Welcome to Consultant Corner
During this time of lockdown and remote working, many are brushing up on their extra reading and learning. We have asked our expert cybersecurity consultants to write up 5-minute reads on trends they’re seeing and tips for IT teams to stay protected. These topics aren’t COVID-19 specific and vary from VPN to brute-force attacks to barcodes.
This blog is focused on changes in Certificate Lifetimes and is written by Martin Ellis.
Browser vendors and other parties have been trying for some time to get the maximum lifetime of HTTPS encryption certificates reduced in an attempt to increase security. After a couple of failed attempts to reduce certificate lifetime to one year via the Certificate Authority/Browser (CA/B) Forum, Apple has decided to enforce this change unilaterally. From the 1st of September 2020, Apple will no longer recognise any new certificates with a lifetime above 398 days.
There have been a number of driving forces for this change, and browser vendors have been requesting a maximum lifetime of one year since 2017. The fundamental driving forces behind this change include reducing the risks inherent in the certificate revocation process, allowing clients and servers to remove support for legacy certificate features, and helping to ensure private key rotation. There has also been a drive in recent years to automate more of the Public Key Infrastructure (PKI), which we will talk about in more detail later in this post.
What do you need to do?
At this point no immediate change needs to be made; existing certificates with a lifetime greater than 398 days will continue to be trusted by Apple products as long as they were issued before the 1st September 2020.
However, when acquiring any new certificates after the 1st September 2020, you should instruct your Certificate Authority (CA) to only issue certificates for 1 year or less, even though the current maximum certificate lifetime set by the CA/B Forum is 825 days (27 months). Failure to do so will result in clients using Apple products, specifically Safari, not being able to access your services.
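To check an existing certificate inventory against the rule above, the following added example (not SureCloud's code) classifies certificates by their notBefore/notAfter dates in the text format printed by `openssl x509 -noout -dates`. The hostnames and dates are constructed, and counting a day as 86,400 seconds is an assumption.

```python
import ssl

APPLE_MAX_DAYS = 398   # Apple's limit, as stated in the post
DAY = 86400            # assumption: one day counted as 86,400 seconds
# Enforcement date from the post, in the text format openssl prints
CUTOFF = ssl.cert_time_to_seconds("Sep  1 00:00:00 2020 GMT")


def check_lifetime(not_before, not_after):
    """Return (verdict, lifetime_in_days) for one certificate's validity dates."""
    start = ssl.cert_time_to_seconds(not_before)
    end = ssl.cert_time_to_seconds(not_after)
    if end <= start:
        raise ValueError("notAfter must be later than notBefore")
    lifetime = end - start
    if start < CUTOFF:
        verdict = "trusted: issued before cutoff"
    elif lifetime <= APPLE_MAX_DAYS * DAY:
        verdict = "trusted: within 398 days"
    else:
        verdict = "rejected: reissue with shorter lifetime"
    return verdict, lifetime / DAY


def audit(inventory):
    """Return hosts whose certificates Apple clients would refuse, longest first."""
    failing = []
    for host, not_before, not_after in inventory:
        verdict, days = check_lifetime(not_before, not_after)
        if verdict.startswith("rejected"):
            failing.append((host, days))
    return sorted(failing, key=lambda item: item[1], reverse=True)


# Constructed sample inventory: (host, notBefore, notAfter)
INVENTORY = [
    ("legacy.example.test", "Aug 15 00:00:00 2020 GMT", "Nov 18 00:00:00 2022 GMT"),
    ("edge.example.test",   "Sep  1 00:00:00 2020 GMT", "Oct  4 00:00:00 2021 GMT"),
    ("shop.example.test",   "Sep  2 00:00:00 2020 GMT", "Sep  2 00:00:00 2022 GMT"),
    ("api.example.test",    "Oct 10 12:00:00 2020 GMT", "Nov 12 12:00:01 2021 GMT"),
]

if __name__ == "__main__":
    for host, days in audit(INVENTORY):
        print(f"{host}: {days:.1f} days, exceeds {APPLE_MAX_DAYS}")
```

The 825-day certificate passes because it was issued before the cutoff, while the one that runs a single second over 398 days is flagged.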
Managing more frequent certificate changes
Whilst more frequent certificate changes may appear to be an overhead, there have been a number of changes in the PKI world of late. With the rise of services such as Let’s Encrypt and of the ACME protocol, automation has been able to take over a once very manual process. In the past, when 10-year certificates were common, managing certificates was largely a fire-and-forget process; a certificate was requested, issued, installed, and then forgotten about. On the whole, the process “worked” in a world where services rarely existed for more than 10 years, but as these certificates started to expire, it became clear this was not a sustainable system. Many service providers experienced significant downtime as it became apparent that no current member of staff knew how to update the certificates used by a service.
There are many methods to automate certificate management; currently the strongest candidate, especially for small to medium size entities, seems to be the ACME protocol. Through the use of the ACME protocol and clients that support it, such as certbot, it is possible to fully automate the certificate renewal process, and many organisations are dealing with frequent certificate renewals. CA support for the ACME protocol is increasing, and the following CAs are known to support the protocol at the time of writing this post:
- Let’s Encrypt
As with any changes, SureCloud recommends that these are fully tested in a non-production environment first. Incorrect encryption certificates could prevent customers accessing your services.