SSL certificate lifetimes are going down. Dates proposed. 45 days by 2027.
Posted by isnotnick@reddit | sysadmin | View on Reddit | 725 comments
CA/B Forum ballot proposed by Apple: https://github.com/cabforum/servercert/pull/553
100 days after September 2025 200 days after September 2026 45 days after April 2027 Domain-verification reuse is reduced too, of course - and pushed down to 10 days after September 2027.
May not pass the CABF ballot, but then Google or Apple will just make it policy anyway...
mikerbiker@reddit
Internal servers need some love.
In order to provision certs for internal purposes, DNS validation is necessary. However, I don't want to put API keys to control my DNS zone on every server.
Therefore, there needs to be a widely-implemented way to offload DNS validation to a centralized server. The internal servers should only have credentials to provision exactly the certificate that they need.
To my knowledge, the only currently-developed open source projects that do this are certwarden and Netflix's lemur.
Certwarden is an individual's part-time project, and lemur requires a lot of setup. Kubernetes has the generically-named cert-manager, but it's heavily tied to kubernetes and not easily used outside kubernetes.
webprofusor@reddit
There's a few other options, at https://certifytheweb.com/ we provide a service called Certify DNS, which is an acme-dns compatible CNAME delegation service for those that don't want to run their own acme-dns linux server. If you want DNS challenge centralization we are also developing Certify Management Server which will also provide an API for this that other ACME clients can use, so you don't need privilege credentials on individual servers etc. I've not heard of any other product doing that. Our stuff is available as a mix of open source, source available and proprietary.
PlannedObsolescence_@reddit
If you are doing widespread certificate deployment internally, definitely think about running an internal CA - and deploying your root(s) via your configuration management solution (AD GPO, MDM, Ansible etc).
If you have a specific reason to use a public CA, and are using ACME - you can always just CNAME your acme-challange records to a new public DNS zone for that project, and make a service account that can only edit that zone. Then your blast radius for a (DNS API) credential compromise is just certs issued for that project.
HappyVlane@reddit
To expand on this: The time restriction is only for certificates from public CAs. All certificates signed by private CAs are valid and trusted by browsers for as long as they have been issued.
PlannedObsolescence_@reddit
With the caveat for Apple devices here
HappyVlane@reddit
Didn't even know about that. Just awful behaviour from Apple.
skywalker-11@reddit
You don't have to use DNS validation with ACME. You can also do organization validated certificates with external account binding (EAB). You basically validate your domains beforehand and can then create acme credentials that allow generation of certificates for specific fqdn for each server. While requesting the certificates you also submit the acme credentials as additional parameters. This works with the acme certbot and other clients but not all of the acme implementations. Sectigo CA supports this, not sure about other CAs or open source software though
Nu11u5@reddit
I've got network appliances that require SSL certs and can't be automated. Some of them work with systems that only support public CAs.
hyprnick@reddit
Can you share what kind of network appliance that can’t be automated? I’m used to running everything on K8s that automatically updates certs(let’s encrypt)
jstar77@reddit
This is somewhat nightmarish. I have about 20 appliance like services that have no support for automation. Almost everything in my environment is automated to the extent that is practical. SSL renewal is the lone achilles heel that I have to deal with once every 365 days.
scriptmonkey420@reddit
I have hundreds of Federation connections that we need to update yearly. We JUST got approval to get 2 year certs. Going to 45 days would KILL us.
spamster545@reddit
This will suck. My least favorite vendor manages something like 10 websites for us, and we have to provide the certs manually every time. Between live and test this is gonna suck.
Fiserv delenda est.
nightpool@reddit
So... why aren't you happy that Google and Apple are forcing them to automate cert provisioning so that you don't have to worry about it anymore? Especially if they're your least favorite vendor.
spamster545@reddit
Because they aren't automating jack and/or shit.
nightpool@reddit
They will if Firefox and Chrome tell them they have to
spamster545@reddit
Google may be able to force their hand, but we will be the ones to deal with the fallout. Credit union cores are, unfortunately, largely able to dictate whatever terms they want once you sign up with one. They always find a way to put the work off on customers whenever possible. I have full faith they will find a way to screw us with this one if the requirement for automation is followed through on.
SwiftSloth1892@reddit
I only bother replacing dev and test certs when asked. Otherwise they get pulled in when the environments refreshed. But yea....this already sucks doing it once a year. Maybe instead of asinine term lengths they build a certificate standard that works so it's not a hatchet job for every use.
CrazyEntertainment86@reddit
I really don’t understand what the F is the point other than driving insane revenue to CA’s. If a cert gets compromised, you revoke it, enforce crl checks, if your issuing CA gets comprimised you revoke it and have a few bad days. If your root ca is compromised you need a new occupation. Assuming that everything is always compromised makes no sense since you turn everything into a fire drill every day. It’s fucking stupid.
lucidrenegade@reddit
I've seen numerous comments, especially in the comments on the proposal on cabforum, from people whining that this or that software doesn't support CRLs, or doesn't do a revocation check, so we need short lifespan certs. How about instead you fix your damn apps to use a method that already exists?
FreeK200@reddit
In many cases, it's not about the app developer or system administrator. In my case, we rely on certificates generated by a DoD entity. Unfortunately, the only way to generate them is to submit a CSR to the application AFTER I've already logged in with my own PKI certificate. While I can sit and hope they update the capability to allow for some automation, it's not presently here. That's true for customers of some other CAs as well.
From my perspective, it's not terribly advanced of a task to update my stuff. A powershell script here or there to import the cert into IIS or update my SQL Server's CA thumbprint in the registry is the easy part. Unfortunately, getting the damn certificate is the hard part and I'm reliant on the CA to make my life easier. As it is now, it's a minor headache. If they don't update the process and this goes through, it's a nightmare.
elpollodiablox@reddit
This is job security for me, since none - and I mean none - of my coworkers can even wrap their heads around what a certificate does, much less how to request and install one. I say make it a daily expiration.
Please_Go_Away43@reddit
This is job security for LetsEncrypt, Cloudflare, Azure, AWS, etc. They want complete control of certificates so every certificate is issued and maintained by a huge platform, with nobody taking care of their own. This is a coup d'etat.
nightpool@reddit
The ACME protocol is pretty simple to implement if you want to roll your own https://smallstep.com/blog/private-acme-server/
Please_Go_Away43@reddit
Oh sure. There is even a C# library called ACMESharp that I used a few years ago for keeping a huge list of certs up to date (a massively multitenant SaaS web application). But the fact that it can be adapted to does not mean the motives for this change are benign.
