Preparing for Coming Changes to Digital Certificates

A digital certificate is a cryptographically verifiable method of conveying identity across the internet. Certificates are issued by a Certification Authority (CA), which is a trusted entity responsible for validating identity. The authenticity of a certificate can be verified through a related public and private key pair. This technology is known as public key infrastructure (PKI). The most common use of digital certificates is in our web browsers. These certificates allow web browsers across all devices to determine which websites are representing themselves legitimately, and to establish a transport layer security (TLS) connection knowing the site is not being spoofed. Certificates used to represent websites are often referred to as WebPKI. The WebPKI is governed by the CA Browser Forum, a group made up of the CAs that issue the certificates and the browsers that trust those certificates.

For most organizations, the website is critical to staying connected to customers, suppliers, and business partners. Digital certificates are the backbone of these connections, and without a valid certificate, most web browsers will show website users an error message. Many organizations also rely on applications, in addition to web browsers, that use certificates in the background for TLS connections. The size of the company often dictates the size and complexity of its inventory of digital certificates. Larger organizations can have thousands of domains and thus thousands of digital certificates to manage. Managing all of these is critical, because one certificate that expires can take down an entire website or system. Organizations of all sizes should seek to automate certificate management whenever possible.


Other Common Use Cases

Many organizations use certificates for client authentication to support passwords and other mechanisms of authentication. These certificates, along with the key pairs, can be used to identify a corporate-owned device to a firewall and VPN server. These are often privately trusted certificates, and the requirements are defined by the individual organization.

In addition to TLS certificates, the CA Browser Forum sets requirements for secure email certificates and code signing certificates. Secure/Multipurpose Internet Mail Extension (S/MIME) certificates are used to verify the sending email address, confirm that the contents of the email were not altered after it was sent, and encrypt an email between two email users. Code signing certificates are critical to enable an operating system to verify the origins of a piece of software. Another use for digital certificates that is growing globally is mark certificates. These certificates are used to present, in the email client, a verified trademark associated with an email from a given organization. Mark certificates help combat spoofed and phishing emails and designate legitimate emails.

Other governmental use cases allow governments to issue digital identification methods to citizens to interact with public services. European governments issue smart ID cards with digital certificates to access personal data, such as health and tax records. Accessing this personal information requires a secure method, and that is built on a secure method of authentication. 

PKI is critical to securing a wide range of digital use cases. The nature of each PKI use case determines the required method of validating the identity, the content of the certificate, or the type of keys used to secure transactions. It is important to understand the risks of each use case and apply proper PKI management policies based on the risk involved. A single approach for all use cases can lead to complications, because the ever-changing requirements for public trust may not fit internal use cases.


Changes Coming to WebPKI

In April 2025, the CA Browser Forum adopted a ballot making major changes to TLS certificates. The maximum allowable certificate lifespan will be reduced from the current 398 days to 200 days in 2026, with further reductions until it reaches 47 days in 2029.

If your organization is managing certificates manually, a network administrator is likely spending a few hours each year to access servers, generate new key pairs, initiate a certificate signing request, and install a new certificate, for every WebPKI certificate in your inventory. The change in certificate lifespan by the CA Browser Forum means these maintenance activities will need to occur four to five times a year. The eventual goal is to make this a monthly process by 2029. The manual effort involved is set to increase significantly, and the risk and consequences of an outage if a cycle is missed remain critical.

In addition to the certificate lifecycle considerations, there have been several events that have required mass revocation and replacement of certificates. Mass revocation events can stem from a number of issues. Examples include an error discovered in the template used to create the certificate content, an error discovered in the process used to validate control of the domain, or a severe vulnerability discovered in the CA’s systems. These events can turn a planned maintenance activity into an urgent task that needs to be completed within 24 hours or 5 days, depending on the event that led to the need to replace the certificate. In addition to mass revocation events, we have also seen CAs in the WebPKI space distrusted. This means an organization could need to find a new partner the next time its certificate is up for renewal. Different CAs might have different methods to perform domain control validation, and changes can slow down the process.

All the events in the WebPKI space make it clear that automation is required to ensure an organization does not suffer a critical outage. Every CA is required to support automation within its processes for domain control validation. These automation methods are publicly available at no cost, but it will take some time to implement the automation in each unique environment. The most popular certificate automation method is a protocol known as Automated Certificate Management Environment (ACME). ACME has open source reference implementations from the Internet Security Research Group. Before implementing any new systems and methods for automation, it is recommended that an organization undergo a detailed risk assessment based on the types of certificates it uses.


Assessing the Risk of the Organization’s Digital Certificate Landscape

The first step of any assessment is taking an inventory of the certificates within an organization. Uses of certificates do not reside only in an information systems department. Other parts of the organization, such as operations or procurement, might use them. Many organizations have a mix of various certificate use cases. Many use public TLS certificates for a range of use cases within the organization, because it is easier to procure a certificate than to stand up a private CA environment. There is a significant movement in the WebPKI environment to ensure publicly trusted TLS certificates are not used for other purposes.

The WebPKI space is constantly evolving to address the broad and ever-changing risks of the public internet. This requires certificate users to be highly adaptable. Changes, such as those to certificate lifespan or certificate content, will not consider use cases other than TLS when new requirements are implemented. These changes have had significant negative impacts on organizations that were not prepared to adapt. As an example, including a certificate in a hardware device that is used to check with an update server is not a viable use of a TLS certificate. The frequency with which TLS certificates must be replaced can leave these devices unable to communicate with the update server.

Private PKI solutions used to require a significant investment in hardware and software and specialized personnel to operate. These services can now be procured from major CA vendors and cloud service providers much more affordably. These solutions allow an organization to customize everything from the root certificate and algorithms to the end use subscriber certificate content. In many cases the environment can be configured so the service provider does not have logical access to the PKI hierarchy. This method of operating a private PKI offers a high level of customization, scalability, and state-of-the-art hardware at a fraction of the price.

CAs are offering various tools to help automate certificate lifecycle management of an organization’s entire inventory of certificates. This allows an organization to track the type of certificate and expiration date and, in many cases, facilitate automation of certificate lifecycle events. As the use cases for digital certificates continue to grow, being able to maintain a single source for tracking and taking action on certificates is key.


Conclusion

The steps to prepare for the changes coming with shortened certificate lifecycles are the same steps organizations need to take to prepare for the impact of a post-quantum computing environment.

  1. Each organization needs to undertake a manual process of inventorying the certificate use cases within the boundaries of the organization.  
  2. Determine any use cases that can be better served with a private CA and move away from WebPKI certificates when possible.
  3. Automate as many certificate lifecycle events as possible.
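
The three steps above as a minimal inventory triage in Python. This is an added example, not part of the original article. The inventory records, the renew-at-one-third policy, the March 15 effective dates and the intermediate 100-day step are assumptions not stated on the page.

```python
import math
from datetime import date

# Maximum public TLS lifetime by issuance date. 398, 200 and 47 days are the
# page's figures; the March 15 dates and the 100-day step are assumptions.
SCHEDULE = [(date(2029, 3, 15), 47), (date(2027, 3, 15), 100),
            (date(2026, 3, 15), 200), (date.min, 398)]
RENEW_AT = 1 / 3  # assumed policy: replace when a third of the lifetime remains

def max_lifetime(issued: date) -> int:
    """Limit in force for a certificate issued on the given date."""
    return next(days for start, days in SCHEDULE if issued >= start)

def renewals_per_year(limit_days: int) -> int:
    """Replacement cycles per year when renewing at the RENEW_AT margin."""
    return math.ceil(365 / (limit_days * (1 - RENEW_AT)))

def assess(cert: dict, today: date) -> dict:
    """Triage one inventory record against the three steps listed above."""
    lifetime = (cert["not_after"] - cert["not_before"]).days
    remaining = (cert["not_after"] - today).days
    actions = []
    if remaining < 0:
        actions.append("expired")
    elif remaining <= lifetime * RENEW_AT:
        actions.append("renew-now")
    if cert["public"] and cert["use"] != "tls-server":
        actions.append("move-to-private-ca")  # step 2: not a WebPKI use case
    if not cert["automated"]:
        actions.append("automate")            # step 3
    # Public certificates get the limit that will apply to their replacement.
    limit = max_lifetime(cert["not_after"]) if cert["public"] else None
    return {"name": cert["name"], "next_limit_days": limit,
            "renewals_per_year": renewals_per_year(limit) if limit else None,
            "actions": actions}

# Constructed inventory records (hypothetical names and dates).
INVENTORY = [
    {"name": "www.example.com", "use": "tls-server", "public": True, "automated": False,
     "not_before": date(2025, 6, 1), "not_after": date(2026, 7, 3)},
    {"name": "updater.device.example", "use": "device-update", "public": True, "automated": False,
     "not_before": date(2025, 9, 1), "not_after": date(2026, 10, 4)},
    {"name": "vpn-client-0042", "use": "client-auth", "public": False, "automated": True,
     "not_before": date(2026, 1, 1), "not_after": date(2028, 1, 1)},
]

if __name__ == "__main__":
    for record in INVENTORY:
        print(assess(record, today=date(2026, 5, 1)))
```

Under the assumed one-third renewal margin, the 47-day limit works out to twelve replacement cycles a year, which matches the monthly cadence described earlier.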

Work closely with your CA to ensure they are bringing you the resources to support your current needs, and ask what products they are working on to provide additional automation and ease.

Act now to safeguard your organization against future challenges. Contact BDO’s Third Party Attestation team to help guide your organization and help ensure seamless operations in a rapidly changing digital landscape.