With its promise of free TLS certificates for the masses, Let’s Encrypt has been a major force behind the widespread adoption of HTTPS over the past several years. Securely managing the burgeoning population of certificates that act as machine identities for websites, however, is not free. The need for management becomes critical when a crypto-event forces organizations to quickly find and replace all their certificates, such as when Google and other browser vendors distrusted millions of Symantec certificates. Those certificates had to be replaced immediately; otherwise they would have stopped being accepted and disrupted every system they were protecting.
Well, that day has come for some of the millions of websites that rely on Let’s Encrypt machine identities to protect their connections and communications. Next week, on September 30, 2021, the older root certificate that Let’s Encrypt’s chain of trust has depended on since its launch, IdenTrust’s DST Root CA X3, expires. What does this mean? Any client that trusts only that root, and has never been updated to trust Let’s Encrypt’s own ISRG Root X1, will reject certificates that chain to it, and the machines those clients connect to will become unreachable. In most circles, that’s called an outage.
This is not an isolated problem. Pratik Savla, senior security engineer at Venafi, notes that “A root certificate is the primary critical link in the chain of trust for the keys and certificates that serve as machine identities. Root certificates are embedded in nearly every type of software and hardware used in today’s enterprise infrastructure.” This means that when a root certificate expires, it has the potential to impact a wide range of machines. “Root certificates come with much longer validity periods, so when they expire the negative impact is also much larger,” warns Savla.
Granted, this will not be a problem for most systems. The lifespan of Let’s Encrypt certificates is significantly shorter than those from other certificate authorities (CAs). While the major browser root programs now cap publicly trusted certificate lifespans at 398 days (about 13 months), Let’s Encrypt certificates are valid for only 90 days. Because Let’s Encrypt switched its default issuance chain to ISRG Root X1 earlier in 2021, that 90-day rotation means nearly every Let’s Encrypt certificate still in service on September 30, 2021 will already have been issued under the new chain; the remaining risk sits with clients whose trust stores were never updated to include ISRG Root X1.
Some older devices, which do not receive trust-store updates, could be impacted when DST Root CA X3 expires. We saw the potential impact of an expired root certificate back in May 2020, when the AddTrust External CA Root expired and companies including Stripe, Red Hat and Roku suffered outages. But given the much broader use of Let’s Encrypt machine identities, the impact could be even greater this time around.
“At least something, somewhere is going to break,” warns security researcher Scott Helme in a recent blog post. This may ring particularly true for embedded systems designed never to update automatically, or for smartphones running significantly older software.
How can you be sure that your organization is immune to outages caused by the expiring root certificate? “Groups/individuals tasked with managing PKI infrastructure need to understand that updating a root certificate is different from simply updating a web browser or OS or even a server certificate. Because root certificates have much longer validity periods, when they expire there can be significantly larger negative impacts,” notes Savla. “To address these risks, organizations need a proper plan/strategy that includes hard requirements to ensure they can update their root store and all dependent infrastructure with the new active root before the old one expires. Such plans should also ensure that any areas potentially causing single points of failure (SPOFs) are addressed first.”
To be sure, Let’s Encrypt has taken every step it reasonably could to ensure a smooth transition. Earlier this year it switched its default chain to its own ISRG Root X1, a root it has operated since 2015 that does not expire until 2035. Some machines (such as older Android phones) still do not trust ISRG Root X1, so Let’s Encrypt obtained a cross-signature of ISRG Root X1 from DST Root CA X3 that is valid until September 30, 2024, three years beyond the signing root’s own expiry. Android does not check the expiry date of certificates in its own trust store, so those older devices keep accepting the chain through the expired root for as long as the cross-signed certificate lasts. The exception runs the other way as well: clients built on OpenSSL 1.0.2 or older that still carry DST Root CA X3 in their trust store reject the default chain even when they also trust ISRG Root X1, because they do not try an alternative path once they have built one through the sent certificates; removing the expired root from the client or serving the shorter chain from the server fixes that. While this should mean that most devices remain breakage-free for three more years, the best-laid plans are sometimes not enough. Only time will tell how wide the impact may be.
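The question in the two paragraphs above, which clients keep working and which break, comes down to how a client builds a path from the server-sent certificates to a root it trusts, and whether it checks the expiry of that root. The following is an added example, not code from the article, Venafi or Let’s Encrypt. It parses certificate metadata in the text format printed by `openssl x509 -noout -subject -issuer -enddate`, then models four client populations against a constructed chain shaped like Let’s Encrypt’s 2021 default chain (leaf, R3, ISRG Root X1 cross-signed by DST Root CA X3). The hostname, leaf expiry and the two path-building strategies (`trusted_first` for browsers and OpenSSL 1.1+, sent-chain-first for OpenSSL 1.0.x) are simplifying assumptions of this example; the root and intermediate expiry dates are the published ones.

```python
"""Model which TLS clients still validate a Let's Encrypt chain after
DST Root CA X3 expires.  Added example, not from the article or Let's Encrypt.
Certificate data is constructed text in the format printed by
`openssl x509 -noout -subject -issuer -enddate`, one triple per cert."""
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime


def parse_openssl_text(text):
    """Turn repeated subject= / issuer= / notAfter= lines into Cert objects."""
    certs, cur = [], {}
    for line in text.splitlines():
        key, _, val = line.partition("=")
        if key in ("subject", "issuer"):
            cur[key] = val.strip()
        elif key == "notAfter":  # e.g. "Sep 30 14:01:15 2021 GMT"
            when = datetime.strptime(val.strip(), "%b %d %H:%M:%S %Y %Z")
            certs.append(Cert(cur["subject"], cur["issuer"], when.replace(tzinfo=UTC)))
            cur = {}
    return certs


def cn(dn):
    """Extract the CN from an OpenSSL-style DN, for readable messages."""
    return next(p.split("=", 1)[1].strip() for p in dn.split(",") if p.strip().startswith("CN"))


def build_path(chain, roots, trusted_first):
    """Walk from the leaf towards a trust anchor; returns (path, anchor_or_None).
    trusted_first=True : check the root store at every step before using the next
                         server-sent cert (browsers, OpenSSL 1.1+; simplified model).
    trusted_first=False: follow the sent certs as far as they go, then look for a
                         trusted issuer from the top down (models OpenSSL 1.0.x)."""
    sent = {c.subject: c for c in chain[1:]}
    path = [chain[0]]
    while True:
        if trusted_first and path[-1].issuer in roots:
            return path, roots[path[-1].issuer]
        nxt = sent.pop(path[-1].issuer, None)
        if nxt is None:
            break
        path.append(nxt)
    for i in range(len(path) - 1, -1, -1):
        if path[i].issuer in roots:
            return path[: i + 1], roots[path[i].issuer]
    return path, None


def validate(chain, roots, at, trusted_first=True, enforce_anchor_expiry=True):
    """(ok, reason) for a client holding `roots` at time `at`.  Android ignores
    the expiry of certificates in its own store: enforce_anchor_expiry=False."""
    path, anchor = build_path(chain, roots, trusted_first)
    if anchor is None:
        return False, f"no trusted issuer for {cn(path[-1].subject)}"
    for c in path:
        if c.not_after < at:
            return False, f"{cn(c.subject)} expired {c.not_after:%Y-%m-%d}"
    if enforce_anchor_expiry and anchor.not_after < at:
        return False, f"trust anchor {cn(anchor.subject)} expired {anchor.not_after:%Y-%m-%d}"
    return True, f"anchored at {cn(anchor.subject)} after {len(path)} sent cert(s)"


# Constructed sample: what a server sends (leaf first).  Hostname and leaf expiry
# are made up; R3 and cross-signed ISRG Root X1 dates are the published ones.
SAMPLE_CHAIN_TEXT = """\
subject=CN = www.example.test
issuer=C = US, O = Let's Encrypt, CN = R3
notAfter=Dec 15 12:00:00 2021 GMT
subject=C = US, O = Let's Encrypt, CN = R3
issuer=C = US, O = Internet Security Research Group, CN = ISRG Root X1
notAfter=Sep 15 16:00:00 2025 GMT
subject=C = US, O = Internet Security Research Group, CN = ISRG Root X1
issuer=O = Digital Signature Trust Co., CN = DST Root CA X3
notAfter=Sep 30 18:14:03 2024 GMT
"""
# Constructed sample root store: both self-signed roots, published expiry dates.
ROOT_STORE_TEXT = """\
subject=C = US, O = Internet Security Research Group, CN = ISRG Root X1
issuer=C = US, O = Internet Security Research Group, CN = ISRG Root X1
notAfter=Jun  4 11:04:38 2035 GMT
subject=O = Digital Signature Trust Co., CN = DST Root CA X3
issuer=O = Digital Signature Trust Co., CN = DST Root CA X3
notAfter=Sep 30 14:01:15 2021 GMT
"""
CHAIN = parse_openssl_text(SAMPLE_CHAIN_TEXT)
ROOTS = {c.subject: c for c in parse_openssl_text(ROOT_STORE_TEXT)}
AFTER_DST_EXPIRY = datetime(2021, 10, 1, tzinfo=UTC)


def scenarios(at=AFTER_DST_EXPIRY):
    """Four client populations evaluated against the sample chain at `at`."""
    isrg_only = {s: c for s, c in ROOTS.items() if "ISRG" in s}
    dst_only = {s: c for s, c in ROOTS.items() if "DST" in s}
    return {
        "modern client, both roots": validate(CHAIN, ROOTS, at),
        "openssl 1.0.2, both roots": validate(CHAIN, ROOTS, at, trusted_first=False),
        "openssl 1.0.2, DST root removed": validate(CHAIN, isrg_only, at, trusted_first=False),
        "old client, DST only": validate(CHAIN, dst_only, at),
        "old android, DST only": validate(CHAIN, dst_only, at, enforce_anchor_expiry=False),
    }


if __name__ == "__main__":
    for name, (ok, why) in scenarios().items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}: {why}")
```

To run the same check against a real server, capture the sent chain with `openssl s_client -connect host:443 -servername host -showcerts </dev/null`, split the PEM blocks, and feed each one through `openssl x509 -noout -subject -issuer -enddate`; concatenating those outputs produces exactly the text `parse_openssl_text` expects. The model deliberately omits signature verification and name constraints; its purpose is the path-building decision, which is where the September 2021 failures actually came from.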
How could this root certificate expiration impact your organization? “Any impending root certificate expiration will always become problematic for organizations who don’t have a strategy in place to ensure their overall infrastructure is updated and synced in to trust the newer root,” notes Savla. “It’s really worth the time required to create a plan for this scenario because we’re likely to see more root certificate expirations in the future.”
Savla advises that “Cross-signing is a workaround that many organizations use as a temporary buffer against significant security and availability catastrophes that happen when planning is insufficient. The problem is that this approach doesn’t offer a solution to expiration or revocation tracking, and this can become problematic when dealing with revoking compromised certificates or stolen credentials.”
Do you know how many of the billions of Let’s Encrypt certificates in circulation your organization is using? You may be surprised how often unmanaged certificates, and even rogue CAs, pop up across business units. Luckily for you, Venafi can help you locate all the certificates being used across your organization. Talk to an expert today to kickstart your digital transformation!