AforAnonymous@reddit
I mean… yeah, p. much, but X.509 was one from the start, so, par for the course I suppose.
q1a2z3x4s5w6@reddit
If they make it a daily expiration I will expire myself.
arav@reddit
You just reminded me of my old company's CTO asking for the same for when there were multiple news about ransomware during covid times. He asked if we can rotate all of our certs including root certs on a configuration that he can update. If he updates the config to 1 hour, then all the certs needs to be rotated in 1 hour. Luckily, our CISO was on the call to tell him that is not something that we can and should do.
nightpool@reddit
You're saying that your org manages root certs but you cannot respond to a compromise or disclosure by invalidating and rotating them within a business-critical amount of time?
What level of downtime or exposure *do* you believe is appropriate if your root cert gets compromised? More than an hour?
arav@reddit
We already have procedures in place which are tested routinely to rotate root certs but we don’t have an option where we can give a configuration to CTO where he can change it as per his whim.
erdezgb@reddit
You have a problem working on sundays?
DejfCold@reddit
Just move to Germany. They are banning even "robot" work on Sundays in the near future.
skelleton_exo@reddit
There will always be exceptions they will involve paperwork though. Source: I and my team sometimes work on sunday in Germany.
q1a2z3x4s5w6@reddit
I can't stand working on days of the week ending in Y, I'll renew the damn cert on a day that doesn't
ApricotPenguin@reddit
Think about it more positively... you are implementing a solution to determine via crowdsourcing, if your application is still in use by users :)
Ok_Series_4580@reddit
Alive not after 10/14/2024 ;)
nightpool@reddit
Wow, that sounds like it sucks. If only there was a proposal that would require vendors and services to provide SSL automation options! Shame that will never happen though.
davy_crockett_slayer@reddit
... Seriously? I'm mildly concerned if this is the case. On Linux/Kubernetes you use OpenSSL. On Windows you use certreq.
elpollodiablox@reddit
Can use OpenSSL on Windows, too.
Yeah, trust me, it is a source of endless frustration for me, and probably why I end up being "the guy" in a lot of situations. I take time and put in effort to learn new stuff, and they seem content with their current base of knowledge and actively try to remain in their own silo.
davy_crockett_slayer@reddit
Oh, you can absolutely use OpenSSL on Windows, I just don't like it. I'm a big fan of using native tools for the problem. OpenSSL (in my opinion) is great for everything but Windows. With Windows, you can use a request.ini file to do everything for you. It's great.
Prestigious-Gas-7157@reddit
Do you have a good source on learning about SSL?
distracted_waffle@reddit
OMG same here, they just don't understand public/private keys. Tried 10 times to explain in an ELI5 way but they just don't get it.
ka-splam@reddit
One to lock, one to unlock.
dustojnikhummer@reddit
I will give you my lock. You can put it anywhere, but only my key can unlock it.
Jimi_A@reddit
This ...
I explain it to my team as: The public key, any one can get, and this is like an opened padlock. You can apply it to things and lock them. The private key, only I have this, and is the only key that can open the "public padlocks".
P10_WRC@reddit
Yeah it boggles my mind how little people know about ssl certs. They just can’t grasp the concept at all much less the differences between CAs and how they are used
zvii@reddit
You really don't even need to understand them. Just set alerts to remind you, renew the certificate with your provider or whatever, and then run through the documented commands to implement the new certificate. Thankfully I only manage a handful of cert updates, but after doing it once and documenting the commands (Linux environment), I can run through it in 30 seconds. I take more time to validate my syntax than anything.
jaymz668@reddit
so many people think they are magic and can not understand that often the whole chain needs to be applied to and endpoint, and then often it's trial and error to get it on that endpoint because it's poorly document by the vendor. This is going to be a nightmare with shorter times, we already spend half an employee keeping all our team's certs updated
bbqwatermelon@reddit
Not really, at some point you will be "aggressively invited" to document the actual steps for the less inclined to follow.
Hashrunr@reddit
Most people simply can't learn. I have recorded sessions I point to every time shit like this comes up. The technically un-inclined manager insists on a training session anyway which ends up being a complete waste of time because nobody on their team understands basic fundamentals. It's like teaching carpentry to people who don't understand why a hammer works.
elpollodiablox@reddit
Maybe if it was a different set of coworkers. The ones I have show zero interest in learning. Besides which, the platforms where certs are applied are almost exclusively in my portfolio. For those which are not, I'm called on to obtain them. Every single time I have to walk them through the process of generating the CSR, then provide them the cert and tell them where it has to go, and what other steps need to be taken to install it into whatever application. I just had a long fight trying to get someone to understand the concept of a Common Name. He refused to give me temporary admin access to the appliance interface to generate the request, and instead kept providing me ones with the incorrect CN, or with an IP as the CN. It took four tries before he finally got me a request with the proper CN, and even then he had an incorrect SAN in there. I would have done it all for him, but the thought of trying to talk him through importing the key made me want to curl up into the fetal position.
As for my manager, he has bigger fish to fry. He is only concerned that I provide the invoice so he can reconcile the expense at the end of the month. If someone went bitching to him he'd tell them to go tell it to a wall.
Accomplished_Fly729@reddit
But is it job security for a job you want to do?
mynumberistwentynine@reddit
I'm in this comment and I don't like it.
WraytheZ@reddit
Do you configure the certs via browser or ssh?
kukari@reddit
Put nginx in front of those appliances.
mycall@reddit
Why can't it be automated using screen scraping?
borcborc@reddit
I put what I can behind an app lb with an auto renewing certificate. The app can have a self signed cert that lasts 30 years or just listen on http.
CBITGUT@reddit
Tell me more of this app load balancer please
Hashrunr@reddit
nginx reverse proxy is a good place to start.
tsuhg@reddit
Ha proxy Nginx proxy manager Caddy
Moist_Lawyer1645@reddit
Do some research on reverse proxys, they're a front door in a sense.
pmormr@reddit
You connect to the app lb instead of the app directly.
App lb accepts TLS connections on the front, and the certificate is hooked to that.
When you connect to the TLS port on the app lb, all it does it connect to the app behind the scenes, on your behalf. It can be programmed to do this behind the scenes connection over whatever you like. Could be HTTP, could be TLS that also ignores certificate errors, etc.
Darkk_Knight@reddit
On pfsense I use HAProxy for that.
dukandricka@reddit
#BringBackPlaintext
narcissisadmin@reddit
Nginx for the win.
Ok_Series_4580@reddit
And this already sucks
narcissisadmin@reddit
You're waiting until the last day to replace them? Yikes.
lart2150@reddit
Throw it behind a load balancer that can automate the cert?
Avas_Accumulator@reddit
Cloudflare is great for this, however there are solutions where one just can't and the manual way is the only way. But if we're talking in two years time, perhaps there's been enough planning time for the solutions to have caught up.
