Commentary

Google Chrome distrusts Entrust: What companies can do now

At the end of June, Google announced that its Chrome browser would no longer trust new TLS certificates issued by Entrust. Google explained its decision in a blog post.

Browser vendors like Google, Apple, and Mozilla are continually raising the security requirements for Certificate Authorities (CAs). The challenge for companies is that they have no control over, or influence on, how the decisions of Google, Apple, Mozilla, and Microsoft affect their business operations. This news will cause unnecessary costs for replacing certificates and, in the worst case, visitors will see a browser warning and stay away for fear of malware. The only way to mitigate this risk is to establish a central control layer that manages machine identities such as TLS certificates. This platform should be completely independent of any Certificate Authority; only then can security teams minimize the risk. The Entrust and Symantec cases, among others, show that such decisions are being made more frequently and that the time available to react is getting shorter.

According to Google's recommendation, companies using TLS certificates from Entrust should now switch to digital certificates from other Certificate Authorities by October 31, 2024. Google took this step because Entrust had repeatedly had to admit to errors in issuing certificates.

Looking into the near future, it is clear that the field of digital certificate providers will continue to evolve. The shift towards shorter certificate lifetimes and the growing focus on automation underscore the need for flexible, proactive security strategies. Certificate agility (CA agility) is a cornerstone of crypto agility and refers specifically to the ability to quickly exchange certificates from CAs like Entrust for ones from more trustworthy issuers. Not least, the crypto-agility requirements expected in a post-quantum world underline this development.

Crypto agility is not just about responding to scenarios like the current one with Entrust, but also about proactive management of the certificate lifecycle. This includes automating certificate renewals, ensuring compliance with the latest security protocols, and having a robust process for handling misissued certificates. By integrating crypto agility into their security infrastructure, companies can reduce the risk of digital identity compromises.

Security teams should consider the following points:

  1. Comprehensive visibility and control: They should gain a complete overview of their certificates to understand which ones are affected, track their status, and prioritize replacement to limit service downtime.
  2. Automated certificate lifecycle management: They should automate the issuance, renewal, and revocation of certificates to ensure continuous policy compliance and reduce the risk of manual errors.
  3. Enhanced security posture: They should protect their company from risks associated with compromised certificates by ensuring all certificates meet the latest industry standards and best practices.
  4. Seamless integrations: They should choose a unified approach to certificate management. This ensures a smooth transition and consistent enforcement of security policies across all systems.
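
The first two points above, an inventory of affected certificates ordered for replacement, as an added Go example that is not from the article or from any vendor's product. It assumes a simplified rule: a certificate whose issuer organization contains "Entrust" is affected, and one issued after the article's October 31, 2024 date is treated as already rejected; Chrome's actual policy is keyed to the certificate's earliest Signed Certificate Timestamp and a specific list of Entrust roots, so this is a triage aid, not a replica of the browser's logic. Hosts, issuer names and dates are constructed.

```go
package main
import (
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"sort"
	"strings"
	"time"
)
var Cutoff = time.Date(2024, 10, 31, 23, 59, 59, 0, time.UTC) // date the article gives for moving off Entrust
// Finding is one inventory row. Priority 0 "urgent": Entrust-issued after the cutoff (assumed rejected); 1 "plan": Entrust-issued before it (accepted until expiry, renew with another CA); 2 "ok": other issuer.
type Finding struct {
	Host, Status string
	Priority     int
	NotAfter     time.Time
}
// Inventory classifies by issuer organization (substring match, simplified from the browser's exact root list) and sorts by priority, then soonest expiry, so replacements can be batched.
func Inventory(certs []*x509.Certificate) []Finding {
	var out []Finding
	for _, c := range certs {
		f := Finding{Host: c.Subject.CommonName, NotAfter: c.NotAfter, Status: "ok", Priority: 2}
		if strings.Contains(strings.ToLower(strings.Join(c.Issuer.Organization, " ")), "entrust") {
			f.Status, f.Priority = "plan", 1
			if c.NotBefore.After(Cutoff) {
				f.Status, f.Priority = "urgent", 0
			}
		}
		out = append(out, f)
	}
	sort.SliceStable(out, func(i, j int) bool {
		a, b := out[i], out[j]
		return a.Priority < b.Priority || a.Priority == b.Priority && a.NotAfter.Before(b.NotAfter)
	})
	return out
}
// Sample returns constructed records carrying only the fields Inventory reads; real input would come from x509.ParseCertificate on certificates collected from files, load balancers or endpoints.
func Sample() []*x509.Certificate {
	utc := func(y, m, d int) time.Time { return time.Date(y, time.Month(m), d, 0, 0, 0, 0, time.UTC) }
	org := func(o string) pkix.Name { return pkix.Name{Organization: []string{o}} }
	return []*x509.Certificate{
		{Subject: pkix.Name{CommonName: "intranet.example"}, Issuer: org("Example Corp Internal CA"), NotBefore: utc(2024, 9, 1), NotAfter: utc(2025, 9, 1)},
		{Subject: pkix.Name{CommonName: "shop.example"}, Issuer: org("Entrust, Inc."), NotBefore: utc(2024, 6, 1), NotAfter: utc(2025, 7, 1)},
		{Subject: pkix.Name{CommonName: "api.example"}, Issuer: org("Entrust, Inc."), NotBefore: utc(2024, 11, 15), NotAfter: utc(2025, 12, 15)},
	}
}
func main() {
	for _, f := range Inventory(Sample()) {
		fmt.Printf("%-6s %-17s expires %s\n", f.Status, f.Host, f.NotAfter.Format("2006-01-02"))
	}
}
```

Run as-is it prints the three constructed hosts in replacement order: api.example (urgent), shop.example (plan), intranet.example (ok).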

Conclusion

Certificates have had to be exchanged and replaced in bulk before, so this incident is nothing new. But such events are becoming more frequent, and more security teams need automation to replace affected machine identities in time. If security teams implement these measures, they can prepare their companies and organizations for the crypto-agile future today.