01.12.2021 | André Clerc, Nishanthan Sithampary
The Elegance of Let's Encrypt in an Internal PKI
Which administrator hasn’t experienced this? An expiring TLS certificate brings down an important application and, in the worst case, paralyzes important services across the board. Error analysis proves difficult and time-consuming, because log messages such as “Unable to connect to server” or “Service unreachable” say little about the actual cause. Only after laborious analysis do those involved find out that an internal TLS certificate has expired - annoying, as this could have been avoided. Renewing an expired TLS certificate is usually a manual process and, depending on the availability of the PKI team, can take some time, which is why such outages sometimes drag on. Depending on the service, such avoidable failures can cause considerable damage (to property or people). But who is responsible and will pay for any damage caused? Or rather, how can such outages be prevented in the future?
In practice, internal TLS certificates are usually issued for 1 to 3 years and must be renewed regularly. In recent years, the validity periods of public certificates on the Internet have been gradually reduced under pressure from the major browser manufacturers (Apple, Mozilla and Google). Apple was the first browser manufacturer to announce that Safari would only accept TLS certificates with a maximum lifespan of 397 days. The shortened lifespan of TLS certificates is primarily intended to limit abuse in the event that a certificate is compromised and has to be revoked. Revocation is a process that should be properly implemented. However, the reality is often different: revocation processes are only partially or incorrectly implemented. The elegant solution of short-lived certificates partially compensates for this omission. Nevertheless, the revocation process must not be ignored.
Public certification authorities such as SwissSign or DigiCert now only issue TLS certificates with a maximum validity period of 13 months (397 days). This practice has also become established in internal company or IoT PKIs, which increases the risk of certificates expiring unnoticed. However, the expiry of TLS certificates makes perfect sense, as it ensures regular verification of domain affiliation and clears up legacy issues. The risks associated with the expiry of certificates can be countered with a clean revocation process. Expiry also enforces the replacement of key material in the event of a possible compromise of cryptographic algorithms and in particular of their implementations, which ensures that the selected security level is maintained and does not degrade over time.
The regular renewal of certificates requires a clean PKI operation as well as well-implemented and automated processes. Modern interfaces such as ACME, EST or REST APIs help to automate certificate renewal in an internal company or IoT PKI. Let’s Encrypt demonstrates how the automated, regular renewal of certificates works with ACME on the Internet. But how can these technologies be used company-wide?
One solution is modern certificate management systems that cover automated renewal as well as the complete lifecycle processes for certificates. However, the introduction of a certificate management system alone is not enough. Rather, a comprehensive PKI concept is required that covers the following points, among others:
- Evaluation of suitable PKI software and a certificate management system
- Definition of the necessary management processes, in particular the automatic renewal processes
- Triggering of timely renewal notifications by means of tickets/emails to certificate holders (subscribers)
- Definition of escalation levels for certificate holders (subscribers), PKI team, operations team, etc.
- Automated testing of the PKI interfaces
- Appropriate logging, monitoring and alerting of the entire PKI environment
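As an added example (not code from the article or from TEMET AG), the following Python sketch implements the renewal-notification and escalation logic from the list above: it applies the renewal rule that Let's Encrypt clients use (renew after about two thirds of the lifetime, i.e. day 60 of 90), checks a certificate inventory and decides which escalation level to notify. The thresholds, team names and the inventory are constructed assumptions, not values from the article.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed escalation policy (not from the article): teams added to the renewal
# ticket as the number of days left before expiry shrinks.
ESCALATION = [(14, "pki-team"), (7, "operations")]

@dataclass
class CertRecord:
    subject: str
    subscriber: str  # certificate holder, receives the first notification
    not_before: datetime
    not_after: datetime

def renewal_due(cert: CertRecord, fraction: float = 2 / 3) -> datetime:
    """Renewal should start once this fraction of the lifetime has elapsed.
    Let's Encrypt recommends renewing its 90-day certificates after about 60 days
    (two thirds); as a fraction the rule also fits 397-day certificates (~265 days)."""
    return cert.not_before + (cert.not_after - cert.not_before) * fraction

def assess(cert: CertRecord, now: datetime) -> dict:
    """Classify one certificate and decide who has to be notified."""
    days_left = (cert.not_after - now) // timedelta(days=1)  # floored, negative once expired
    if now >= cert.not_after:
        state, notify = "expired", ["subscriber"] + [t for _, t in ESCALATION]
    elif now >= renewal_due(cert):
        state = "renew"  # window open: subscriber first, teams join as the deadline nears
        notify = ["subscriber"] + [t for limit, t in ESCALATION if days_left <= limit]
    else:
        state, notify = "ok", []
    return {"subject": cert.subject, "state": state, "days_left": days_left, "notify": notify}

def sweep(inventory: list, now: datetime) -> list:
    """Check the whole inventory: most urgent first, healthy certificates dropped."""
    alerts = [a for a in (assess(c, now) for c in inventory) if a["state"] != "ok"]
    return sorted(alerts, key=lambda a: a["days_left"])

def _utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample inventory with a fixed reference time so the run is reproducible.
NOW = _utc(2021, 12, 1)
INVENTORY = [
    CertRecord("web.example.internal", "app-team-a", _utc(2021, 9, 20), _utc(2021, 12, 19)),  # 90-day
    CertRecord("db.example.internal", "dba-team", _utc(2020, 11, 1), _utc(2021, 12, 3)),      # 397-day
    CertRecord("legacy.example.internal", "nobody", _utc(2020, 10, 1), _utc(2021, 11, 2)),    # expired
    CertRecord("new.example.internal", "app-team-b", _utc(2021, 11, 15), _utc(2022, 2, 13)),  # fresh
]
```

Running `sweep(INVENTORY, NOW)` yields the expired legacy certificate first, then the 397-day certificate with two days left (all three escalation levels notified), then the 90-day certificate that has entered its renewal window (subscriber only); the fresh certificate produces no alert.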
Conclusion
TLS certificates with a limited validity period are in use almost everywhere and must be renewed once that period ends. Unfortunately, renewal fails too often, which can lead to serious outages. This could actually be prevented. A holistic PKI concept, a clean implementation of lifecycle processes, a high degree of automation and the introduction of a certificate management system can prevent serious and widespread outages due to expiring certificates.
Developing PKI strategies and designing new and modern PKI environments is one of TEMET AG’s specialties. We are also happy to support you in the implementation of a PKI concept.