Box-o-bees@reddit
I've actually never understood why certs just can't be set to auto renew. Is there a particular reason fo that?
tacotacotacorock@reddit
Security. When you renew you get a new cert/key. These proposed shorter times seem more like a way to take domains from people or have more potential If they lapse.
Electrical_Media_367@reddit
Technically, on a renewal, you reuse the key and cert (which is called a CSR when it’s unsigned). The CA signs your cert/CSR and gives you a signed certificate to install on your end. Typically with one or more intermediate certs. The CA should never have a copy of the key, and it should never be duplicated/sent anywhere, as that would allow a third party to impersonate your site.
narcissisadmin@reddit
I never reuse my keys.
I_Never_Sleep_Ever@reddit
Why not?
FreeK200@reddit
Same here. The whole point of refreshing the cert is to say that "the old cert is no longer valid." If I want to reuse the key, why not extend the certificate lifetime to begin with?
TheBestHawksFan@reddit
How could they take domains? SSL cert have nothing to do with domain ownership. I own a few domains that I don’t use, why would I need to put SSL certs on them if they don’t do anything?
INSPECTOR99@reddit
" more like a way to take domains from people" Please ELI5 what does CERT Renewal have to do with Domain Name "OWNERSHIP" / "RENEWAL" ? ? ?
ScannerBrightly@reddit
When you apply for a cert, they verify you own the domain by requesting a TXT record or something similar.
INSPECTOR99@reddit
O.K. so I hear you on the "VERIFY" Domain Name Ownership security communication, but that still has nothing to do /tacotacotacorock's intimation that a cert renewal "failure" would have any affect against actual Domain Name "OWNERSHIP" proper. Simply the cert renewal would fail leaving the Enterprise in scramble mode to restore net (secure) communication operations. :-(
Box-o-bees@reddit
Makes sense. If it can't be completely automated, they could at least have some simplified approval process or something if they are going to force such short expirations dates.
No-Honey8906@reddit
This is the exact reason our team is switching to eMudhra for our CA. Too much crap ahead in this space, but they seem to understand/be prepared for the future. Can't wait to leave our use of sectigo in the past.
mathmanhale@reddit
As someone who hates certs. Please explain this more to me and point me in the direction I need to learn/resources.
Brufar_308@reddit
A good place to start might be “letsencrypt” and the acme automated certificate renewal. Should give you a better understanding of the whole automated renewal process.
We looked at a product from sectigo to handle automated renewal for our handful of certs. Price was a bit more than we were expecting for our small environment. Going to stick with manual renewal for now, but if they cut lifetimes from 1 year to 45 days that workload to manage certificates increases quite a bit.
No-Honey8906@reddit
Im curious to hear what you think about eMudhra. As they are kind of disrupting the CA market right now. They have their CLM built into their whole UI.
Reverent@reddit
Have you heard of our lord and saviour caddy?
Stable, efficient, dead simple to configure. Wack it on an edge appliance or DMZ VPN and away you go. Most server configurations take 1-2 lines.
Brufar_308@reddit
Thanks. Adding this to the list of solutions to investigate
Mike22april@reddit
Doesnt the full automation with ACME only work with webcomponent servers? You would need DNS automation for any non-webserver, right?
Longjumping_Gap_9325@reddit
It all depends. Sectigo uses Organizational Validation, so as long as the domain is validated to be used in Sectigo via the DCV process, you're good to go as long as the domain is in your ACME enrollment end point (you can create multiple "account" endpoints)
This works for RFC1918 systems too if you don't want or have the infra setup for a private CA (and lack of ACME I assume most of those options have?)
Works great, BUT even 1 year DCVs as they are now absolutely BLOWS as a large org and I wish there was some sort of automated way to handle that as well
VexingRaven@reddit
You don't need to have a web component to use it, but you do need to be able to run a web server specifically for the purposes of renewing certificates. That web server can host just the ACME challenge if you want. Or you can use DNS challenge, which is what I do because IMO it's just so much better and easier.
Tetha@reddit
To be specific, the HTTP challenge works for single-domain, public web reachable, HTTP / HTTPS servers. (iirc, LE validation accepts invalid TLS certs so you can automate the setup of a server by starting up with self-signed certs first and rotating to LE-Signed certs after first challenge).
Wildcards, and things not using HTTPs? need the DNS challenge.
If you are worried that the DNS challenge opens big permissions into your DNS infrastructure, you can use aliases. So if you have a DNS setup supporting it, you can setup control for acme for records in "*.oh-no-if-you-see-this-in-a-mail-call-tetha.company.example" and CNAME the acme challenges over there. This way you can sandbox these DNS challenges if your setup allows that.
Or you can just delegate this particular zone to a provider supporting automation via acme and point CNAMES there and keep control over everything else statically.
Brufar_308@reddit
looks like I responded out of thread when the person I responded to was talking about more info on using a load balancer to resolve the issue when acme isn’t an option.
One Can get lost in these long threads at times.
No-Honey8906@reddit
All you need to know, don't use the big names right now. Theres a disrupter in the CA market called eMudhra. They will sweep the floor for issuing certs in the next 5-10 years. They have all the necessary tools to combat the crap thats ahead.
RedditNotFreeSpeech@reddit
You can use a tool like haproxy to do all the automated certs and you setup dns to go to haproxy and it can talk to your other services. I do this at home and leave everything unencrypted except for haproxy and haproxy is the only way to access anything
lart2150@reddit
I've been in aws lately so it's been a while since I've done a self hosted load balancer but look at something like HAproxy + certbot.
users would start a tls connection to haproxy. haproxy would then connect to the backend service and you would user a different cert for that connection that you issue.
nethack47@reddit
That is fine when you are exposed to the internet and have control of the domain.
The internal production services running on servers completely separated from the internet and which need a wildcard doesn't do that. We are going to have to dump the cert and go MTLS self signed.
Setting that up will be a complete mess to setup. It probably will be less secure. Worst of all, we'll probably have it flagged in pen-tests and all the scanners.
xXNorthXx@reddit
*F5/Citrix enters the chat*
awit7317@reddit
I hear that you have a large IT budget. Let me take care of that for you.
bohiti@reddit
It’s Load Balancers all the way down
bernys@reddit
Certificate management products like keyfactor / Appview-X and Venafi will happily automatically rotate certificates on these platforms.
raip@reddit
If only KeyFactor wasn't a giant piece of shit.
jflook@reddit
I second this
Mike22april@reddit
They are?
raip@reddit
At least our implementation of it, which was pretty pricy, is just a fancy web-wrapper for AD CS that fails constantly. Actually, configuring automated renewals through is painful and becomes of an issue of managing "store locations". The only feature I've actually found helpful so far is their discovery process which isn't much more robust than an nmap.
