Certificate outages are an entirely preventable disaster

These days, I wince anytime a major digital service outage makes headlines. Outages happen, of course -- and sometimes they are unavoidable. Servers crash. Cybercriminals get lucky. People make mistakes.

That’s not why I wince, though. I wince because anytime an email exchange goes down, a music service crashes, or a mobile provider loses service, I know there are good odds that the culprit is none of those things. All too often, major service outages come down to two simple words: "expired certificate."

Digital certificates increasingly underpin today’s increasingly digital ecosystem. They are used to establish digital trust between identities, whether those identities are users, devices, applications, or other entities. They are used for network authentication, remote access, document signing, process automation, code signing, and more. Digital certificates are used to verify identities and secure communications over the internet, but to work, they need to be managed effectively. As the number of certificates in use skyrockets, reliable Certificate Lifecycle Management (CLM) is becoming more important -- and the consequences of poor management are growing increasingly clear.

Why Certificate Outages Happen

Digital certificates are essential. Without a reliable way to verify that digital identities are what they claim to be, it would be impossible to establish any sort of digital trust. Modern businesses rely on countless digital processes to do things like authenticate users, grant or deny access to information, process transactions, and more. Digital certificates play an important role in every step of those processes, allowing a wide range of digital identities to talk to one another securely.

Unfortunately, this chain of trust can be broken. Digital certificates have defined lifespans, meaning that they will eventually need to be renewed or revoked. This is by design -- after all, the shorter the lifespan, the lower the odds of a bad actor compromising the private key upon which a certificate is based. When a certificate expires, it gives the organization the opportunity to rotate their private keys and take steps to remediate any known security threats that may have arisen since the certificate was first issued. Sadly, it doesn’t always happen quite so smoothly.

A decade ago, it might have been possible for an enterprise IT employee to manage an organization’s digital certificates manually, tracking expiration and renewal dates on a spreadsheet. Unfortunately, this is no longer the case. The explosion of connected devices, the shift toward widespread remote work, increased adoption of cloud environments, and other factors have sent the number of certificates in use by the average organization soaring. An organization that once managed a few dozen certificates might now manage thousands -- and even the most diligent employee would find thousands of certificates difficult to juggle.

Understanding the Consequences -- and How to Avoid Them

What happens when something slips through the cracks? Unfortunately, there are dozens of examples -- and no industry is immune. When a certificate expires, the odds are good that a chain of trust has been broken somewhere, and an essential process may be affected. Even companies at the cutting edge of technology, including Google and Microsoft, have experienced significant service outages caused by expired certificates. Perhaps the most famous outage is still the O2 incident just a few years ago, in which an expired certificate resulted in mobile network outages for millions of smartphone users in 11 different countries.   

The stakes are very high but many organizations have not yet taken the necessary steps to avoid potential catastrophe. Large enterprises like Microsoft and Google can absorb the cost of an outage without too much difficulty, most organizations cannot. How many of today’s small businesses rely on online shopping to stay afloat? How many could survive an expired certificate disrupting their ability to process transactions on Black Friday? This is not idle speculation -- just a few months ago, an expired certificate briefly took down Shopify, a popular ecommerce platform. It is impossible to gauge the full downstream effect of that outage on the businesses reliant on the platform.

These incidents are avoidable. As certificate volumes have grown and manual management has become untenable, automated CLM solutions have risen to meet the challenge, providing organizations with a more reliable way to manage the thousands, tens of thousands, or even millions of certificates in their environments. Modern organizations use certificates for a wider range of use cases than ever. They use certificates issued by a multitude of certificate authorities (CAs). They use certificates with year-long lifespans, and certificates with hour-long lifespans. Manual management isn’t difficult -- it’s impossible and irresponsible. Without reliable, CA-agnostic CLM, an outage isn’t just likely. It is inevitable.

Don’t Leave Your Business to Chance

Digital certificates have been around for decades, but the number of certificates in use has grown exponentially over the past several years. With remote work here to stay, DevOps development growing increasingly popular, and new connected devices hitting the market every day, responsible organizations will need a plan to effectively manage those certificates. Modern, automated CLM tools not only provide a scalable solution for organizations looking to manage their growing certificate volumes but a reliable one as well. Mistakes happen, but when it comes to digital certificates, those mistakes can be costly. Don’t leave your organization’s digital health at the mercy of human error -- embrace automation and make certificate-driven downtime a thing of the past.

Photo credit: Nestor Rizhniak / Shutterstock

Ed Giaquinto is CIO, Sectigo. Ed oversees IT and support, leading initiatives around change control, onboarding, proof of concept (POC), customer communications, service, and innovation in operational practices. Ed assumed the role in February 2019 following his role as Sectigo’s VP of Information Technology, where he led strategic planning and IT process development gleaned from 30 years in the IT industry.