Are you ready to move to short-lived SSL certificates?
Short-lived SSL certificates are creating a lot of discussion. SSL certificates, or any certificate issued by a globally trusted authority and installed on any published service (not just web pages), can be the bane of many departments. These certificates are critical not just to keep services ticking, but to reassure users and customers of the validity of the services they are accessing. As a customer-facing resource, they affect how users and customers view your brand reputation.
I imagine most people working with IT have experienced the inconvenience and doubt caused by visiting a website or a resource (remote desktop connection, bank, service provider or more technical resources) only to be confronted by warnings that the site or service cannot be trusted or validated.
As many organisations still manage these certificates manually, the temptation is to obtain certificates for as long as the provider will allow. Not long ago it was common for organisations to use public certificates with lifespans of three to five years.
Longer life certificates do pose several risks, including:
- the longer it is in service the greater the chance that it may fall into the hands of someone else by accident
- the greater likelihood that technology will advance to a point where the cryptography will be broken as it was with SHA1 and others
- it will be re-used elsewhere across the business and ownership and auditing of use will become unmanageable
- at renewal time, the process or expiry is forgotten, or everyone assumes it’s another department’s responsibility
- the people that arranged and managed the certificate previously have moved on
Why the change?
There are many parties involved in the public certificate industry who influence how certificates are presented to users, and when and what type of warning users receive. The main entities are:
- Global certificate providers
- Operating System vendors
- Browser vendors
Many individual organisations amongst these have been working towards reducing the lifespan of public certificates for a while, edging the maximum lifespan downwards. Apple has been the first organisation to announce a change which is likely to force everyone’s hand. From September 2020 any certificates issued with a lifespan of greater than 13 months will be considered insecure by Safari. This means that the next time a certificate is renewed for any services your organisation currently publishes, either internally or externally, after September 2020, if you request a certificate with a lifespan greater than 13 months, all Apple devices will reject the certificate and mark the site as insecure.
This change to short-lived SSL certificates is being implemented to improve the baseline security of all services, to raise the bar for the lowest common denominator, if you will.
What is the risk?
As mentioned, many organisations currently manage the renewal of certificates on services through manual processes. Many IT departments perform a renewal submission to a global Certificate Authority and then work through a process to replace the certificate on all platforms, services, and devices where it is used. This can be a time-consuming activity which is offset by only needing to work through it every two years. It is also common among organisations to experience at least some form of issue relating to the renewal process resulting in service outage or interruption of some level.
Switching the manual process to occur annually doubles the administrative overhead relating to certificate renewals. Needing to follow these processes more frequently could also be considered to double the risk of service interruption, along with the credibility and trust repercussions that follow from such issues.
What can we do?
The first and most obvious fix is to simply move to using certificates with a maximum lifespan of less than 13 months. This will, however, increase the regularity of certificate change management: generating and submitting certificate requests and managing the purchasing cycle. In short, it means a large increase in the administrative overhead of managing each application that uses certificates, and a greater risk that something will get overlooked, resulting in an expired certificate remaining on a service.
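An inventory check for the two failure cases discussed above, a certificate issued from September 2020 with a lifespan over the limit and a certificate that is expired or close to expiry, as an added example that is not Silversands code. The 398-day count used for "13 months", the 30-day renewal window and the example.test hosts are assumptions made for illustration.

```python
import ssl
from datetime import datetime, timedelta, timezone

# Assumptions, not from the article: 398 days as the day count for the
# "13 months" limit, 1 Sep 2020 as the cut-off, a 30-day renewal window.
MAX_LIFETIME = timedelta(days=398)
POLICY_START = datetime(2020, 9, 1, tzinfo=timezone.utc)
RENEW_WINDOW = timedelta(days=30)

def parse_cert_time(value):
    """Parse the 'Sep  1 00:00:00 2020 GMT' form used by ssl.getpeercert()."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)

def audit(cert, now):
    """Return the list of findings for one certificate record."""
    issued = parse_cert_time(cert["notBefore"])
    expires = parse_cert_time(cert["notAfter"])
    findings = []
    if expires <= now:
        findings.append("expired")
    elif expires - now <= RENEW_WINDOW:
        findings.append("renew-now")
    # Certificates issued before the cut-off keep their original lifetime.
    if issued >= POLICY_START and expires - issued > MAX_LIFETIME:
        findings.append("lifetime-too-long")
    return findings

def audit_inventory(inventory, now):
    """Map each service name to its findings, dropping clean entries."""
    report = {name: audit(cert, now) for name, cert in inventory.items()}
    return {name: f for name, f in report.items() if f}

# Constructed sample inventory; in practice the two fields come from
# ssl.SSLSocket.getpeercert() or from a certificate management export.
SAMPLE_INVENTORY = {
    "www.example.test": {"notBefore": "Oct  1 00:00:00 2020 GMT",
                         "notAfter": "Oct  1 00:00:00 2022 GMT"},   # 2 years, new
    "vpn.example.test": {"notBefore": "Mar  1 00:00:00 2019 GMT",
                         "notAfter": "Mar  1 00:00:00 2021 GMT"},   # 2 years, old
    "api.example.test": {"notBefore": "Oct  1 00:00:00 2020 GMT",
                         "notAfter": "Oct 15 00:00:00 2021 GMT"},   # 379 days
    "rdp.example.test": {"notBefore": "Jan  1 00:00:00 2020 GMT",
                         "notAfter": "Jan  1 00:00:00 2021 GMT"},   # expired
}

if __name__ == "__main__":
    now = datetime(2021, 2, 10, tzinfo=timezone.utc)  # fixed for repeatability
    for name, findings in audit_inventory(SAMPLE_INVENTORY, now).items():
        print(f"{name}: {', '.join(findings)}")
```

Run on a schedule against the full list of published services, a report like this gives each certificate a named finding before a browser warning does.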
What Silversands proposes is to take some of the costs and administrative overhead and apply that to consultancy to automate the certificate process.
Automation to the rescue
Whilst moving services to automatic certificate management will require planning and consideration for all new services using certificates, it will remove the risk and ongoing administrative overhead associated with manual certificate renewal processes.
Additionally, moving from paid public certificate authorities to services such as Let's Encrypt, which is set up for automatic certificate management, allows organisations to enrol certificates for free. The only cost is the initial consultancy to set the service up.
Microsoft has already taken steps to embrace automatic certificate management for Azure App Services. In preview as of this article is the option to create a free App Service Managed Certificate, which produces a six-month lifespan certificate that automatically binds to your App Service and is kept up to date by Azure. You can also add an App Service certificate, which is a costed certificate but is generally available (GA) and has fewer of the restrictions and limitations that apply to the free preview service.
To discuss the options around short-lived SSL certificates and managing your service certificates automatically and how this and other automation capabilities can help your organisation reduce ongoing administrative overheads, contact your Silversands account manager.
Silversands is a Microsoft Gold Partner of over 30 years standing, which specialises in Microsoft 365 delivered across cloud (Azure) and hybrid IT infrastructures. We provide consultancy, support and user adoption services. The Covid-19 virus will make organisations seriously re-assess their business continuity plans, as well as threat protection, and we are running a series of webinars over the next few months that will be relevant to your organisation.