Mike22april@reddit
Oh? I thought their discovery tool was pretty cool based on what I read. So its nothing more than a port scanner?
raip@reddit
It's a little more than that since you kick it off and then it just records and onboards everything - but not worth the 800k-ish annual bill we're giving them every year.
Mike22april@reddit
How much????????? 🙈 Is that just for the scanner and the management, or also includes publicly trusted issued certs and automated enrollment? Maybe a dumb question from my side..... How many certs do they manage for you for how many end-points?
raip@reddit
KeyFactor doesn't own a Public CA.
That's for a hosted installed with an HSM backed internal CA and a 3rd party CA Gateway for HydrantID.
We've got 277 certificates issued through KeyFactor, almost all in KeyVault.
bernys@reddit
You really need to re-negotiate your pricing / change vendor. My pricing is less than a quarter of that and I don't want to tell you how many certificates we manage.
raip@reddit
Thankfully it's not my money. I'm just an Engineer that helps support the platform (IE: I wrote the KeyVault plugin for us that allows the Universal Orchestrator to login to our KeyVaults and rotate the certificates within our requirements - the baseline version doesn't support certificate based authentication with a service principal).
If it were me, I'd scrap it and throw all of our applications behind CloudFlare (which we also have...with their Total TLS offering as well).
Mike22april@reddit
Thanks for being so open about that. Seems very steep indeed.
But are those 277 all automatically enrolled as well to those end-points? Or do you deal with that (semi)manually?
raip@reddit
They're all automated. When a new application is stood up and a new cert is required - that's semi-manual as the application team needs to login to KeyFactor to enroll the new cert.
maddprof@reddit
That's interesting - our hosted implementation of keyfactor has been pretty rock solid and easy enough for us to use. Maybe it's just our small footprint overall.
Kodiak01@reddit
"What are you doing, step-balancer?"
wrs_swtrsss@reddit
“Take this cert chain”
whatupfoxxy@reddit
Kek
whythehellnote@reddit
I just use apache, but I guess I'm old
Moist_Lawyer1645@reddit
Apache and nginx, nothing else needed
anon-stocks@reddit
"Throw it behind a load balancer that can automate the cert?"
\^\^ This \^\^
Moist_Lawyer1645@reddit
Don't forget to throw a long life ssl cert between the LB and web server if you want to maintain security. Screw their lifetime rules.
zqpmx@reddit
This is the solution.
arwinda@reddit
Serious question: how are the appliances updates when there is a security problem.
bbluez@reddit
Agreed. Especially with legacy encryption - how are the vendors handling it?
Nu11u5@reddit
It's not that the systems are not receiving security updates. The vendor simply didn't design a way to automate certificate enrollment and renewal.
durkzilla@reddit
This is a vendor issue. It's not like the CA/Browser Forum has kept the plan to shorten certificate life cycles a secret, or that there is a big push in the industry towards automating certificate processing. I'd encourage sysadmins to stop yelling at the CAs and start yelling at their vendors that are still operating like it's 1999.
Flashy-Bus1663@reddit
Complaining to a vendor puts the business relationship at risk, and I am sure alot of vendors have their customers by the balls.
acdha@reddit
That’s very cynical – usually that’s an excuse to accept poor quality rather than do the work to build something better – but in that case you’d welcome the browser developers improving your security. A vendor might tell you no, but they aren’t going to say you can’t use Chrome.
Seth0x7DD@reddit
How far are we with IPv6 adoption? How long has that been a thing? Stuff moves at a glacial pace when it comes to these things. It has been just last year or so when I had the issue of downloading adoptium java with a IPv6 only machine ... it wasn't possible, the AWS storage wasn't accessible by IPv6.
Wonderful_Device312@reddit
In the enterprise space? Either you buy a newer version of the product from the vendor or you buy an add on product that handles the problem or you hire a consultant that will advise you do both.
arwinda@reddit
Time for this market to be interrupted.
Azuras33@reddit
That's the neat part. You don't.
No-Honey8906@reddit
This is a big reason a lot of people are making the transition to eMudhra. Their CLM makes it so much easier. Im hoping I can convince our team to make the switch soon to them to avoid all this crap thats ahead.
narcissisadmin@reddit
Dunno, man, I would put a reverse proxy in front of the appliance and have it just ignore the certificate error.
We had a keycard system with a self-signed certificate that couldn't be replaced.
Nu11u5@reddit
One case I dealt with this week is an AV controller. It has an HTTPS API to allow third-party devices to interact with the AV systems. However some of those devices require that the SSL cert is issued by a public CA. Everything sits on the same subnet and even relies on discovery protocols but it needs public certs.
I opened a FR last year with the vendor to allow importing private CA certs but its ETA was bumped back to 2025.
TwoBigPrimes@reddit
Name names.
TwoBigPrimes@reddit
Can you be more specific?
KittensInc@reddit
Yeah, that's pretty much why they are pushing for those changes in the first place.
Time and time again CAs with security incidents try to delay invalidating old certs because there is some customer with "critical business requirements" who need "a few more days" to handle it. Companies built entire multi-month workflows around cert renewal, and end up completely unable to rapidly refresh their certs when anything unusual happens.
With a 45-day certificate validity you are forced to automate it. Having a complicated manual process is simply no longer a possibility. And because it is mandatory every appliance vendor is also forced to support automation. If they don't, nobody will buy from them.
2027 is perhaps a bit early as equipment isn't routinely retired after 36 month anymore, but we should definitely get the "not having automated renewal is a dealbreaker" message across to appliance vendors - and sooner rather than later.
lucidrenegade@reddit
Then those CAs need to be distrusted. It's been done before with Symantec years ago. This whole '45 day' thing is like performing surgery with a chainsaw instead of a scalpel.
broken-neurons@reddit
I also have a VCR that doesn’t support Netflix and only plays video cassettes.
CatoDomine@reddit
Yeah, appliance vendors need to get off their asses and build support for automated certs.
DarthPneumono@reddit
Can I ask why/how?
Nu11u5@reddit
Devices with web consoles can be automated but would need something like Selenium.
DarthPneumono@reddit
Well, yeah, that's my point. Tools exist to automate web applications too, including plain curl.
gonewild9676@reddit
I have certs on customer systems that run our software but we don't control. The only way to automate an update is to get admin rights on their systems, which we don't want.
A once every 11 months fire drill is enough.
KittensInc@reddit
If it is properly automated, it isn't a fire drill. It's a non-event, happening quietly in the background. Just like, say, log rotation or backups.
Orrrr, you add a "rotate-cert" CLI command to your software, so that the admins deploying your software can automate it for you. Alternatively, integrate it with something like LetsEncrypt so it can provision its own certificate: this is absolutely trivial for services who expose a web server to the open internet, and can also be done fairly easily if your DNS provider has an API your software can hook into.
