www.digicert.com
45.60.123.229
Public Scan
Submitted URL: https://app.updates.digicert.com/e/er?utm_source=Eloqua&utm_content=12593&utm_medium=email&mth=&s=1701211846&lid=10377&elqTrackId...
Effective URL: https://www.digicert.com/blog/avoiding-disruptions-from-revoked-certificates?utm_source=Eloqua&utm_content=12593&utm_medi...
Submission: On May 08 via manual from NL — Scanned from NL
Form analysis
1 forms found in the DOM
<form class="search-form">
<i class="search__icon search"></i>
<div class="search-form__input">
<input id="header-search-box" type="text" placeholder="Search" required="" autofocus="">
</div>
<span class="nav_dismiss close">×</span>
</form>
Text Content
Compliance 03-22-2024

HOW TO PREVENT PROBLEMS WHEN A CERTIFICATE IS MIS-ISSUED

Mike Nelson
Co-authored by Jeremy Rowley

The publicly trusted Certificate Authorities (CAs) that issue digital certificates are evaluated by activity community groups and root programs against requirements from groups like the Certificate Authority/Browser (CA/B) Forum. Sometimes, due to human error or bugs in code, those issued certificates don’t meet the strict compliance requirements of the root store operators. When this happens, the CA is expected to provide transparency on what happened, revoke the certificates, and help the community learn from the mistake.

The revocation timeline for certificates is very short—either 24 hours or five days, depending on the nature of the problem. When a CA fails to mitigate the damage in a timely manner, as we recently saw with Entrust’s delayed revocation of nearly 25,000 EV certificates, the consequences can be massive.
For organizations, improper handling of mis-issued certificates can lead to outages, uncertainty about the CA’s status, and a loss of customer trust. And for the CA that failed to revoke and replace the mis-issued certificates, it can mean web browsers move to deprecate their trust in the CA—a move that often signals the end for a CA.

HOW COMPANIES CAN AVOID MISISSUANCE-RELATED BUSINESS DISRUPTIONS

Bugs are common in software, so mis-issuance occurs even with very sophisticated software development lifecycles. When it happens, the CA’s primary goal should be figuring out where the mistake took place and ensuring it never happens again.

In 2023, we discovered that 300 certificates issued to a global device manufacturer didn’t comply with the strict profile requirements found in the CA/B Forum’s Baseline Requirements. Per these requirements, we had five days to revoke the certificates to remain compliant with the standards—standards all CAs agree to as part of being a publicly trusted entity.

There was just one problem: After discussing the issue with the customer, it was clear revoking the certificates within 5 days would cause massive disruption to critical systems that could cause consumer safety issues. Working with the customer, we determined they needed one month to replace the mis-issued certificates.

Failing to follow the CA/B Forum’s rules wasn’t a viable option, but neither was revoking the certificates without properly issued replacements in place. So we consulted with the community and worked with our customers around the clock to get their new certificates up and running in time.

While this experience was stressful for everyone involved, reflecting on where things went wrong helped our customer take steps to keep mis-issued certificates from becoming an ongoing problem. The advice we gave our customer is what we’d recommend for any organization that relies on certificates to stay secure:

1. USE PRIVATE TRUST CERTIFICATES WHERE APPROPRIATE.
The CA/B Forum rules only apply to public trust certificates. There’s no five-day revocation timeline for privately trusted certificates. For our customer, putting public trust certificates on things that didn’t need them—in this case, connected devices—opened the door to unnecessary issues.

Our advice? Examine your certificate usage and eliminate the risk of business-disrupting revocations by changing public trust certificates to private where appropriate. Here are some of the most common use cases for private trust certs:

* Connected devices: Connected IoT devices use certificates to manually authenticate connections to gateways, servers, applications, or other devices. This communication commonly occurs over private networks, eliminating the need for public trust.
* Internal apps and websites: Since it’s not publicly accessible, your company intranet doesn’t require public trust.
* Inter-organizational communication: Partner organizations can eliminate the need for public trust by manually configuring their systems to accept one another’s private certificates.
* VPNs: Using private certificates for client and server authentication ensures only trusted devices can connect to the company VPN.

We also recommend running automated compliance checks on your certificates with PKILint, DigiCert’s free open-source certificate linter.

2. IMPLEMENT A COMPREHENSIVE CERTIFICATE MANAGEMENT SOLUTION.

Many companies still use spreadsheets to track their certificates by hand. With a certificate lifecycle management (CLM) solution in place, meeting the CA/B Forum’s five-day deadline isn’t a problem. But without that solution, replacing mis-issued certificates can require a heavy manual process that may take weeks to complete.
If your organization isn’t yet using a comprehensive CLM, implement a solution like DigiCert Trust Lifecycle Manager, which provides:

* PKI certificate discovery
* A full repository of all public and private certificates
* Fine-grained visibility and operational control
* Notifications to prevent certificate expiration
* Vulnerability remediation
* Governance across CAs and interoperability with business systems

HOW THE MISHANDLING OF MIS-ISSUED CERTIFICATES LEADS TO DISTRUST

The digital trust we talk so much about isn't an abstract concept—it’s objective and measurable. Organizations’ websites and digital products are either secured by trustworthy certificates, or they’re not. CAs adhere to the standards set by groups like the CA/B Forum, or they don’t.

When a CA agrees to be part of a trust community, their trustworthiness is measured by their transparency and willingness to play by the rules. On its own, an issuance error doesn’t automatically lead to distrust. It’s the reason for the issue, what the CA learns from the situation, and how the CA handles the incident that matters most.