Skip to main content

Mass certificate revocation shows why security automation matters

(Image credit: Image Credit: Geralt / Pixabay)

Digital certificate industry experts have recently discovered a flaw in the certificate generation practices of several major Certificate Authorities which has resulted in millions of estimated active TLS/SSL certificates that are non-compliant with mandatory industry standards. These standards are engineered to protect cryptographic security as well as trustworthy identity information in public certificates. The certificates to be revoked are cryptographically weaker than the minimum set by industry rules and, left unaddressed, could represent an opening for widespread attacks.

This flaw came to light in the course of vetting a new applicant to be included as a Certificate Authority (CA) in the Mozilla browser’s trusted root store. Industry watchers in charge of vetting this new applicant discovered anomalies in its certificates’ serial numbers, which led to the revelation that a large quantity of public certificates issued by a variety of CAs have suffered from the same irregularities.

Standards require that each certificate include a serial number with at least 64 bits of unpredictable number space, often referred to as entropy. However, researchers discovered that millions of certificates had been issued with noncompliant serial numbers, leading to a mass certificate revocation in recent weeks.

It turns out that CAs employing the commonly used EJBCA open source tool to generate positive numbers with 64 bits of possible combinations were getting results back that consisted of one bit set to zero (to indicate a positive number) followed by 63 random bits. Because the first bit had a predictable value, the actual size of the randomised portion of the number was actually 63 bits, cutting the de facto number space in half from the specified standard.

In addition to a number of CAs needing to fix their systems, this flaw means that a great many end-entity certificates have required revocation. A large-scale, unexpected revocation event like this one is painful for enterprises because it adds a significant number of additional tasks that are detailed, time consuming, and typically only within the capabilities of a few employees with specialised skill-sets.

But worse than the additional workload, unexpected mass certificate replacement introduces the risk of error.

Human error is a risk factor in cybersecurity which companies need to account for and manage, as a single oversight can lead to outages or other service failures for critical digital systems. In a crisis situation such as the one at hand, enterprises must make sure that the possibility of error is reduced to as low a level as possible.

Thankfully, a technology solution is available to enterprises that will allow them efficient, timely, and reliable handling of unforeseen certificate management needs like this one.

Introducing automated certificate management

This incident shines a light on the critical role of automation for enterprise certificate use. Automated capabilities allow for consistently correct maintenance, revocation, and large-scale replacement of certificates with little human intervention needed. Automation offers a multitude of benefits, which pertain  even when an organisation is not at that moment facing an immediate certificate management crisis. When one of these crises does rear its head, however, automation can mean the difference between a historic scandal (see, for example, the Equifax breach) and a contained, solvable situation.

Automated certificate management applications can help with:

Certificate discovery. By trawling a network and finding and categorising certificates, an organisation has the tools to find and fix insufficiently secured and non-compliant certificates.

Certificate replacement. Where necessary, automation can replace non-compliant certificates quickly and without error, with little human effort.

Certificate renewal. For certificates which are within 90 days from their expiration date, automated systems can simply renew rather than replace them.  For each such certificate public CAs will add the remaining validity duration to the new certificate’s lifespan, so that the enterprise can go straight to the new certificates without losing any of the valid certificate time they already have paid for.

Visibility. An automated system can present certificate results in reports or dashboards to give the IT team visibility into  the certificates under its control, and help assure them that all certificates are correct and available.

Having a reliable certificate automation platform in place has never been more important. High visibility failures such as the 2017 Equifax data breach (in which a failure in certificate management opened the door for cyber thieves to steal the personal data of 148 million Americans) and last December's outage of O2, Softbank, and other mobile providers (which affected roughly 40 million people worldwide) have owed themselves to unexpected certificate expirations.

An automated renewal system can protect against similar crises in the future. Such a system can discover, track, and manage the lifecycle of certificates in a reliable way that doesn’t depend on manual effort by individual IT professionals, ultimately upping employee productivity and reducing the risk of critical error and the undesirable consequences they bring to business, security, and public trust.

Tim Callan
Image Credit: Geralt / Pixabay

With 15 years’ experience in the SSL/PKI spaces, Senior Fellow Tim Callan contributes to standards and practices efforts, industry relations, and more at Sectigo, the largest commercial certificate authority.