Other software is already doing this. You have to think in terms of possible solutions, not go looking for reasons why it is impossible.
gonewild9676@reddit
Some of them have IT staffs that do automate it. Others are small mom and pop type shops that have to be manually walked through it. It is down to either a manual "check for updates" call while logged in as an admin or a pushed app that does the update. But getting admin rights for some people is like pulling teeth. I could have a windows service that logs in as an administrator do the update, but that's a security issue as well, plus it has to be updated if they change the admin password.
Either way, there is zero benefit for this change. We used to have 2 year certs.
If someone feels the need for shorter timelines then they can order them that way.
WeirdlyCordial@reddit
there are very real benefits to shorter certificate lifespans being enforced by end user devices
fadingcross@reddit
Then those network appliances will need to be updated or thrown away. If not the former, they're likely insecure anyway.
TalkNerdy2Me2Day@reddit
Yeah, that's going to be a good time alright, but at least IT and MSPs will be even more indispensable. We're in the right spot given that AI and automation are taking plenty of jobs over the next 10 years.
NGL_ItsGood@reddit
Why can't they be automated? Couldn't a simple script to check certs and send emails be implemented?
Nu11u5@reddit
We have a system that sends alerts, but that's not automation. Automation would be automatically renewing the certs without any manual action.
Merakel@reddit
Very skeptical it can't be automated, unless you have to load the certs from like a USB drive lol
PlannedObsolescence_@reddit
Now that sounds like a challange :)
I bet it's doable to automate with a networked KVM that allows you to 'connect' a virtual disk image as a flash drive.
Merakel@reddit
If it's networked it's doable haha. I run a team of automation engineers whose spend all day automating things people have said can't be automated.
khobbits@reddit
I think the point here is that there is quite a long adoption time here.
If this rule get's approved most vendors will have time to get their shit in order.
That said, if you've got a lot of legacy apps, that will realistically not see software updates, you can probably just click through the warning.
Personally, I have never put a valid SSL certificate on a server IDRAC. I'm happy to just click through the insecure warning every time.
Reverent@reddit
Also there's plenty of ways to handle this situation.
NebraskaCoder@reddit
A private CA is going to have the same limitations as a public one. They usually enforce the restrictions in the browsers.
Seth0x7DD@reddit
I don't think the adoption time will be that long. Apple essentially enforced the reduction of the time previously. It is big enough that a push from their end will bring movement.
There are ways to mitigate that but in the end, if browsers enforce a 45 day limit you will have to setup your stuff to work for endusers.
throw0101a@reddit
Not really? We're towards the end of 2024, and they want to do this in 2027, which is kind of three years away but really more like two.
Hardware refresh cycles on a lot of gear is way more than two years, and even with software updates (and if you're in 'legacy' mode, where it's only security updates and not new features), that's a big ask.
dRaidon@reddit
If they can be accessed via ssh, they can be managed with Ansible.
arav@reddit
There are tons of unknowns, even if you can put the new certs. Some older hardware I worked with required a complete restart to apply the new certs.
1esproc@reddit
No, that's a complete oversimplification. These systems could have databases of unknown formats managing their config files or any other number of things preventing simple automation. Just because something has SSH, doesn't mean you can automate it and if your vendor doesn't support you doing that, you're asking for a bad time.
I_Never_Sleep_Ever@reddit
Disagree. Ansible has plenty of modules or options to automate anything that has SSH. Lack of vendor support sucks yes, but it can be done.
xCharg@reddit
While true, access via ssh doesn't guarantee you can upload new certs there. And even if you do - it doesn't mean software will know about it and process it properly.
I've got two examples:
vCenter stores certificates in some database/registry kind of way. I'm not really competent in vmware stuff to provide more technical details but point is - it's not just text file in a directory that nginx reads, like in basic scenario. Granted - yes, vCenter does have utilities to automate "upload" of a cert into it's backend. I'm bringing vCenter as example because it's widely known product - I also have other very niche system where it also stores certs weirdly (something like sqlite database but we don't have a password for that) and only way to automate it is by using their specific commandline tool which is interactive only to upload certificate.
some time ago I've we had a firewall appliance (kerio control) that basically has readonly filesystem mounted onboot. You can ssh into it but can't do anything other than look at it. Thankfully we've got rid of that, it was crap for many reasons and that readonly thing isn't even in top20 but point is - other systems might use that or similar approach and again ssh is available but certificate update-wise is useless.
theadj123@reddit
There are multiple ways to deploy certs to/through vCenter (including making it a subordinate CA in your existing PKI, which is what many people do) and it can 100% be automated end-to-end.
Any platform that generates a CSR that you must use for the cert issuance (which vCenter is one of) due to keeping the private key is more than a 1 step 'dump a cert on the file system' process. Just because you have to pull a CSR out doesn't mean it can't be automated.
One of the many use cases for a LB/WAF, put that in front with the 'real' cert and leave a dummy cert on the device that can't be managed.
xCharg@reddit
I know, but that's beside the point. vCenter is just an example of a system that ticks both boxes:
certs stored not in a text file format
product known to pretty much everyone here
You know certificates aren't a web-exclusive technology right?
theadj123@reddit
No, that was exactly the point - if you read further in my reply. vCenter is a common example of a system that holds onto the CSR for signing purposes, which is a common thing done by many popular systems that have an interactive setup out of the box. Most of them can be automated, and all the popular ones I've used have been. Dell OME is another common example I've dealt with that is solved in the same way. There are like examples of systems that don't let you automate this, but your example isn't one of them.
Try being less condescending. You can run many protocols through the either of those, not just HTTP rendering. I have unencrypted 514 syslog traffic that is terminated on F5s, many devices don't do anything but 514 UDP for syslog. From the F5 out to anything else reading the logs its encrypted TLS traffic with certs on the F5 and the devices are none the wiser about it.
xCharg@reddit
It literally is and I provided example of one such system twice and you ignored it both times.
theadj123@reddit
vCenter has a REST API that includes commands for issuing and renewing certificates, how can that not be automated? I would know since I wrote an Ansible playbook automating this very thing using the Automation API. The certificate-manager is just one interface for cert management, it's not the only one and most major applications/platforms are similar. It's like saying "I cant automate Windows PKI because I don't have options in the MMC to do" when certutil or powershell exist.
https://developer.broadcom.com/xapis/vsphere-automation-api/latest/vcenter/certificate_management-vcenter/
I'm not ignoring your example, it's a bad example.
xCharg@reddit
What part of that are you not getting? https://i.imgur.com/WGUgxqR.png
theadj123@reddit
I get it just fine. vCenter uses its own keystore, no different than every major OS and all apps using something like jks that requires openssl to interact with a separate keystore from the OS. No app/device that requires using a locally generated CSR+key is going to let you copy/paste the cert text/file, and your provided example requires a CSR generated from the app itself. You can replace the certs on other vSphere components (Machine certs on vCenter or ESX, or the STS SSO cert on vCenter) directly via copy/paste as they don't require the key to be generated from the app/device themselves.
