Public key infrastructure (PKI) and certificate management professionals have no shortage of news this summer. From Google's announcement that it will distrust Entrust certificates, to the imminent arrival of post-quantum cryptographic algorithms, to the prospect of 90-day certificate lifetimes, effective PKI and certificate management is top of mind. Add a shortage of skilled professionals, many of whom are on vacation, and you have a perfect storm that shows why crypto-agility is essential to the modern enterprise.
DigiCert Certificate Revocation and What You Need to Know
DigiCert recently announced a revocation incident for certificates issued without proper Domain Control Verification, affecting approximately 0.4% of the applicable domain validations DigiCert has in effect. The CA/Browser Forum rules require that certificates affected by a domain validation problem be revoked within 24 hours, without exception. We strongly recommend following DigiCert's guidance to determine whether you are impacted and to reduce the likelihood of an outage.
For impacted Keyfactor Command customers, the steps to reenroll/renew affected certificates are below. Because DigiCert is performing the revocation itself, no revocation step is needed in Keyfactor; only reenrollment/renewal and redeployment are.
Keyfactor Command Customers – Follow the Steps Below:
To see where DigiCert certificates are installed, open the Certificate Search page and view the Locations tab. Because DigiCert is revoking the certificates, your work in Keyfactor Command is to reenroll/renew them and get the replacements deployed:
Right-click each impacted certificate that was discovered and click "Renew".
This issues a new DigiCert certificate and creates a management job on the Universal Orchestrator to replace the certificate in every certificate store where it was discovered.
- Navigate to the Orchestrator Job Status page to see the current status of the orchestrator job.
Optional: use Workflows to take follow-up actions after the certificate has been deployed to the certificate store, such as updating bindings.
- Command provides a "Certificate Entered Certificate Store" workflow that is triggered when a certificate appears in a certificate store; from it you can call API commands or other actions your application needs after a certificate has been updated.
Crypto-agility is Essential Given the Increasing Complexity
These types of incidents are inevitable given the increasing complexity and rapid growth of certificates across digital services, cloud workloads, IoT devices, and more. Our main responsibility is to help our customers respond swiftly, regardless of where the issue originates.
But incidents like this point to a larger trend: it is no longer just PKI that is critical infrastructure. Crypto-agility, the ability to quickly adapt and respond to incidents like these, is becoming essential to establishing and maintaining digital trust. Here are some crypto-agility essentials to better prepare your team for what's ahead.
Crypto-agility Essentials: Start with Discovery and Inventory
Crypto-agility isn't only about reacting quickly to incidents. It starts with discovering the cryptographic assets in your organization. In a survey of 1,200 IT professionals, we found that 92% agree their organization would benefit from more visibility into all issuing Certificate Authorities (CAs) and PKI tools. We view being CA-agnostic as a benefit to customers: we have no bias about where certificates originate and no interest in keeping customers tied to a single CA ecosystem.
Managing CA and certificate sprawl with effective discovery and unified management of all cryptographic assets is step 1 in implementing crypto-agility and reducing operational burden.
Customers who previously relied on manual spreadsheets or disparate PKI tools deal with visibility gaps and the downstream operational impact of having multiple sources of truth. When we run discovery at prospective organizations, it is common to find hundreds if not thousands of certificates the team was unaware of, whether from mergers and acquisitions, past employees, or short-lived initiatives. To be crypto-agile in the face of revocations or other incidents, those assets need to be in one unified inventory.
Furthermore, the certificate landscape of any organization is always changing, which is why Keyfactor Command provides continuous insight into changes in your posture. Visibility of everything under management is an important first step toward crypto-agility, but not the only one.
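As an added example (not Keyfactor's code and not part of the original post), here is a minimal discovery pass over certificates sitting on a host's filesystem, using only openssl: it inventories every PEM certificate under a directory (skipping private keys and other PEM files that share the extension), filters by issuing CA, and flags certificates that will expire within a given window. The directory path and the issuer pattern are hypothetical inputs. Note the limit of what this tells you: a local inventory shows which certificates came from a given CA and where they live, but whether a DigiCert-issued certificate is actually on DigiCert's affected list still has to be checked against DigiCert's own guidance.

```shell
#!/bin/sh
# Added example, not Keyfactor's code: inventory PEM certificates on disk with openssl.
# Assumes `openssl` is on PATH. The directory and issuer pattern are hypothetical inputs.
set -u

# cert_files DIR: list files under DIR that openssl can parse as an X.509 certificate.
# Private keys, CSRs and other PEM files with the same extensions are skipped.
cert_files() {
    find "$1" -type f \( -name '*.pem' -o -name '*.crt' -o -name '*.cer' \) | sort |
    while IFS= read -r f; do
        if openssl x509 -in "$f" -noout >/dev/null 2>&1; then
            printf '%s\n' "$f"
        fi
    done
}

# cert_inventory DIR: one pipe-separated line per certificate:
#   file|sha256 fingerprint|serial|subject|issuer|notAfter
# (a DN containing '|' would break the field split; quote or escape if that applies to you)
cert_inventory() {
    cert_files "$1" | while IFS= read -r f; do
        fp=$(openssl x509 -in "$f" -noout -fingerprint -sha256 | sed 's/^[^=]*=//; s/://g')
        serial=$(openssl x509 -in "$f" -noout -serial | sed 's/^serial=//')
        subj=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject= *//')
        iss=$(openssl x509 -in "$f" -noout -issuer | sed 's/^issuer= *//')
        exp=$(openssl x509 -in "$f" -noout -enddate | sed 's/^notAfter=//')
        printf '%s|%s|%s|%s|%s|%s\n' "$f" "$fp" "$serial" "$subj" "$iss" "$exp"
    done
}

# certs_from_issuer DIR PATTERN: files whose issuer DN matches PATTERN
# (case-insensitive regex), e.g. certs_from_issuer /etc/ssl/local digicert
certs_from_issuer() {
    cert_inventory "$1" | awk -F'|' -v pat="$2" 'tolower($5) ~ tolower(pat) { print $1 }'
}

# certs_expiring_within DIR DAYS: files whose certificate will no longer be valid
# DAYS days from now. `openssl x509 -checkend N` exits non-zero when the certificate
# will have expired N seconds from now.
certs_expiring_within() {
    secs=$(( $2 * 86400 ))
    cert_files "$1" | while IFS= read -r f; do
        if ! openssl x509 -in "$f" -noout -checkend "$secs" >/dev/null 2>&1; then
            printf '%s\n' "$f"
        fi
    done
}
```

Run `cert_inventory /etc/pki` (or wherever your application keeps its certificates) on each host and merge the output into the central inventory; the SHA-256 fingerprint is the stable key for deduplicating the same certificate found in several stores. `certs_from_issuer DIR digicert` then gives you the candidate list to check against the CA's affected-certificate guidance, and `certs_expiring_within DIR 30` is the same check you would run before any planned renewal window.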
Crypto-agility Essentials: Ensure Your Infrastructure Is Up to the Task
The average organization has over 80,000 internal certificates and 7 internal issuing CAs to manage, making PKI infrastructure a critical part of any crypto-agility strategy.
More likely than not, your underlying PKI infrastructure affects your organization's ability to be crypto-agile. On average, we found that organizations have over 80,000 internal certificates and seven internal issuing CAs in use. If the summer 2024 CrowdStrike and Microsoft outages have taught us anything, it is that infrastructure resilience is necessary for when, not if, outages occur.
While Microsoft Active Directory Certificate Services (ADCS) is a popular solution, its inability to cover modern use cases and standards makes it a poor fit for many organizations. Prospective customers rethinking their Microsoft ADCS PKI strategy frequently cite other reasons as well, such as moving to hybrid and multi-cloud environments and the lack of post-quantum cryptographic algorithm support.
A comprehensive PKI platform like Keyfactor's EJBCA Enterprise, which can be deployed anywhere and scales more efficiently, helps teams mitigate the risk of outages and maintain digital trust and crypto-agility.
Crypto-agility Essentials: Automate, Automate, Automate
Once you have a centralized cryptographic inventory and solid underlying PKI infrastructure, it is time to automate your existing manual processes. We work with hundreds of new customers every year to understand their current certificate lifecycle management processes and how we can automate them. In some cases, we have reduced renewal times from weeks to seconds for overloaded teams.
Keyfactor Command certificate lifecycle management is CA-agnostic, meaning it works with almost every CA, and it integrates with many of the leading products in certificate workflows, including F5 Networks, Microsoft IIS, Java KeyStore, Azure Key Vault, HashiCorp Vault, and many more.
Workflows are a powerful way to automate existing processes and reduce the likelihood of a certificate-related outage.
Workflows in Keyfactor Command let organizations configure notifications and approvals as well as automate processes. Customers rely on them to save time and maintain crypto-agility. For more details, you can read about getting started with certificate automation or request a demo.
Crypto-agility Is the New Critical Infrastructure
As organizations deploy more certificates globally, crypto-agility has become part of the critical infrastructure of digital trust. It is not only your PKI and certificate lifecycle management tools that matter, but how quickly your teams can respond, in an automated way, to any incident that affects your environment.
If you’re interested in improving your organization’s crypto-agility, we encourage you to get in touch with us.