Effective URL: https://www.digicert.com/blog/avoiding-disruptions-from-revoked-certificates?utm_source=Eloqua&utm_content=12593&utm_medi...

Compliance 03-22-2024


HOW TO PREVENT PROBLEMS WHEN A CERTIFICATE IS MIS-ISSUED

Mike Nelson
Co-authored by Jeremy Rowley

The publicly trusted Certificate Authorities (CAs) that issue digital
certificates are evaluated by community groups and browser root programs
against requirements from bodies like the Certificate Authority/Browser (CA/B)
Forum.

Sometimes, due to human error or bugs in code, those issued certificates don’t
meet the strict compliance requirements of the root store operators. When this
happens, the CA is expected to provide transparency on what happened, revoke the
certificates, and help the community learn from the mistake.

The revocation timeline for certificates is very short: 24 hours or five days,
measured from when the CA becomes aware of the problem, depending on the nature
of the problem. When a CA fails to mitigate the damage in a timely manner, as we
recently saw with Entrust's delayed revocation of nearly 25,000 EV certificates,
the consequences can be massive.

For organizations, improper handling of mis-issued certificates can lead to
outages, uncertainty about the CA’s status, and a loss of customer trust. And
for the CA that failed to revoke and replace the mis-issued certificates, it can
mean web browsers move to deprecate their trust in the CA—a move that often
signals the end for a CA.

HOW COMPANIES CAN AVOID MISISSUANCE-RELATED BUSINESS DISRUPTIONS

Bugs are common in software, so mis-issuance occurs even with very sophisticated
software development lifecycles. When it happens, the CA must revoke within the
required window, and beyond that its primary goal should be figuring out where
the mistake took place and ensuring it never happens again.

In 2023, we discovered that 300 certificates issued to a global device
manufacturer didn’t comply with the strict profile requirements found in
the CA/B Forum’s Baseline Requirements. Per these requirements, we had five days
to revoke the certificates to remain compliant with the standards—standards all
CAs agree to as part of being a publicly trusted entity.

There was just one problem: After discussing the issue with the customer, it was
clear that revoking the certificates within five days would cause massive
disruption to critical systems and could create consumer safety issues. Working
with the customer, we determined they needed one month to replace the mis-issued
certificates.

Failing to follow the CA/B Forum’s rules wasn’t a viable option, but neither was
revoking the certificates without properly issued replacements in place. So we
consulted with the community and worked with our customers around the clock to
get their new certificates up and running in time. 

While this experience was stressful for everyone involved, reflecting on where
things went wrong helped our customer take steps to keep mis-issued certificates
from becoming an ongoing problem.

The advice we gave our customer is what we’d recommend for any organization that
relies on certificates to stay secure:

1. USE PRIVATE TRUST CERTIFICATES WHERE APPROPRIATE.

The CA/B Forum's rules apply only to publicly trusted certificates. A privately
trusted certificate carries no five-day revocation clock; its revocation rules
are whatever your own certificate policy sets. For our customer, putting public
trust certificates on things that didn't need them (in this case, connected
devices) opened the door to unnecessary issues.

Our advice? Examine your certificate usage and eliminate the risk of
business-disrupting revocations by moving from public trust to private trust
wherever the relying parties are under your control.

Here are some of the most common use cases for private trust certs:

 * Connected devices: Connected IoT devices use certificates to mutually
   authenticate connections to gateways, servers, applications, or other
   devices. Both ends of that link are under your control, so the trust store
   on each can carry your own root instead of a public one.
 * Internal apps and websites: Since your company intranet is not publicly
   accessible and is reached only from managed browsers and devices, it doesn't
   require public trust; distribute your private root to those devices instead.
 * Inter-organizational communication: Partner organizations can eliminate the
   need for public trust by configuring their systems to trust one another's
   private roots.
 * VPNs: Using private certificates for client and server authentication
   restricts VPN access to devices holding a certificate issued by your
   private CA.

We also recommend running automated compliance checks on your certificates with
pkilint, DigiCert's free open-source certificate linter; a profile error caught
before a certificate is installed is one that never needs an emergency
replacement.
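What a private trust setup looks like in code, as an added example written for this page (it is not DigiCert's code and not pkilint): a private root issues a device certificate with the identity in the SAN and an EKU for both directions of a mutually authenticated link; a relying party that trusts only that root accepts the certificate, while a partner's root, or a root with the same name but a different key, does not; and a small profile check of the kind the post says to automate shows that the 825-day validity, which would be a mis-issuance under the public 398-day limit, is simply a policy choice under private trust. It uses the `cryptography` package. The organisation name, the `.devices.example.internal` namespace, the fixed demo clock and the 825-day private limit are assumptions.

```python
"""Added example for this page (not DigiCert's code, not pkilint): a private
trust chain for connected devices plus a small profile lint. Requires the
`cryptography` package. Org name, hostnames, clock and day limits are assumed."""
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

ORG = "Example Devices Inc"                    # assumed
DEVICE_SUFFIX = ".devices.example.internal"    # assumed private namespace
DEMO_TIME = datetime(2024, 3, 22, 12, 0, tzinfo=timezone.utc)  # fixed demo clock

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.ORGANIZATION_NAME, ORG),
                      x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _key_usage(**on):
    # KeyUsage wants all nine bits spelled out; anything not named is False.
    bits = ("digital_signature", "content_commitment", "key_encipherment", "data_encipherment",
            "key_agreement", "key_cert_sign", "crl_sign", "encipher_only", "decipher_only")
    return x509.KeyUsage(**{b: on.get(b, False) for b in bits})

def make_private_root(common_name, now):
    """Self-signed root: CA:TRUE, keyCertSign/cRLSign only, ten-year validity."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (x509.CertificateBuilder()
            .subject_name(_name(common_name)).issuer_name(_name(common_name))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
            .add_extension(_key_usage(key_cert_sign=True, crl_sign=True), critical=True)
            .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False)
            .sign(key, hashes.SHA256()))
    return key, cert

def issue_device_cert(root_key, root_cert, device_id, now, days=825):
    """Leaf for one device: identity in the SAN, clientAuth + serverAuth EKU for a
    mutually authenticated link. 825 days exceeds the public limit; private policy decides."""
    host = device_id + DEVICE_SUFFIX
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (x509.CertificateBuilder()
            .subject_name(_name(host)).issuer_name(root_cert.subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .add_extension(_key_usage(digital_signature=True), critical=True)
            .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH,
                                                  ExtendedKeyUsageOID.SERVER_AUTH]), critical=False)
            .add_extension(x509.SubjectAlternativeName([x509.DNSName(host)]), critical=False)
            .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(
                root_cert.public_key()), critical=False)
            .sign(root_key, hashes.SHA256()))
    return key, cert

def _validity(cert):
    # tz-aware accessors exist from cryptography 42; fall back to the naive UTC ones.
    nb = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before.replace(tzinfo=timezone.utc)
    na = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after.replace(tzinfo=timezone.utc)
    return nb, na

def chains_to(leaf, anchor, at):
    """One-level path check: issuer name matches, anchor is a CA, leaf is valid at `at`,
    signature verifies under the anchor key. No revocation or name-constraint processing."""
    if leaf.issuer != anchor.subject or \
            not anchor.extensions.get_extension_for_class(x509.BasicConstraints).value.ca:
        return False
    nb, na = _validity(leaf)
    if not nb <= at <= na:
        return False
    try:  # a same-named root with a different key fails exactly here
        anchor.public_key().verify(leaf.signature, leaf.tbs_certificate_bytes,
                                   ec.ECDSA(leaf.signature_hash_algorithm))
    except InvalidSignature:
        return False
    return True

def lint_profile(cert, max_days):
    """Checks of the kind a linter automates: SAN present, CN repeated in the SAN,
    serverAuth in the EKU, validity within policy (398 days for public TLS)."""
    findings = []
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        dns = set(san.get_values_for_type(x509.DNSName))
    except x509.ExtensionNotFound:
        dns, findings = set(), ["missing subjectAltName"]
    for cn in cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME):
        if cn.value not in dns:
            findings.append("commonName not present in subjectAltName")
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        if ExtendedKeyUsageOID.SERVER_AUTH not in eku:
            findings.append("extendedKeyUsage lacks serverAuth")
    except x509.ExtensionNotFound:
        findings.append("missing extendedKeyUsage")
    nb, na = _validity(cert)
    if (na - nb).days > max_days:
        findings.append(f"validity {(na - nb).days} days exceeds {max_days}")
    return findings

if __name__ == "__main__":
    k, root = make_private_root("Example Devices Private Root CA", DEMO_TIME)
    _, dev = issue_device_cert(k, root, "sensor-0001", DEMO_TIME)
    print(chains_to(dev, root, DEMO_TIME), lint_profile(dev, 398), lint_profile(dev, 825))
```

`chains_to` is deliberately a one-level check so the trust decision is visible in a dozen lines; a production relying party also needs revocation checking and, for a multi-level private hierarchy, full RFC 5280 path building. The lint is the point of the exercise: run it (or pkilint) on every certificate before it ships, under the profile that actually applies to it, and a profile error becomes a build failure instead of a five-day revocation scramble.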

2. IMPLEMENT A COMPREHENSIVE CERTIFICATE MANAGEMENT SOLUTION.

Many companies still use spreadsheets to track their certificates by hand. With
a certificate lifecycle management (CLM) solution in place, meeting the CA/B
Forum's five-day deadline is a routine operation: the affected certificates are
already inventoried, and replacement is automated. Without that solution,
replacing mis-issued certificates can require a heavy manual process that may
take weeks to complete.
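The planning step behind that claim, and behind the 24-hour and five-day windows described earlier, as an added illustration written for this page (not DigiCert's code and not Trust Lifecycle Manager): a CA's mis-issuance notice is matched against the inventory, the revocation deadline is computed from when the CA became aware, and each affected certificate is ordered by how little slack its measured replacement lead time leaves, flagging the ones that are already late. The inventory, the notice, the serial numbers and the lead times are all constructed; the list of reasons that trigger the 24-hour window is my reading of Baseline Requirements section 4.9.1.1 and should be treated as an assumption.

```python
"""Added example, not DigiCert's code: the replacement-planning step a CLM
performs when a CA announces mis-issuance. All data below is constructed.
The 24-hour reason list is an assumption drawn from BR section 4.9.1.1."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Reasons that get the 24-hour window; profile errors, the case in the post,
# fall under the five-day window. Assumed mapping, see the module docstring.
TWENTY_FOUR_HOUR_REASONS = frozenset({
    "key_compromise", "subscriber_request", "unauthorized_issuance", "domain_not_validated",
})

def revocation_deadline(discovered_at, reason):
    """The clock starts when the CA becomes aware, not when the subscriber is told."""
    window = timedelta(hours=24) if reason in TWENTY_FOUR_HOUR_REASONS else timedelta(days=5)
    return discovered_at + window

def norm_serial(serial):
    """Incident lists and inventories format serials differently ("0A:1B:2C",
    "0a1b2c", "A1B2C"); compare a canonical form or you will miss certificates."""
    s = serial.replace(":", "").replace(" ", "").lower().lstrip("0")
    return s or "0"

@dataclass(frozen=True)
class CertRecord:
    issuer: str
    serial: str
    subject: str
    trust: str            # "public" or "private"
    service: str
    replace_hours: float  # measured time to issue, install and verify a replacement

@dataclass(frozen=True)
class MisissuanceNotice:
    issuer: str
    serials: frozenset
    reason: str
    discovered_at: datetime

@dataclass(frozen=True)
class PlanItem:
    cert: CertRecord
    deadline: datetime
    start_by: datetime    # latest moment replacement work can begin
    at_risk: bool         # True when start_by has already passed

def affected(inventory, notice):
    wanted = {norm_serial(s) for s in notice.serials}
    return [c for c in inventory if c.issuer == notice.issuer and norm_serial(c.serial) in wanted]

def replacement_plan(inventory, notice, now):
    """Order affected certificates by least slack first and flag the ones whose
    lead time already exceeds the time left before the CA must revoke."""
    deadline = revocation_deadline(notice.discovered_at, notice.reason)
    items = []
    for c in affected(inventory, notice):
        start_by = deadline - timedelta(hours=c.replace_hours)
        items.append(PlanItem(c, deadline, start_by, start_by < now))
    return sorted(items, key=lambda i: i.start_by)

# Constructed sample data: three public certs from one CA, one private device cert.
NOW = datetime(2024, 3, 20, 9, 0, tzinfo=timezone.utc)
INVENTORY = [
    CertRecord("Example Public CA G2", "0a:1b:2c", "api.example.com", "public", "customer API", 4),
    CertRecord("Example Public CA G2", "0A1B2D", "gw-eu.devices.example.com", "public", "device gateway", 96),
    CertRecord("Example Public CA G2", "0a1b2e", "www.example.com", "public", "website", 1),
    CertRecord("Example Devices Private Root CA", "1f", "sensor-0001", "private", "sensor fleet", 200),
]
NOTICE = MisissuanceNotice(
    issuer="Example Public CA G2",
    serials=frozenset({"A1B2C", "a1b2d", "a1b2f"}),   # one listed serial is not ours
    reason="profile_violation",
    discovered_at=datetime(2024, 3, 18, 15, 0, tzinfo=timezone.utc),
)

if __name__ == "__main__":
    for item in replacement_plan(INVENTORY, NOTICE, NOW):
        flag = "AT RISK" if item.at_risk else "ok"
        print(f"{flag:8} {item.cert.service:16} start by {item.start_by:%Y-%m-%d %H:%M}Z "
              f"deadline {item.deadline:%Y-%m-%d %H:%M}Z")
```

In the sample the device gateway is already at risk: its 96-hour replacement window (a firmware-style rollout) is longer than the time left, which is exactly the situation the post describes with its device-manufacturer customer. A CLM with discovery and automated installation drives `replace_hours` down to minutes; a spreadsheet leaves it at days, and the plan tells you that before the CA's clock runs out rather than after.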

If your organization isn’t yet using a comprehensive CLM, implement a solution
like DigiCert Trust Lifecycle Manager, which provides:

 * PKI certificate discovery
 * A full repository of all public and private certificates
 * Fine-grained visibility and operational control
 * Notifications to prevent certificate expiration
 * Vulnerability remediation
 * Governance across CAs and interoperability with business systems

HOW THE MISHANDLING OF MIS-ISSUED CERTIFICATES LEADS TO DISTRUST

The digital trust we talk so much about isn't an abstract concept—it’s objective
and measurable. Organizations’ websites and digital products are either secured
by trustworthy certificates, or they’re not. CAs adhere to the standards set by
groups like the CA/B Forum, or they don’t.

When a CA agrees to be part of a trust community, their trustworthiness is
measured by their transparency and willingness to play by the rules. On its own,
an issuance error doesn’t automatically lead to distrust. It’s the reason for
the issue, what the CA learns from the situation, and how the CA handles the
incident that matters most.

THE LATEST DEVELOPMENTS IN DIGITAL TRUST

Want to learn more about topics like certificate lifecycle management, digital
trust, or DigiCert’s digital trust solutions? Subscribe to the DigiCert blog to
ensure you never miss a story.