You also went on to say a few other related things :
As described below, this is not true as you can manage it completely over SSH. Some certs are in the VECS keystore, others are flat files - /var/lib/vmware/vmca has certs/keys/crls in it for example, along with the VECS .db file.
That is clearly incorrect, so which is it - you want to be able to copy/paste the cert or encrypted text or you think vCenter's cert management is a GUI/TUI only option? The former is rarely needed and the latter isn't true.
The 'binary tool' you mentioned is fact can be used non-interactively, via submitting a .CFG (this is the same method you use to interact with many CAs using an .INF) to generate a CSR, which you can retrieve via SSH to submit to a CA. You can submit the cert+csr back to cert-manager the same way, non-interactively. This can be done 100% with SSH/SCP and not require interaction at all.
This is also incorrect
I've already shown the API method, which will let you do this entire process via CLI (which includes SSH and meets your initial requirement), but you can directly manipulate the cert store as well. You can SSH certs onto vCenter, you need to use the vecs-cli or dir-cli commands to actually load them into the cert store (VECS) so they're recognized. That's no different than using certutil/pwsh for Windows keystores or adding a cert to an application's jks or /etc/ssl on *NIX machines/appliances using openssl.
xCharg@reddit
Duh. I'm just going to assume you are trolling.
Twice I provided an example of a separate appliance which is not vCenter, multiple times I've clarified that vCenter was used as example of a system that doesn't store certs in plaintext only and that part only. The only relevant part about vCenter was the way it stores certificates - that part only and nothing else. Many times I've mentioned that I do know that vCenter can be automated and I'm talking about other system, which is not vCenter, and unlike vCenter can not be automated. No it does not deal with CSRs. It doesn't support them, it doesn't generate them, it doesn't accept them. At all. No it doesn't have REST API. Or any API. It just doesn't. Again, it's not vCenter - it's that other system I did not name because it's a niche software which is local to my region and no one here wouldn't know about hence I never provided it's name. But it is not vCenter ffs. And vCenter's certmanager was also used as an example of interactive tool that this other system, which is not vCenter, uses and unlike vCenter can not be automated. I really do hope this is clear enough this time around.
But all you keep seeing and replying about is "by muh vCenter can be automated"...
=\
theadj123@reddit
I'm not trolling at all, your response style is not well put together and is also pretty condescending. Have a great day!
PlannedObsolescence_@reddit
Wouldn't both those examples be best served by an internal certificate authority? I can't think of a reason for wanting a public CA cert on either of those.
If you run you own internal CA, which many businesses do - you set your own rules. Sure that also means you are at the whim of your own technical competence to run a secure CA, but that's the cost of having full control of your own internal certs.
Basically the entire world trusts any certificates that a publicly trusted CA issues. There is a good reason to have more strict requirements even if they increase the burden, there is a clear security benefit to rotating public certs more often, especially with the very difficult to solve problem that is certificate revocation checks (but there is an excellent effort here recently with CRLite).
wildcarde815@reddit
because then you don't have to configure subordinate machines to see the cert as valid, it's valid by nature.
PlannedObsolescence_@reddit
Sure, but if these are corporate managed computers (eg Active Directory, or MDM) - then rolling out trust for your internal CA's root certificate is a single policy, applying to your whole fleet?
If you don't have an internal CA - as the in-house experience isn't there etc, but you do want to have full control of your certificates, you can even purchase enterprise PKI from a lot of CAs. They run a CA for you, and give you integrations for issuance etc. You still need to trust the root CA across your fleet of course, but you can have whatever certificate validity period you want.
wildcarde815@reddit
bold of you to assume access to that is granted to people outside central it. Tho I'm pretty sure they just don't have a pki configuration at all. and for myself we have to make things work with machines that aren't 100% managed, so the more transparent security is the better.
STiFTW@reddit
The problem is that browsers stop trusting certificates that exceed the (current) 13 months, and in the future 45 days. So while you can make internal CA issued certs that have longer expiration times, browsers will not trust them.
https://thehackernews.com/2020/09/ssl-tls-certificate-validity-398.html
DerpyMcWafflestomp@reddit
You might want to actually read the article you linked to try and prove your incorrect claim.
ChadTheLizardKing@reddit
iOS and MacOS both have a limit of 825 days or less for the validity period to trust any certificate. I expect other browser manufacturers to follow suit and implement similar soft caps.
https://support.apple.com/en-us/HT210176
STiFTW@reddit
I appreciate the correction, now I have something to go test today. While this should be fine for domain joined machines or an environment with a CA root certificate deployment, this would be still be problem for environments that are not able to push out trusted root CA to clients.
Crafty_Individual_47@reddit
No they won’t
PlannedObsolescence_@reddit
That article specifically says:
AnnoyedVelociraptor@reddit
There literally is a CLI for vSphere to do so.
xCharg@reddit
Read entire point, not just first word.
opti2k4@reddit
Developers 🙄
bernys@reddit
vCenter is actually great because it's a CA. If you give it a subordinate CA cert, it'll happily manage all the certs in the rest of your environment. They want to drop that down to 45 days, then, sure! Go ahead!
dRaidon@reddit
Ok, so it's not universal. But usually.
AnnoyedVelociraptor@reddit
If it has a web portal it can be scripted with puppeteer. And you don't even have to worry that something changes on the website as it is a 10 year old website on an unsupported device. Otherwise it would support backend-certificate refreshes.
corruptboomerang@reddit
For a lot of organisations, that's not an ideal solution. But granted it's an option.
wildcarde815@reddit
you might be able to do it with a mixture of certbot (or one of it's alternatives) and some ssh automation / expect scripting as long as there is a command line tool to target.
BassSounds@reddit
Yeah he could use Ansible, I imagine.
diito@reddit
If you can update it manually there is 100% a way to automate it. It's just a question of the level of effort.
Nu11u5@reddit
Sure, it could probably be done with Selenium or something.
Sneak_Stealth@reddit
Id cry
salpula@reddit
I'm curious what network appliances you use that don't support automation? This would imply that they don't give you any API or shell access which is pretty rare to not have either. In my organization we had plenty of systems that would be a pain in the butt to automate against but we can do it.
burnte@reddit
Yep, this won't pass. The real solution is to separate identity from encryption. Let any server use a self sign cert for encryption, only require a CA for ID authentication.
