
4 Challenges You’ll Face When Switching CAs [How to Overcome Them]

March 21, 2018 | David Bisson

17 April 2018 marks the day when Google will remove trust for all Symantec-issued certificates issued prior to 1 June 2016. The decision reflects a series of security missteps that caused Google to lose trust in Symantec's infrastructure. Those include the issuance of certificates that did not comply with CA/Browser Forum Baseline Requirements as well as Symantec's failure to implement appropriate oversight over companies it had previously entrusted to issue certificates.

At the heart of the Symantec case is a lack of CA policies and processes that, when implemented, can help protect against improper actions. In the absence of such safeguards, organizations should consider switching their certificates over to another CA. By no means is that the only reason why enterprises should consider a change. Nor is it the only element that factors into their decision-making process.

Indeed, organizations face several possible difficulties when it comes to switching CAs. Those obstacles aren't insurmountable, however. With that said, here are four common challenges involved with switching to a new CA and guidelines on how to overcome them.

  1. Inventory
    When organizations are considering a switch to a new CA, they need to first find all of their certificates. They might have a running inventory of all certificates purchased through the appropriate channels, but departments sometimes go rogue and purchase certificates from other CAs without proper authorization.

    Acknowledging that possibility, it's important for organizations to use an automated tool that can find all of their certificates no matter where they are being used and create a comprehensive inventory. IT can then use those records to develop a plan for transitioning to a new CA.
  2. Issuing and Installing
    Next on organizations' list of concerns is issuing and installing certificates. Doug Beattie, VP of SSL product management at GlobalSign, explains in a webinar that this challenge consists of ordering new certificates, requesting them, verifying that their domains are validated and accounts configured, and issuing and installing all of the new certificates. This obstacle is of particular importance for organizations; they don't want to cause a service disruption.

    Fortunately, organizations can take steps to make issuing and installing certificates with a new CA easier. DigiCert notes that this effort begins with following best security practices such as not uninstalling a certificate until organizations have properly installed its replacement on the server, renewing certificates before expiration, and running regular scans of their encryption environment. They should also look into a platform that allows for automated issuance and installation of organization validation (OV) and extended validation (EV) certificates.
  3. Cost
    The steps above might not sound too overwhelming in practice. Even so, some organizations might worry about how much switching to a CA costs. They're already paying fees for an existing certificate agreement; their fear is that they'll need to pay more for a new agreement with less favorable terms.

    Organizations have lots of choices when it comes to the costs of switching to a new CA, however. Many Certificate Authorities offer flexible pricing plans like pay-as-you-go models as well as certificate licensing models where they can purchase thousands of certificates for one flat fee. At the same time, companies should be sure to weigh pricing against the overall value of a certificate agreement. For instance, an arrangement might include SSL management tools, a certificate management platform, and customizable options, features which could all justify higher costs for an organization.
  4. Validity
    Last but not least, organizations don't want to lose out on their certificates' existing validity. Many CAs recognize this fact and work with organizations to ensure their certificates retain the most value over the course of a transition. Towards that end, some Certificate Authorities add the remaining validity of organizations' existing certificates onto their newly purchased replacements. Such measures help organizations save money and thereby help make a transition to another CA smoother.
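The inventory-then-plan step from items 1 and 2, as an added example that is not from the original article or any vendor tool: a Python sketch that ranks inventory records by the date each certificate must be replaced. The host names, issuer strings and the issuer-substring match for the outgoing CA are assumptions made for illustration; the two dates are the ones cited at the top of this article.

```python
import ssl
from datetime import datetime, timedelta, timezone

# Dates stated in the article; the issuer substrings are an assumption for this sketch.
ISSUED_BEFORE = datetime(2016, 6, 1, tzinfo=timezone.utc)
DISTRUST_DATE = datetime(2018, 4, 17, tzinfo=timezone.utc)
OLD_CA_BRANDS = ("symantec", "geotrust", "thawte", "rapidssl")

# Constructed inventory: (host, issuer, notBefore, notAfter), with dates in the
# format printed by `openssl x509 -noout -dates`.
INVENTORY = [
    ("shop.example.com", "O=Symantec Corporation", "Mar 10 00:00:00 2016 GMT", "Mar 10 23:59:59 2019 GMT"),
    ("api.example.com", "O=GeoTrust Inc.", "Aug  2 00:00:00 2017 GMT", "Aug  2 23:59:59 2018 GMT"),
    ("intranet.example.com", "O=Example Other CA", "Jan 15 00:00:00 2018 GMT", "Apr 10 12:00:00 2018 GMT"),
    ("legacy.example.com", "O=thawte Inc.", "Nov 20 00:00:00 2015 GMT", "Apr  2 23:59:59 2018 GMT"),
    ("docs.example.com", "O=Example Other CA", "Jan 15 00:00:00 2018 GMT", "Jan 15 23:59:59 2019 GMT"),
]

def parse(cert_time):
    """Convert an OpenSSL-style certificate time to an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)

def triage(inventory, today, renew_window_days=30):
    """Return (host, action, deadline) for each certificate needing work, soonest first."""
    plan = []
    for host, issuer, not_before, not_after in inventory:
        issued, expires = parse(not_before), parse(not_after)
        old_ca = any(brand in issuer.lower() for brand in OLD_CA_BRANDS)
        if old_ca and issued < ISSUED_BEFORE:
            # Trust ends on the distrust date or at expiry, whichever comes first.
            plan.append((host, "replace-before-distrust", min(expires, DISTRUST_DATE)))
        elif old_ca:
            # Still trusted for now; move it to the new CA when it comes up for renewal.
            plan.append((host, "replace-at-renewal", expires))
        elif expires - today <= timedelta(days=renew_window_days):
            # Not part of the CA switch, but it will expire (or has) within the window.
            plan.append((host, "renew", expires))
    return sorted(plan, key=lambda row: row[2])

if __name__ == "__main__":
    for host, action, deadline in triage(INVENTORY, datetime(2018, 3, 21, tzinfo=timezone.utc)):
        print(f"{deadline:%Y-%m-%d}  {action:<24} {host}")
```

Sorting by deadline rather than by category surfaces certificates that expire before the distrust date, which would otherwise be scheduled too late.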

Certificate Management as a Core Concern

Most if not all of the challenges discussed above boil down to organizations finding a certificate management solution that maximizes flexibility, control, and security. Such a platform can help them manage their certificates regardless of which CA they ultimately choose.

About the author

David Bisson

David is a Contributing Editor at IBM Security Intelligence. David Bisson is a security journalist who works as Contributing Editor for IBM's Security Intelligence, Associate Editor for Tripwire and Contributing Writer for Gemalto, Venafi, Zix, Bora Design and others.
