In May 2022, Megaphone, one of the largest podcast hosting platforms in the world, experienced a major service disruption that prevented listeners on Spotify, Google, and Apple Podcasts from accessing their favorite shows for over eight hours. The cause of this massive outage was simple: Spotify, which had recently acquired Megaphone, failed to renew one of its Secure Sockets Layer (SSL) digital certificates.
Often unnoticed, digital certificates provide foundational trust to the Internet by authenticating human and machine identities and enabling secure data communication. As a result of the explosion of online eCommerce and other internet-enabled business functions, most companies of scale now have thousands of certificates spread throughout their organizations.
As such, certificate management has become a huge responsibility for IT teams. Each of these certificates must be renewed every year, with each renewal typically requiring more than an hour to complete. Many IT departments manage this process in a very low-tech way, typically using a spreadsheet to keep track of their organization’s certificates. However, a major change is coming that will make certificate management exponentially more difficult and leave unprepared IT departments at risk.
Google Shakes Things Up
In March 2023, Google updated its “Moving Forward, Together” roadmap, announcing its intention to drastically shorten the lifespan of public SSL certificates from 398 days to 90 days. Once this change goes into effect, it will more than quadruple the certificate management work of IT departments as what was once an annual responsibility becomes necessary four or more times per year.
If a single expired certificate can cause a global disruption to the largest digital brands on the planet when it only has to be renewed once a year, what problems will enterprises face when they have to renew all their certificates over four times a year?
It is clear businesses can no longer afford the ad hoc approach of managing certificates via spreadsheet. Facing increasingly complicated cybersecurity risks such as phishing, deepfakes, data poisoning, and ransomware, the last thing that IT managers should be doing is spending five or six times the hours renewing digital certificates. 90-day certificate renewal demands that businesses take steps now to automate their certificate management.
Automating the Management of Digital Certificates
Manual processes are prone to mistakes, such as misconfiguration or missing a renewal deadline, which can result in outages and security breaches. Automated Certificate Lifecycle Management (CLM) can help ensure all digital certificates across a network are deployed correctly and that critical tasks such as key rotation, certificate renewal and installation, and certificate revocation are performed promptly and without error, eliminating the vulnerabilities that lapses in these tasks create.
The transition to automated certificate management isn’t always a smooth one, but IT managers can ensure an orderly and well-managed process by following some key steps:
1) Inventory Your Certificates: As seen with Megaphone and Spotify, you can’t leave any stone unturned when it comes to digital certificate management. A single expired certificate can cause a cascade of disruptions across your enterprise. In your organization, there are likely certificates that individuals or third parties have deployed that you and your team may be unaware of.
2) Know Where Your Certificates Come From: When organizations deploy potentially thousands of certificates, it is very likely they do not all come from the same issuing CA. In that case, you will have to make sure that whichever CLM you select is CA agnostic, meaning it can manage and provision certificates from a broad range of popular public and private CAs. That makes it more likely that you can automatically obtain and manage the specific certificates you want to use.
3) Be Aware of Rogue Certificates: IT managers may have a blind spot due to “rogue certificates,” which are certificates that are seemingly valid and issued by a trusted CA but are either compromised or issued to the wrong entity. This can create a gap in your digital security, leaving your organization open to attackers.
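The three steps above (build an inventory, record which CA issued each certificate, and flag certificates whose issuer you did not expect) are exactly the checks a CLM runs continuously. The following Go program is an added illustration written for this page; it is not code from the article or from Sectigo. It parses DER-encoded certificates, computes days to expiry, flags anything inside a renewal window, and flags any certificate whose issuer is not on an approved list. The 30-day window, the approved-issuer list, the hostnames, and the certificates themselves are all assumed or constructed for the example (the `mint` helper generates throwaway test certificates so the program runs offline; a real inventory would read certificates from disk, a key store, or a TLS handshake instead).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// RenewalWindowDays is an assumed policy value: start renewal this many days before expiry.
const RenewalWindowDays = 30

// ApprovedIssuers is a constructed allow-list of issuer CNs. A certificate from any other
// issuer is flagged for review, which is how an inventory surfaces a "rogue certificate".
var ApprovedIssuers = map[string]bool{"Example Internal CA": true}

// Finding is one inventory row plus the checks a CLM would run on it.
type Finding struct {
	Subject, Issuer string
	NotAfter        time.Time
	DaysLeft        int
	DueRenewal      bool // within RenewalWindowDays of expiry, or already expired
	UnknownCA       bool // issuer not on the approved list
}

// Inventory parses DER-encoded certificates and evaluates each one as of now.
func Inventory(ders [][]byte, now time.Time) ([]Finding, error) {
	findings := make([]Finding, 0, len(ders))
	for _, der := range ders {
		cert, err := x509.ParseCertificate(der)
		if err != nil {
			return nil, fmt.Errorf("parse certificate: %w", err)
		}
		// X.509 validity times have one-second precision; round before converting to days.
		days := int(cert.NotAfter.Sub(now).Round(time.Second).Hours() / 24)
		findings = append(findings, Finding{
			Subject: cert.Subject.CommonName, Issuer: cert.Issuer.CommonName,
			NotAfter: cert.NotAfter, DaysLeft: days,
			DueRenewal: days <= RenewalWindowDays,
			UnknownCA:  !ApprovedIssuers[cert.Issuer.CommonName],
		})
	}
	return findings, nil
}

// mint is a test-fixture generator: it issues a certificate for cn, valid lifetimeDays from
// notBefore, signed by parent (a self-signed CA when parent is nil). It panics on failure
// because its inputs are fixed; real inventory code reads certificates from disk instead.
func mint(cn string, notBefore time.Time, lifetimeDays int, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notBefore.AddDate(0, 0, lifetimeDays),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if parent == nil { // self-signed issuing CA
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// SampleInventory constructs three certificates (one healthy, one inside the renewal
// window, one from a CA outside the approved list) and runs the inventory over them.
func SampleInventory(now time.Time) ([]Finding, error) {
	good, goodKey := mint("Example Internal CA", now.AddDate(-1, 0, 0), 3650, nil, nil)
	rogue, rogueKey := mint("Unknown Vendor CA", now.AddDate(-1, 0, 0), 3650, nil, nil)
	api, _ := mint("api.example.test", now.AddDate(0, 0, -10), 90, good, goodKey)       // 80 days left: healthy
	www, _ := mint("www.example.test", now.AddDate(0, 0, -370), 398, good, goodKey)     // 28 days left: due
	legacy, _ := mint("legacy.example.test", now.AddDate(0, 0, -5), 90, rogue, rogueKey) // 85 days left, unapproved issuer
	// Raw holds the DER bytes, the same form an inventory reads from disk or a TLS handshake.
	return Inventory([][]byte{api.Raw, www.Raw, legacy.Raw}, now)
}

func main() {
	findings, err := SampleInventory(time.Now().UTC().Truncate(time.Second))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-20s issuer=%q days_left=%d due=%t unknown_ca=%t\n",
			f.Subject, f.Issuer, f.DaysLeft, f.DueRenewal, f.UnknownCA)
	}
}
```

Two design choices matter in practice. First, the renewal check keys off days remaining rather than the calendar, so the same logic works whether a certificate was issued for 398 days or for 90; only the frequency with which it fires changes. Second, the issuer check is an allow-list, not a block-list: a certificate from a CA the team has never approved is surfaced for review even though it chains to a publicly trusted root, which is the blind spot the third step describes.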
The Need for Automation
90-day digital certificates are a fast-approaching reality. While they will bring security benefits for businesses and help ensure digital trust across the web, they will also be a burden for unprepared IT managers.
Google made this announcement early to give businesses time to adapt, improve their efficiency, and introduce automation. In fact, a core pillar in the “Moving Forward, Together” roadmap focuses on automation and specifically mentions methods of automating digital certificate issuance and management, such as the Automatic Certificate Management Environment (ACME). Automation creates reliable and consistent processes for the entire lifecycle of certificates. Smart IT managers are taking steps now to identify and implement the right automated solution that will reduce the workload of IT teams and minimize enterprise risk.
Tim Callan is the Chief Experience Officer at Sectigo.