Stonewalled9999@reddit
yeah tons here too. If the registrars had their way they's have to renew ever 16 hours just to drive sysadmins nuts.
webprofusor@reddit
Now is probably a good time to mention that at https://certifytheweb.com we are developing a new large scale certificate management server product. It will be optimized for managing many certs across many servers etc, first release is expected in the new year and will be very cost effective compared to typical "enterprise" products in this field. With decent automation cert lifetime could be 1 week (or 1 day!) and you still shouldn't have to worry about it.
xXNorthXx@reddit
What a dumpster fire. If the application isn’t iis/apache this will be a nightmare.
admlshake@reddit
I can already read the MS marketing....
"Move all your workloads to Azure and you CAN automate this! ^(Automation requires Azure BS5 subscription. IIS Automation services requires FU9 or higher tier subscription.")
ilrosewood@reddit
I only budgeted for FU8 :(
TurnItOff_OnAgain@reddit
We've been stuck on FU6 for years due to an old critical business application requirement. The company who made it isn't even a thing anymore 😭
scriptmonkey420@reddit
Still stuck on FU2 here....
entropic@reddit
Don't worry, by the time you can afford the better Microsoft project, they will rename absolutely every product they sell and have an even more complicated and expensive licensing regime for it!
Tech88Tron@reddit
Certify The Web works GREAT with IIS. Full automatic.
xXNorthXx@reddit
Yes it does, legally in a business setting is another issue. Effectively requiring another 3rd party paid add-in is the issue.
gaysaucemage@reddit
I use Win-Acme, it doesn’t look as nice as Certify the Web but it’s free and works good enough on IIS.
archiekane@reddit
I have this on an old internal exchange that I have to keep alive.
Once every 90 days, open the port on the firewall, run win-acme, close the port. All to stop the self signed error on ECP should we ever have to use it.
Don't ask, I i don't want to talk about it. Bloody legacy annoyances.
BlackV@reddit
You could do it via DNS and never have to open a port ever
farva_06@reddit
You should use DNS challenge instead, and you won't even have to open inbound ports anymore.
The_Penguin22@reddit
Don't you need a new .txt record every time?
Darkk_Knight@reddit
Yes but that is what that tool does.
1n5aN1aC@reddit
I don't understand how this improves security though.
I do use ACME for a few things, but currently only HTTP challenge. If you use DNS challenge, don't you need to basically give all your servers permissions to update DNS records? Isn't that a bigger security issue than having certs last a little longer?
Darkk_Knight@reddit
On Cloudflare I've setup the security token to only update the DNS records on certain domains. Also I make use of IP restrictions.
Model_M_Typist@reddit
I've been moving to this and it is great.
PlannedObsolescence_@reddit
So really you should be using an internal certificate authority, but I understand if you have very little requirements for on-premesis certificates you can get away without one. Just you are now at the whims of the global CA system rather than one you control.
Why not use dns-01 if you are using ACME?
If you have example.com, and run an internal DNS zone in your AD etc for ad.example.com. Then you make a public DNS zone for ad.example.com. It'll basically stay empty all the time - but when your ACME agent needs to verify domain ownership, it adds an ACME challenge record into that public zone then deletes it when done. No need to actually expose your internal systems to the internet.
Here's a list of plugins for certbot as an example. The only real concern, is that you need to take caution with the permissions you grant the new user for this purpose in your public DNS zone's authentication system. For example I use a policy in AWS IAM that restricts the certbot IAM user to only creating / deleting resource records in the one zone ad.example.com, and only from that known outbound IP. And because this zone is not actually used for any other systems, there's no real concern of a compromise. I also have alerts if a record is ever created that isn't 'acme-challenge' in the case of a credential compromise.
TotallyNotIT@reddit
WHOOPS DELETED
Problem goes away, join us at r/ShittySysadmin
purplemonkeymad@reddit
I thought win-acme suppored pre and post renew actions, you could automate the firewall part too.
Windows-Helper@reddit
If it is local only just use a Windows CA then?
newboofgootin@reddit
I've had win-acme running on dozens of servers for years. Works very well and if you know powershell you can make it work for almost anything.
xXNorthXx@reddit
We use win-acme currently. The change would effectively turn ACME support into a required base function which doesn't exist within IIS today. The bigger fallout I could see is for all the IIS deployments SMB's that don't do scripting.
trail-g62Bim@reddit
Can you explain? Why is there a legal issue?
xXNorthXx@reddit
https://docs.certifytheweb.com/docs/faq/
"If you are using this application within a business or funded organisation (beyond a temporary evaluation) you are required to purchase a license key."
trail-g62Bim@reddit
I dont see the problem. Or do you mean using it legally without having to pay?
xXNorthXx@reddit
Correct
sleepybeepyboy@reddit
Yeah this is going to suck straight up
sryan2k1@reddit
win-acme works just as well as any other ACME client like certbot
Ziegelphilie@reddit
Been running it happily for 7 years and counting.
Zncon@reddit
Depending on the security posture, some orgs simply wont allow 3rd party software at all. They need native support.
DigitalEgoInflation@reddit
Yeah this is my go-to and I’ve been quite happy with it
spokale@reddit
I'm using IIS central certificate stores, which in theory can pull .pfx certificates from a DFS replicated directory that gets populated from letsencrypt on the loadbalancer in front of them via SFTP. The issue is that IIS central certificates feature is quirky as hell and seemingly doesn't work at random.
SelfEnergy@reddit
People still use IIS?
mb194dc@reddit
Meanwhile how many breaches will this stop ?
Zero of course 😎
MandelbrotFace@reddit
100% this! It's like, show me the evidence of major incidents caused by certificate duration of 1 or even 2 years and that doing this will have a huge impact.
KittensInc@reddit
The risk isn't the duration, the risk is that many organizations are incapable of renewing their certificates during an incident.
There have definitely been compromised CAs before, such as Diginotar and Comodo for example. In those cases fraudulent certificates were issued for major websites like GMail, and in the Diginotar case it was discovered because someone was actively using them to MitM traffic! This is obviously really really bad.
Comodo was able to adequately respond to the incident, but Diginotar wasn't. Despite knowing about the incident they did not take any action to mitigate the fallout. Clearly Diginotar could not be trusted anymore, so their root certificate had to be revoked.
But Diginotar was primarily used by a national government to secure a lot of their core systems! Revoking them immediately would mean those people would be unable to pay taxes, register a new car, or do all the other things people use governments for. In this case the national government did the right thing: they sent out a press release that those websites could not be trusted anymore and should only be used when absolutely necessary, and worked tirelessly to immediately replace all certificates with ones from another CA. It took them three days. The very next day the Diginotar root certificates were removed from the first browsers.
Now imagine what would've happened if it was a more popular CA, whose certificates were used by banks, critical infrastructure, and Fortune 500 companies. Immediate revocation means those bank's customers can't buy groceries tomorrow, but not revoking the root cert means leaving every single website vulnerable to MitM attacks. If you're a CA and JPMorgan Chase is begging you to keep a hack secret and give them 30 days to renew, what do you do?
