The CA/Browser Forum has officially voted to amend the TLS Baseline Requirements to set a schedule for shortening both the lifetime of TLS certificates.
The most-aggressively short timelines don’t apply until 2029. Regardless, now is the time to get serious about automation. That is going to require vendors of a lot of off-the-shelf products to come up with better (or any) automation integrations for existing cert management systems or whatever the new standard becomes.
The current workflow many big orgs use is something like:
Poor bastard application engineer/support guy is forced to keep a spreadsheet for all the machines and URLs he “owns” and set 30-day reminders when they will expire,
manually generate CSRs,
reach out to some internal or 3rd party group who may ignore his request or fuck it up twice before giving him correct signed certs,
schedule and get approval for one or more “possible brief outage” maintenance windows because the software requires manually rebinding the new certs in some archaic way involving handjamming each cert into a web interface on a separate Windows box.
As the validity period shrinks and the number of environments the average production application uses grows, the concept of doing these processes manually becomes a total clusterfuck.
I’m that poor bastard engineer at my company. This likely will be the push we need to prioritize automation. Dealing with manual renewals with Digicert has been a pain in the ass. If anyone has experience with their automated option I’d love to hear it.
ACME Directory URLs – Get certificate-level automation for Extended Validation (EV) and Organization Validated (OV) certificates. Manage multiple ACME clients, running on Windows or Linux so you can efficiently automate certificate delivery regardless of the quantity of certificates you’re managing. Improve the security of using ACME in your network through our CertCentral discovery sensors. The sensor is an extra layer of security, ensuring the ACME client doesn’t directly speak to an unsecure third party.
If you search for RFC8555 or ACME, you may find a tool you can use that may be compatible for renewing Digicert certs automatically.
I’d love to actually help, but honestly I knew the RFC offhand (correction; I was close but off) and googled the rest myself, so dragging the problem to ACME - like RFK dragging the carcass of a deer back to his sedan - is the best I can do for you today.
Ironically the shortening of cert lengths has pushed me to automated systems and away from the traditional paid trust providers.
I used to roll a 1-year cert for my CDN, and manually buy renewals and go through the process of signing and uploading the new ones, it wasn’t particularly onerous, but then they moved to I think either 3 or 6 months max signing, which was the point where I just automated it with Let’s Encrypt.
I’m in general not a fan of how we do root of trust on the web, I much prefer had DANE caught on, where I can pin a cert at the DNS level that is secured with DNSSEC and is trusted through IANA and the root zone.
I’ve proposed using Let’s Encrypt but my coworkers believe there would be a perception issue with us using a “free” TLS certificate provider. I work for a popular internet search engine so it’s a reasonable worry.
It just seems like LE has the most efficient automatic renewal setup, though I haven’t looked in detail at other providers.
That sound weird to me. How big is the population of people who are technical enough to even check what certificate provider you are using but ignorant enough to think that let’s encrypt is bad because it’s free?
There can be theoretical audit or blame issues , since you’re not “paying” then how does the company pass the buck (SLA contracts) if something fucks up with LE.
I’m relieved this post didn’t mention Ansible. It’s nice we’ve avoided the irony of mentioning Ansible in a post also mentioning ‘serious’ or ‘modern’.
the concept of doing these processes manually becomes a total clusterfuck.
But it’s a known clusterfuck compared to the scary unknown of certs (and the boulder app).
The most-aggressively short timelines don’t apply until 2029. Regardless, now is the time to get serious about automation. That is going to require vendors of a lot of off-the-shelf products to come up with better (or any) automation integrations for existing cert management systems or whatever the new standard becomes.
The current workflow many big orgs use is something like:
Poor bastard application engineer/support guy is forced to keep a spreadsheet for all the machines and URLs he “owns” and set 30-day reminders when they will expire,
manually generate CSRs,
reach out to some internal or 3rd party group who may ignore his request or fuck it up twice before giving him correct signed certs,
schedule and get approval for one or more “possible brief outage” maintenance windows because the software requires manually rebinding the new certs in some archaic way involving handjamming each cert into a web interface on a separate Windows box.
As the validity period shrinks and the number of environments the average production application uses grows, the concept of doing these processes manually becomes a total clusterfuck.
Can confirm, am poor bastard.
Can you not write a script to automate a lot of this?
Looking forward to companies hiring “Cert Engineers” who just renew certs all day.
Joking aside, it really is time to deploy automation for those that haven’t already
That was a joke? Nice try Nostradamus, I know you can see the future.
They’ll add AI to it somehow
Which will get it wrong and leave expired/unsigned certs everywhere XD
I’m that poor bastard engineer at my company. This likely will be the push we need to prioritize automation. Dealing with manual renewals with Digicert has been a pain in the ass. If anyone has experience with their automated option I’d love to hear it.
Aren’t they RFC8555-compatible?
Yep, seems so:
If you search for RFC8555 or ACME, you may find a tool you can use that may be compatible for renewing Digicert certs automatically.
I’d love to actually help, but honestly I knew the RFC offhand (correction; I was close but off) and googled the rest myself, so dragging the problem to ACME - like RFK dragging the carcass of a deer back to his sedan - is the best I can do for you today.
Ironically the shortening of cert lengths has pushed me to automated systems and away from the traditional paid trust providers.
I used to roll a 1-year cert for my CDN, and manually buy renewals and go through the process of signing and uploading the new ones, it wasn’t particularly onerous, but then they moved to I think either 3 or 6 months max signing, which was the point where I just automated it with Let’s Encrypt.
I’m in general not a fan of how we do root of trust on the web, I much prefer had DANE caught on, where I can pin a cert at the DNS level that is secured with DNSSEC and is trusted through IANA and the root zone.
I’ve proposed using Let’s Encrypt but my coworkers believe there would be a perception issue with us using a “free” TLS certificate provider. I work for a popular internet search engine so it’s a reasonable worry.
It just seems like LE has the most efficient automatic renewal setup, though I haven’t looked in detail at other providers.
That sound weird to me. How big is the population of people who are technical enough to even check what certificate provider you are using but ignorant enough to think that let’s encrypt is bad because it’s free?
Managers.
There can be theoretical audit or blame issues , since you’re not “paying” then how does the company pass the buck (SLA contracts) if something fucks up with LE.
LetsEncrypt also built ACME, so they’re the primary port for testing RFC8555. They’re just gonna work better at it.
But, as above, maybe Digi is still the way for you, with the right tooling glued in.
Good luck!
Exactly how it works at mine, it’s a pain 😭
I hate my life.
I’m relieved this post didn’t mention Ansible. It’s nice we’ve avoided the irony of mentioning Ansible in a post also mentioning ‘serious’ or ‘modern’.
But it’s a known clusterfuck compared to the scary unknown of certs (and the boulder app).