess system compatibility with the certificates slated for an update. When dealing with cipher-suite upgrades such as SHA1 to SHA2 migration, multi-domain certificates (like wildcards) must be split into multiple certificates to support legacy applications that are incompatible with the updated signature. All external-facing legacy systems that do not support the latest PKI must be updated. In the case of legacy systems that are being used internally, choose the deprecated PKI at your own risk and schedule a clean-up at your convenience.
Step 4: PKI migration
After performing the impact analysis, update certificates in order of priority. The updated certificates can be reissued, renewed or purchased from the vendor(s) of your choice. If necessary, the intermediate certificates should also be updated to complete the trust chain. Before replacing the deprecated SSL/TLS certificates with the updated ones on your servers and in your trust stores, make a back-up of both your old and new certificates in a secure place. Manual migration can be tedious and error-prone, but make sure each step is documented and accounted for.
Step 5: Validation of migration
Once the migration is complete and you’ve rechecked your environment for old certificates, perform a detailed migration report on the whole process. Use this report to validate and ensure successful completion and share the status of the migration plan with key stakeholders.
Step 6: Enforceable policy creation
The migration team should create policies to guide the post-migration process and ensure standardized deployment across the infrastructure in the future.
Can this plan fail?
Beyond the initial success of your PKI update, there are things that can completely void your efforts.
- Using deprecated algorithms: You need to ensure that certificates with deprecated keys do not reappear in your infrastructure. Insiders may have opportunities to misuse their privilege and introduce vulnerabilities into the system.
- Not enforcing strict policies: If there are no strict policies governing individuals and restricting them from introducing deprecated certificates into the system, then the actual purpose of a PKI update is defeated. You must regularly validate your certificates to ensure success.
- Using free certificates: *Especially when dealing with cipher-suite upgrades* Free certificates can be rogue and undocumented, meaning they usually bypass your workflows and policies.
Even if you avoid the practices above, can this plan still fail?
Yes. If any of your applications still experience outages or your project goes over budget, or you fall behind the timeline, your plan could fail.
While this is one way to handle the changing dynamics of the certificate industry, this is not the most efficient or cost-effective. Here’s an alternative.
The Ultimate Project Plan #2
As previously stated, most of the challenges associated with projects like these can be overcome by building a robust SSL/TLS certificate inventory, devoid of any human error. But, how do you achieve this? The answer is through Enterprise PKI Automation tools. Almost any time you go over budget or fall behind a project deadline, unnecessary delays caused by manual human errors are to blame. By introducing PKI automation tools into your infrastructure, you can save valuable time and effort on tasks as time-consuming as keeping your inventory in-check. Once the certificates are discovered on each device in your infrastructure, the inventory is kept up-to-date automatically by syncing with all devices every day.
Every single step in the 6-step process, from identifying certificates that need replacement, to SSL certificate generation and ordering the certificate to be installed on a device, can be automated, making this an innovative single-step process for any migration. With AppViewX, all you need to do is navigate to the list of enterprise PKI automation workflows in the automation catalog and hit “Start”. A sample migration workflow is presented in the screenshot below.
AppViewX can be used as a certificate discovery tool to build an accurate list of SSL/TLS certificates in your infrastructure. Post discovery, once you hit “Start”, the platform fetches the list of deprecated certificates from the inventory, submits the CSR to the CA, receives the reissued certificates and pushes them to the respective devices automatically. Apart from this, AppViewX can also continuously monitor SSL certificates for expiry and can act as a multi-vendor certificate renewal solution. If you think this is easier said than done, you can implement these automation workflows into your infrastructure too with a free trial.
Performing a complete PKI migration is inevitable whenever a cipher suite is broken or a Certificate Authority makes an error. And, any migration project is going to be huge, complex, time-consuming and riddled with errors. This makes you, the certificate owner, the most impacted of all. However, there is no point in blaming anyone under these circumstances – this is bound to happen every now and then. However, you must be prepared to handle such unplanned, important projects in the most efficient and cost-effective way possible. As your next migration project may be just around the corner, it is time you invested your valuable time and resources wisely into PKI automation tools. Request for a Free Trial today and get started immediately.