Want to learn the best practice for configuring Chromebooks with 802.1X authentication?

Sign up for a Webinar!

The Risk of Expiring Web Certificates

Certificate use in a variety of mediums continues to grow, but your certificate provider cannot protect against a common certificate mistake: missing expiration dates. This isn’t a major issue if you’re only using certificates for RADIUS authentication, but it can make an impact when using them for website security. Recently, a web security certificate from Sectigo expired and created a stir for many organizations, but not for the reasons many would expect.

The Importance of Web Security Certificates

The basic function of a web security certificate is to protect the communication between client and server when a user accesses a website. A user can easily tell if any given website is protected by a web security certificate by checking the URL. If the URL begins with HTTPS, it is protected by a certificate, and if it appears as HTTP, there is no certificate encrypting communications. As of 2018, 51.8% of the top 1 million websites worldwide utilize HTTPS, and this number continues to grow.

Sectigo is one of those organizations that distributes web security certificates, and these certificates do expire periodically. When one of those certificates expires and is not properly replaced or renewed, the web server reliant on the certificate will appear as invalid to any program or user that tries to access the site. They will not be able to confirm the identity of the unprotected site, and the user will likely be redirected away from the unsecured connection.

This is a relatively common issue that can affect a potentially huge number of users. For example, Amazon recently allowed an affiliate certificate to expire, and this has broad implications for their affiliate network. An example discovered by Reddit user u/mtlynch demonstrates how a lapse in certificate trust affects advertisement images on his website.

What is Certificate Trust?

The web security certificate expiration was anticipated by Sectigo and they released a warning that this particular certificate would soon be replaced. The issue was not an unexpected expiration, but with backwards compatibility.

To secure communications between the server and client, there must be a certificate chain of trust established. In this process, the server and program present their certificates and create a secure communication to vouch for validity. During the process, both certificates establish trust with a root certificate, a certificate that is trusted by your browser and vouches for the validity of other certificates.

The new Sectigo web security certificate has replaced the old and establishes a new root certificate. For those using up-to-date software, this will likely go unnoticed because it will update to also trust the new certificate. But organizations using old and outdated software run into compatibility problems.

These older programs that have not been updated will continue to rely on old root certificates that are not within Sectigo’s certificate chain of trust. This is a grave issue because these programs will then reject new root certificates as untrusted and will not be able to communicate with those servers. The newer the chain of certificate trust, the greater the chance the chain will not be trusted by older programs.

Newer certificates should always be preferred over old ones, but in the situation of Sectigo’s expiring certificate, older programs will simply not be able to communicate with the server and deny access.

Example of an identity certificate with intermediate and root

Resolving Expired Server Certificates

If your older programs are suddenly rejecting access to previously secure websites, it’s likely there is an issue on your end.

The first troubleshooting method to try would be upgrading the software you are using to connect. It’s vitally important to stay on top of upgrades and patches for security reasons, but also to ensure your programs are keeping up with updates in other programs, servers, applications, etc.

If the program is up to date, then you need to start looking externally. Consult your certificate vendor and inquire about the issue. Have they stopped updating their certificates? Do you need to consider upgrading or changing your software?

These questions are difficult because they can lead to large-scale changes within an organization, but if your software is unable to keep up with modern cybersecurity upgrades, it may be time to consider new options.

SecureW2 combats the problem of certificate expiration by providing a system in which network administrators are notified prior to certificate expiration. As the stated expiration date approaches, admins receive an email warning of the upcoming expiration and the risks involved with not replacing said certificate. Check out SecureW2’s affordable certificate solutions to see if our efficiently managed system is right for your organization.

Learn about this author

Eytan Raphaely

Eytan Raphaely is a digital marketing professional with a true passion for writing things that he thinks are really funny, that other people think are mildly funny. Eytan is a graduate of University of Washington where he studied digital marketing. Eytan has diverse writing experience, including studios and marketing consulting companies, digital comedy media companies, and more.

The Risk of Expiring Web Certificates