Digital certificates and public key infrastructure have always posed challenges for IT managers. The technology isn’t especially difficult to understand, but inconsistent design and poor operational security have made it complicated as well as expensive.
Now the hurdles to smooth operation have grown. The big browsers (Safari, Chrome and Firefox) have decided that publicly trusted TLS certificates issued on or after September 1, 2020 may have a maximum validity of 398 days, a bit more than 13 months. A certificate issued after that date with a longer lifetime is simply rejected by those browsers.
There are good reasons for this. Certificate revocation checking is unreliable in practice, so a shorter lifetime limits how long a stolen key or mis-issued certificate stays usable; aging cryptographic algorithms and key sizes leave the ecosystem faster when every certificate is reissued yearly; and the change raises overall operational security by forcing organizations to practice replacement rather than treat it as a rare event. But for IT managers, the new reality (as of September 2020) is that every publicly trusted certificate they deploy must be replaced about a year later.
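The check a practitioner wants after reading that is a quick audit of an existing inventory: which certificates exceed the new limit, which are merely old long-lived certificates that remain valid until they expire, and which are due for renewal now. The following is an added example written for this article (not code from FedTech, a browser vendor or any CA). It reads dates in the string format Python's `ssl.SSLSocket.getpeercert()` returns, so the same functions work on a live handshake result; the inventory, hostnames and audit date are constructed sample data, and the two-thirds renewal threshold is an assumption borrowed from the common 90-day ACME practice of renewing with 30 days left.

```python
"""Lifetime audit against the 398-day browser rule.

Added example for this article, not code from FedTech or from any browser
or CA. Dates use the string format ssl.SSLSocket.getpeercert() returns
('Sep  1 00:00:00 2020 GMT'). INVENTORY and AUDIT_DATE are constructed.
"""
from datetime import datetime, timezone
import ssl

MAX_LIFETIME_DAYS = 398                                   # browser limit
POLICY_START = datetime(2020, 9, 1, tzinfo=timezone.utc)  # applies to certs issued on/after this date
RENEW_AT = 2 / 3  # assumption: renew once two thirds of the lifetime has elapsed


def _parse(cert_time: str) -> datetime:
    """Convert a getpeercert()-style timestamp to an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)


def lifetime_days(cert: dict) -> int:
    return (_parse(cert["notAfter"]) - _parse(cert["notBefore"])).days


def exceeds_policy(cert: dict) -> bool:
    """True only for certificates issued on or after the cutoff with validity
    over 398 days; long certificates issued earlier stay valid until they expire."""
    return _parse(cert["notBefore"]) >= POLICY_START and lifetime_days(cert) > MAX_LIFETIME_DAYS


def renewal_due(cert: dict) -> datetime:
    not_before, not_after = _parse(cert["notBefore"]), _parse(cert["notAfter"])
    return not_before + (not_after - not_before) * RENEW_AT


def audit(inventory: dict, now: datetime) -> dict:
    """Map each name to a list of findings; ['ok'] when nothing needs attention."""
    report = {}
    for name, cert in inventory.items():
        findings = []
        if now >= _parse(cert["notAfter"]):
            findings.append("expired")
        if now >= renewal_due(cert):
            findings.append("renew-now")
        if exceeds_policy(cert):
            findings.append("exceeds-398-days")
        report[name] = findings or ["ok"]
    return report


# Constructed inventory (not real hosts or certificates).
INVENTORY = {
    "www.example.gov":    {"notBefore": "Oct  1 00:00:00 2020 GMT", "notAfter": "Dec 30 00:00:00 2020 GMT"},  # 90-day ACME cert
    "vpn.example.gov":    {"notBefore": "Sep  1 00:00:00 2020 GMT", "notAfter": "Sep  1 00:00:00 2022 GMT"},  # 2-year cert, issued after cutoff
    "legacy.example.gov": {"notBefore": "Aug 15 00:00:00 2020 GMT", "notAfter": "Aug 15 00:00:00 2022 GMT"},  # 2-year cert, issued before cutoff
    "old.example.gov":    {"notBefore": "Jan  1 00:00:00 2020 GMT", "notAfter": "Jul  1 00:00:00 2020 GMT"},  # already expired
}
AUDIT_DATE = datetime(2020, 12, 10, tzinfo=timezone.utc)  # constructed "today"

if __name__ == "__main__":
    for host, findings in audit(INVENTORY, AUDIT_DATE).items():
        print(f"{host:20s} {lifetime_days(INVENTORY[host]):4d} days  {', '.join(findings)}")
```

Note what the audit does not flag: the two-year certificate on `legacy.example.gov` was issued before the cutoff, so it keeps working until it expires; only the one issued on or after September 1, 2020 is a problem.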
Fortunately, the Automated Certificate Management Environment (ACME), a protocol standardized by the IETF as RFC 8555 that automates requesting, verifying, renewing and revoking digital certificates, is widely available for common web servers and is beginning to migrate into other products, such as Internet of Things devices, network firewalls and load balancers. ACME automates every phase of the certificate management process in a nonproprietary and straightforward way: the client proves control of each domain name by answering a challenge the certification authority issues, then obtains, renews and, if needed, revokes the certificate with no human in the loop. If certificate renewal and replacement can be automated, then IT managers won’t mind if it happens every 12 months, every 3 months or every Patch Thursday.
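The "verifying" step is where ACME differs most from filling in a CSR form by hand, so here is what it consists of, as an added example written for this article rather than code from any ACME client or CA. It implements the key-authorization construction from RFC 8555 (section 8.1) for the HTTP-01 and DNS-01 challenge types, on both the client side (what gets published) and the CA side (what gets checked). `ACCOUNT_JWK` is a constructed placeholder account key with a fake modulus and `TOKEN` is a constructed challenge token; only the RFC 7638 thumbprint computation matters here, and nothing is signed.

```python
"""ACME's verification step: building and checking a challenge response.

Added example, not code from the article or from any ACME client or CA.
Implements the key authorization of RFC 8555 section 8.1 for HTTP-01 and
DNS-01. ACCOUNT_JWK and TOKEN are constructed placeholders.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, keys sorted, no whitespace.
    Optional members such as 'alg' or 'kid' must not influence the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token '.' thumbprint: ties the challenge to the ACME account key."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_response(token: str, jwk: dict) -> dict:
    """Client side: what must be served over plain HTTP while the CA validates."""
    return {
        "path": f"/.well-known/acme-challenge/{token}",
        "body": key_authorization(token, jwk),
        "content_type": "application/octet-stream",
    }


def dns01_txt_value(token: str, jwk: dict) -> str:
    """Client side: the TXT record value for _acme-challenge.<domain>
    is the base64url SHA-256 digest of the key authorization."""
    return b64url(hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest())


def ca_validates_http01(token: str, fetched_body: str, jwk: dict) -> bool:
    """CA side: the fetched body must equal the expected key authorization;
    RFC 8555 lets the server ignore trailing whitespace."""
    return fetched_body.rstrip() == key_authorization(token, jwk)


# Constructed account key: 'n' is a placeholder, not a real RSA modulus.
ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc",
    "alg": "RS256",                              # optional members, excluded from the thumbprint
    "kid": "https://ca.example/acme/acct/1",     # constructed account URL
}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed challenge token

if __name__ == "__main__":
    resp = http01_response(TOKEN, ACCOUNT_JWK)
    print("serve at", resp["path"])
    print("body    ", resp["body"])
    print("DNS TXT ", dns01_txt_value(TOKEN, ACCOUNT_JWK))
    print("CA check", ca_validates_http01(TOKEN, resp["body"] + "\n", ACCOUNT_JWK))
```

Two details carry the security weight. The token alone proves nothing, because the CA handed it out; binding it to the account key's thumbprint is what stops a third party from answering a challenge for a domain they do not hold the ACME account for. And DNS-01 publishes only a hash of the key authorization, so the value in public DNS cannot be replayed as an HTTP-01 response.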
How Digital Certificates Worked in the Past
IT managers who have tried to request and manage digital certificates have seen other, older protocols: the Simple Certificate Enrollment Protocol (SCEP), still common in network equipment; Enrollment over Secure Transport (EST, RFC 7030), essentially a more secure successor to SCEP that relies on TLS to protect the enrollment exchange; and the Certificate Management Protocol (CMP, RFC 4210).
ACME builds on years of experience with those protocols and solves a much broader problem: how to completely automate the process of certificate management between a certificate user and a certification authority — public or private.
SCEP will linger for a while in constrained private certification authority environments, such as enrolling network devices, but IT managers can expect ACME to push everything else aside over the next few years.
ACME has more than 50 client integrations available, a big number for something so new, largely because of Let’s Encrypt, the free, publicly trusted certification authority for which the protocol was originally built.
Let’s Encrypt has been wildly successful, with more than 200 million websites using its digital certificates.