As we move through 2024, three events are causing significant disruption in the Public Key Infrastructure (PKI) landscape – the Entrust CA distrust incident, Google’s proposal for 90-day TLS certificate validity, and post-quantum cryptography (PQC) standardization. These events come with unique challenges and opportunities and are compelling organizations to rethink their approach to PKI and digital identity security. Although unrelated to each other, the events collectively point towards a critical best practice in PKI and certificate lifecycle management that most organizations are yet to follow–Crypto-Agility. This blog delves into each of these transformative trends, examining their impacts and ultimately connecting the dots to help your organization find the right direction ahead.
1. Entrust CA Distrust
On June 27, 2024, Google announced its decision to distrust public TLS certificates from Entrust, one of the leading public Certificate Authorities (CAs). The distrust stemmed from a trail of Entrust’s non-compliance issues and poor incident response handling over the past six years. Starting November 1, 2024, Google Chrome will no longer trust SSL/TLS certificates issued by Entrust or AffirmTrust. Any website or application using an Entrust certificate issued after October 31, 2024, will be treated as invalid/untrusted and will trigger security and privacy warnings on Google Chrome.
Due to these implications, businesses relying on Entrust certificates must immediately replace them by transitioning to another trusted public CA before the due date. Following Google’s suit, Mozilla, another prominent browser, recently announced its decision to distrust Entrust certificates effective November 30, 2024.
2. Google’s Proposal for 90-Day TLS Certificate Validity
In March 2023, Google announced its plans to reduce the maximum validity period for public TLS certificates from 398 days to 90 days. The change in certificate validity is intended to promote automation, enable crypto-agility, and build resilience required for PKI changes and post-quantum cryptography. Shorter validity periods ensure more frequent certificate renewals and reduce the exposure window for potential vulnerabilities.
The policy change could either be introduced as a future Google’s Chrome Root Program policy update or a CA/B Forum Ballot Proposal. Once adopted by the CA/Browser Forum, Public CAs can only issue public trust TLS with a maximum validity of 90 days.
3. Post-Quantum Cryptography (PQC) Migration
There is no denying that a large-scale quantum computer will be able to effortlessly break today’s cryptography using quantum algorithms like Shor’s within hours. Given the speed at which the quantum industry is advancing, experts predict that current prominent algorithms, such as RSA, DSA, ECDH, ECDSA, and EdDSA could become unsafe to use as early as 2029. This means that all of today’s sensitive encrypted data and communications could be exposed and compromised by quantum computers in just five years from now!
The answer to this cryptographic apocalypse lies in post-quantum cryptography (PQC) standardization – a new wave of cryptographic algorithms designed to withstand attacks from quantum computers. The goal of PQC is to ensure long-term data protection and privacy in the post-quantum era. NIST is leading the effort in developing, evaluating, and standardizing quantum-resistant algorithms with the international cryptography community. The standardization process began in 2016 and after eight years of rigorous evaluation, NIST has officially released the first set of finalized post-quantum encryption standards.
During the third round of evaluation in July 2022, NIST announced the selection of four algorithms: CRYSTALS-Kyber for key establishment and CRYSTALS-Dilithium, FALCON, and SPHINCS+ for digital signatures. Then on August 13, 2024, NIST released the first three finalized post-quantum encryption standards: Federal Information Processing Standard (FIPS) 203, FIPS 204 and FIPS 205. Now that the finalized standards have been announced, organizations should begin migrating to these new standards to avoid encryption compromises, data breaches, and compliance violations.
Set up a secure, scalable and compliant cloud-based PKI with AVX ONE PKIaaS
The One Key Takeaway from All Three Ongoing Trends
Crypto-agility is no longer optional—it’s essential. To effectively adapt and respond to emerging cryptographic threats and industry shifts, organizations must practice crypto-agility across their enterprise. Given the dynamic nature of the PKI landscape, implementing enterprise-wide crypto-agility can help businesses minimize downtime, mitigate security risks, maintain compliance, and uphold customer trust.
Where and How Crypto-Agility Helps
-
Seamless CA Migrations
Manually migrating from one Certificate Authority to another is complex, time-consuming, and resource-intensive. It requires diligent planning and coordination to avoid service disruptions, security issues, or compliance violations. For organizations with extensive IT infrastructure, identifying certificates to be replaced, setting up a new CA, provisioning certificates from the new CA, and revoking old certificates can be too difficult and error-prone when done manually.
Crypto- and CA-agility are essential to quickly switch from one CA to another and rapidly replace certificates without costly retrofitting and downtime. They help mitigate security risks and avoid the heavy lifting, operational overhead, and disruption associated with a CA distrust incident.
A CA-agnostic automated CLM solution is key to practicing crypto- and CA-agility. It helps quickly and seamlessly transition to a new CA by allowing you to automatically request, re-provision, and re-install impacted certificates (from a new CA) to the same endpoints.
CA distrust incidents are not uncommon. Over the years, we’ve seen several cases, such as CNNIC in 2015, Symantec in 2017, and TrustCor in 2022, each stemming from issues like CA compromises, non-compliance, mis-issued certificates, and poor incident handling. Despite the strict mandates and regular audits imposed by the CA/Browser Forum, human error, insufficient verification processes, and technical glitches still lead to CA distrust. To mitigate the impact of such incidents, organizations should proactively practice crypto-agility, diversify their CA portfolio, and enforce strong security practices to ensure resilience and continuity.
-
Tackling the Challenges of Shorter-Lived Certificates
Google’s proposal for 90-day TLS certificate validity has a significant impact on certificate lifecycle management. With a validity period of a mere 90 days, public TLS certificates will require renewals not once but four times a year. With organizations managing tens of thousands of certificates in their infrastructures, manually identifying expiring certificates and carrying out the renewal and provisioning process for all these certificates more than four times a year requires a massive cross-functional management effort.
With manual processes, the likelihood of missed renewals, delayed certificate issuance, and provisioning errors is very high, leading to frequent outages, vulnerabilities, and compliance issues.
The only way to effectively manage shorter-lived certificates at scale and mitigate the risk of expired, weak, and non-compliant certificates is to become crypto-agile. Building complete visibility of the certificate ecosystem, streamlining renewals with automation, and enforcing strong policies around certificate usage and management help build crypto-agility, which is essential for adapting to new changes quickly.
-
Preparing for Post-Quantum Cryptography
Preparing for post-quantum cryptography is a decade-long effort involving extensive planning, time, and resources. It is not just about adopting new algorithms but also about overhauling existing cryptographic infrastructure to ensure resilience against future quantum threats. Early adoption and experimentation with PQC will be key to achieving a successful transition.
So, it’s essential to start preparing your systems to handle the unique demands of PQC all while maintaining seamless and secure operations. Again, this is where crypto-agility will play a pivotal role. It will ensure visibility, automation, and policy control you need to assess your crypto inventory, identify high-risk instances, test suitable PQC algorithms, upgrade necessary hardware/software, and switch to PQC standards smoothly.
The PKI landscape is at the cusp of a major transformation. As it evolves, one thing is clear – a secure future belongs to those who are crypto-agile. It is the only way to adapt to new changes, stay secure, and thrive. Crypto-agility is not a set-and-forget practice, it’s a continuous work in progress, and it is best to start working on it today.
If you want to learn more about why and how you can build crypto-agility, please register for our upcoming webinar: Top 3 Reasons You Need Crypto-Agility Today
If you would like to know how AppViewX can help your organization become crypto-agile, visit Crypto-Agility and Post-Quantum Cryptography Readiness