Skip to main content
banner image
venafi logo

3 Reasons to Change Certificate Authorities—Even If Your Browser Doesn’t Tell You To

3 Reasons to Change Certificate Authorities—Even If Your Browser Doesn’t Tell You To

change certificate authority
September 19, 2017 | Nick Hunter

Back in March of this year, Google took the unprecedented move to distrust certificates from a major certificate authority: namely Symantec. This was a wakeup call for organizations everywhere when they quickly realized that they would soon have to find and replace any certificates issued by a certificate provider that uses the Symantec CA in order to avoid business disruption. However, the distrust of Symantec certificates was also a reminder that anything can happen to change the trust of certificates and many organizations began to wonder if they were prepared to move quickly, when they needed to.

Google’s move to distrust Symantec certificates was driven by a series of significant security errors that Google felt compromised the trust of all Symantec certificates. Over the months, we have seen a back-and-forth series of negotiations to determine the extent of that distrust as well as the ultimate timeframe. As we outlined in an earlier blog, the goal was to balance between ensuring security and avoiding industry disruption.

Finally, on September 11, Google announced a formal timeline for the distrust of Symantec certificates. Chrome 66 will begin distrusting Symantec certificates when its Beta is released on March 15, and fully distrust when Chrome is released to stable on April 17, 2018. As Symantec certificates represent over 20% of the market, this may leave many companies scrambling to find and replace all certificates issued by a provider that uses the Symantec CA before the deadline of distrust.

But a certificate authority error is not the only reason that your organization should be prepared to swap out certificates quickly. Ever since the now-infamous DigiNotar compromise of 2011, we have been on high alert for certificate authority compromises that would result in the immediate distrust of a large pool of certificates. In the event of such an event, organizations would need to swap out potentially compromised certificates at the drop of a dime.

Distributed Denial of Service (DDoS) Attacks

Just as outages can inadvertently cause business disruption in your organization, the same can happen at your certificate authority and the services they provide as well. And during that downtime, you may not be able to effectively issue, manage, and revoke your certificates. That gap in coverage could also result in gaps within certificate transparency logs, which would flag your certificates as questionable. Even worse, a cyber criminal could intentionally trigger that outage with a distributed denial of service (DDoS) attack at your internal certificate authority to take advantage of the downtime to manipulate certificates and logs without validation. To minimize damage in the aftermath of a certificate authority outage, you’ll need to quickly find and replace any certificates issued within that timeframe.

Compromised Certificate Revocation List

Certificate revocation lists (CRL) help protect your organization from trusting certificates that have been revoked due to error or compromise. But if that list is even temporarily unavailable to you, you could end up trusting a malicious certificate. This could happen through an outage at your certificate authority, a certificate authority compromise where the list is changed to facilitate malicious activity, or within your own PKI. If a cyber criminal infiltrates your organization and removes a revoked certificate from your local CRL, they can then use that certificate to perform all kinds of malicious functions—totally trusted. And this all happens behind the scenes, so it’s invisible to most. And that makes it even more difficult for you to find and replace any compromised certificates.

Compromised administrator passwords

When your PKI administrators or others within your organization request certificates, they must authenticate themselves with the certificate authority. Generally, that is done with a password. But if cyber criminals can access those credentials, you’re in trouble. They can behave as if they belong to your organization and request certificates on your behalf, that they can then use against you. Once you discover these anomalous certificates on your systems, you’ll need to quickly identify where they have been used and replace them pronto.

Google’s distrust of Symantec certificates is a rather unfriendly reminder of how much agility we need to architect into our PKIs. Security architects and network architects always design edge to core with redundancy as top of mind; but they rarely ever apply it to certificate authorities. Speed and agility in protecting machines identities – being able to issue, replace, and recover from a security incident involving keys and certificates, including CA compromise, is required now more than ever. This is an alarm that can no longer be ignored.

Are you prepared to quickly find and replace certificates impacted for any reason?

Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

roca factorization attacks

ROCA Risks: Are Your Keys Safe?

Are You on Krack? How Widespread Is the Latest Wi-Fi Attack?

accelerate F5 application delivery

Accelerate F5 Application Delivery with Automated Key and Certificate Management

About the author

Nick Hunter
Nick Hunter

Nick Hunter is an accomplished infosec leader with proven performance in driving revenue through successful strategy, enablement, pre-sales, and marketing. He was formerly Sr. Technical Marketing Manager and Product Manager at Venafi.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud


Venafi Cloud manages and protects certificates



* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
(@%+^!#$?:,(){}[]~`-_)
* Please fill in this field
* Please fill in this field
* Please fill in this field
*

End User License Agreement needs to be viewed and accepted



Already have an account? Login Here

×
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more
Chat