Feb 18 2021

Automating TLS/SSL Renewals Can Help Avoid Website Disasters for Agencies

Accidental lapses can also be averted when website certificates are renewed automatically.

Digital certificates and public key infrastructure have always posed challenges for IT managers. The technology isn’t especially difficult to understand, but inconsistent design and poor operational security have made it complicated as well as expensive.

Now, the hurdles to smooth operation have grown. The big browsers — Safari, Chrome and Firefox — have decided that digital certificates may have a maximum lifetime of only 398 days, just a bit more than a year.

There are plenty of reasons for this, including problems with the certificate revocation process, aging cryptographic algorithms and a goal of increasing ­overall operational security. But for IT managers, the new reality (as of September 2020) is that every public certificate they deploy must be replaced about a year later.

Fortunately, the Automated Certificate Management Environment (ACME) — a protocol that automates the process of requesting, verifying, renewing and revoking digital certificates — is widely available for common web servers, and is beginning to migrate into other products, such as Internet of Things devices, network firewalls and load ­balancers. ACME ­completely automates all phases of the certificate management process in a nonproprietary and straightforward way. If ­certificate renewal and replacement can be ­automated, then IT managers won’t mind if it happens every 12 months, every 3 months or every Patch Thursday.

MORE FROM FEDTECH: Find out how to combat encrypted attacks on government traffic. 

How Digital Certificates Worked in the Past

IT managers who have tried to request and manage digital certificates have seen other, older protocols: Simple Certificate Enrollment Protocol (SCEP); Enrollment over Secure Transport (EST; basically, a more secure version of SCEP); and the Certificate Management Protocol (CMP).

ACME builds on years of experience with those protocols and solves a much broader problem: how to completely automate the process of certificate management between a certificate user and a certification authority — public or private.

While SCEP still has a limited ­lifetime in constrained private certification authority environments, IT managers can expect that ACME will push ­everything aside over the next few years.

ACME has over 50 different ­integrations available — a big number for ­something so new — because of a related project called Let’s Encrypt, which has created a free public ­certification authority. 

Let’s Encrypt has been wildly ­successful, with more than 200 million websites using its digital certificates.

130

The number of .gov website certificates that expired during the 2018-2019 partial ­government shutdown

Source: Netcraft, “Manufacturing.gov and White House security suffer under U.S. shutdown,” Jan. 16, 2019

However, Let’s Encrypt has a ­downside: Its certificates are only good for 90 days. This means that ­anyone who wants to use Let’s Encrypt must have an automated way to renew that certificate, or its zero cost is not worth the extra overhead.

This is why ACME, tied directly to the Let’s Encrypt project, is so successful: It’s an open-source product that lets people use free certificates and save a ton of money — not just the money they would have paid for the certificates, but also the time and money it costs to replace a certificate every time it expires.

IT managers who have existing ­relationships with other certification authorities don’t need to jump ship, however. The big public CAs are beginning to put ACME support into their products, and the CA you work with now may already have ACME available.

Why are the big CAs adopting ACME? It makes life easier for their ­customers and reduces support ­headaches related to the certificate request and renewal process.

Certifications Can Be Complicated for Agency IT Managers

Websites are the biggest market for ­public TLS/SSL digital certificates, but public certificates also go into VPN ­concentrators, email servers, network appliances, RADIUS servers, LDAP servers, wireless controllers, ­virtualization infrastructure, VoIP devices and SANs. And the list goes on.

To be honest, most of those don’t support ACME. And they may never, which means that, for these types of devices, the burden of dealing with yearly renewals for certificates is only going to get worse. For IT managers who have an extensive collection of devices that don’t support ACME, the alternative is to shift to privately issued certificates. The browsers that reject long-lived certificates are focused on public certification authorities, not enterprise-private CAs.

This means that if you have an entirely private requirement, such as VPN servers that are used only by your own staff members, then you can — if you want — use your own CA, distribute your own root certificate to your ­organization’s desktops, laptops and mobile devices, and then issue ­certificates with a longer lifetime.

For everyone else, now is a great time to jump on the automated TLS/SSL ­certificate management offered by ACME. The market is getting bigger and stronger, the technology is well supported, and the sooner you start to use automated renewals through ACME, the more time and money you’ll save.

Luca Piccini Basile/Getty Images