Over the last few years, software makers have begun cracking down on certificates that do not expire soon enough. Most browsers will reject any SSL certificate with a lifetime longer than 39 months. This may seem like a long time, but it pales in comparison to the average lifespan of root certificates used in private CAs, where they can be set for 20 to 30 years.
This is of course a convenience issue; you don’t want your root certificate to expire before the chain does, so admins like the extra buffer room. But when you think about it, 20 years is a long time. Especially in the technology world. If your car was that old, you could register it as a collectible in some states. 20 years is certainly enough time for technology to make encryption standards obsolete.
Of course CAs can be replaced at any point, but without some forward planning, it can be painful. So any sudden compromise hurts worse. And with a 20 year root certificate, it will end up being budgeted out between intermediate certificates lifespans that are far too long. You just can’t predict what security policies you’ll need that far out.
Just think of how rapidly they have shifted in the last five years:
- 2005 and 2007 NIST recommended moving from 1024 to 2048 bit RSA certificates by 2010.
- The public CAs have already been reissued under the same names but with longer keys
- MD5 certificates were (finally!) phased out starting around 2010, long after operating systems stopped validating them
- SHA1 certificates are being sunsetted. Microsoft has announced they will not be accepting them after 2016.
Cloud computing is one of the newest threats to the predicted depreciation rates. Keys designed to withstand Moore’s law don’t quite hold up against the cheap and accessible power available on the internet. A secure certificate is lucky to not be obsolete within half of its expected lifetime. In 2007, it was expected that a 1024-bit key wouldn’t be cracked for 10 years. It was broken in only 3.
If your organization has any serious investment in a Public Key Infrastructure, 20 years is likely a bad number. 30 years definitely is. Shorter certificate lifecycles will mean more work, but it will also lead to leaner certificate chains. Right now, about half of all organizations have no accountability for the ones the already have.
Next Generation Certificate Management
For organizations unaccustomed to managing client level certificates, the toughest part is getting new certificates onto user devices and establishing the trust chain correctly on those devices. Root certificates form the backbone of security. But they are also the toughest part for users, especially in BYOD environments.
This is why JoinNow is so essential for secure organizations: it presents a clean and simple alternative to deploying client certificates on a large scale, without any manual work or the heavy management associated with AD domain membership. Administrators are able to update the root as needed, and users will be able to configure the new certificates on their own. Suddenly, shorter CA lifetimes become very practical.
Things you can do with JoinNow
- Streamline client certificate deployment with an automated client app
- Add flexibility to your CA, letting it grow with the organization
- Use Intermediate certificates in addition to a root to support PKI best practices
- Match users to specific certificate chains or even CAs based on roles and policy
In addition, JoinNow has the most advanced system for distributing and managing device certificates for organizations interested in TLS-based authentication. Use SecureW2 Connector to support different use cases:
- Connector acts as a bridge between client and CA while providing policy options not available with a CA alone
- Expand the reach of Domain CA to include non domain devices.
Have you taken a look at JoinNow yet? You should.