Short cert durations solve this problem. Everyone is forced to automate certificate renewal, so everyone is now able to quickly rotate their certificates. It is pretty much a single button press, after all. A CA can easily mass-email their customers, manually call the big fish, and still have time for a game of golf until the mandatory 24-hour revocation deadline is reached.
macrohard_certified@reddit
To be honest, governments and some large corporations should be their own root CAs. They shouldn't rely on other parties.
atpeters@reddit
That is exactly what the DoD does actually for a lot of their domains.
FreeK200@reddit
The caveat to this is that for those DOD domains, you're already likely to be a DOD employee, be it civilian contractor or military. In this case, it's a lot easier to say "Hey, if you want to access my pay or some other website, you have to install these certs." And in spite of the very clear instructions on how to do so, our service desk gets caught up very frequently with customers asking how to do so.
atpeters@reddit
Yup, exactly... For something that basic that is kind of crazy.
earlgeorge@reddit
That's fine for internal traffic. You can choose to have your machines trust any CA you want. But what happens if the government or big organization you refer to needs to work with the public? You'd need everyone to do work to trust your CA. Regular people don't go trusting CAs that aren't already trusted by default by the OS they're using. And if it became common practice to jist keep adding root ca certs to your trust store for every site that decided to roll their own CA, then the whole point of it is kind of lost.
Seth0x7DD@reddit
The German government has a public CA that works like that. It isn't really used for their public websites, but for instance if you want to send encrypted mail.
The absurdity is that the CA is run by Telekom. Which is already a company that has public accredited CAs. Hell knows why that CA can't be.
https://www.bsi.bund.de/DE/Themen/Oeffentliche-Verwaltung/Moderner-Staat/Verwaltungs-PKI/Wurzelzertifizierungsstelle/StrukturundMitglieder/strukturundmitglieder_node.html
https://www.bsi.bund.de/DE/Service-Navi/Kontakt/smime.html
lucidrenegade@reddit
Seems to me like the solution is strict regulation on who can issue public certs, and frequent auditing of their operation. If they fail, they are no longer allowed to issue certs. If they are ever compromised, they are no longer allowed to issue certs. If that puts them out of business, so be it.
narcissisadmin@reddit
No they don't. Not everything can be automated and there's still the issue of the timeframe between breach and discovery.
MandelbrotFace@reddit
It's still an issue with short term durations. If it's a fraudulent cert, as you say it needs to be sorted immediately. A day 1 or even day 20 compromise on a 45 day certificate is still devastating for a bank or military contractor or whatever. They need to act and get a trusted cert in place immediately. And these things are only usually found out when the public trusted CA revokes certs and informs customers.
The other issue is having automated cert renewals on all services/hardware. It's just not there yet.
Avamander@reddit
It's kind-of difficult to prove a misuse of certificate if the method of detecting that has not yet been implemented. Our other hope is OCSP Stapling, but there isn't enough interest in it.
MandelbrotFace@reddit
Tbh, I think the main risk is theft of private keys internally. Rotating keys more frequently helps with that but... Yeah ... I'd pick a different battle myself
narcissisadmin@reddit
Exactly. Recommend it if you like, but to force it? GTFO
adrenaline_X@reddit
like patching service 2 years behind.... fml
da_chicken@reddit
That's kind of the whole point. They don't know the scope of the problem but are claiming it's a necessary fix for a security issue.
But "No it isn't" is a valid counterargument to their claims because they have a fat load of nothing to justify it.
onlyroad66@reddit
I feel like so much of modern security guidelines are based off of what is theoretically good practice rather than a practical analysis of the actual threat landscape.
This is a feel good small change that companies do to brag that they're staying with the times rather than address the actual problem of letting corporations decide that user data is an acceptable loss in exchange for further cost cutting.
petrichorax@reddit
This is why I like NIST. The guidance is practical and evidence based. It's why I adore their password rules -- Length is king, don't rotate passwords on an automatic cadence, it causes more problems than it solves.
altodor@reddit
But those rules are a small part of a complete security posture, not to be adopted in isolation.
petrichorax@reddit
They were not made in isolation. Make a strong case for scheduled password resets
altodor@reddit
NIST has ending scheduled rotations as the final bit of a comprehensive strategy. An organization needs (among other things) detection of account compromise, something checking a blacklist with each change or reset, and MFA in place everywhere the credential is used. If an organization doesn't have those in place first, the NIST recommendation to cease password rotations does not apply to them.
For the record, I'm not a fan of scheduled rotations and I'm not advocating for them to be used. But I see disabling rotations parroted on this sub all the time without the prerequisite work being mentioned.
petrichorax@reddit
If you don't have MFA already you're hopeless to begin with.
altodor@reddit
It most certainly is not. On-prem exchange, ADFS, anything using LDAP isn't forced MFA. I'm over here trying to kill those. Using Entra for auth can use MFA, but it's not forced and admins/orgs can disable it. They're stupid if they do disable it, but they can.
petrichorax@reddit
When I was a penetration tester, I never used breaches to find passwords, I'd just do '!' Fall2024!, and variations of that.
Those are the passwords you end up with littered all over your network if you do rotations.
And those can be guessed under the limits of your lockout policy.
Your take is a misrepresentation of NIST's position on the matter. They don't say you should do these things first and THEN fix your password policy, they say you should also do these things.
There is no reason to gate these things behind each other. Do them all, do them when you can, I know how hard it is being a sysadmin at a dinosaur show, I've lived it.
altodor@reddit
In NIST SP800-63-b section 5.1.1, the requirements for things like not having hints, rate limiting, and forced rotation if compromised, are all "shall". That's "follow strictly without deviation" as they define it. Disabling forced rotations is a "should not", that just means "discouraged" as they define it.
You're preaching to the choir on disabling rotations. Like, you don't need to convince me, I'm not over here going "no, fuck you, my users must rotate passwords forever because muh old school" but that seems to be what you're writing against (I am in fact, 2-3 apps away from my entire org being able to go completely MFA-based passwordless and never having to give a shit about my users' passwords again). I'm only saying the NIST docs do not start and end the story with "disable rotations", which seems to be all anyone ever remembers is in that doc, likely because they've never actually read it themselves.
petrichorax@reddit
Forced rotations is not the same thing as scheduled rotations, I think you're conflating these ideas, which is somewhat understandable because of the word 'rotation' which implies a periodicity.
Forced rotation on compromise = your password hash was found in a breach/leak, or we guessed it, change it
Scheduled rotations (aka password expiration)= change your password every X number of days
You should 100% be disabling password expirations no matter what.
Forced rotation on compromise should never be disabled.
It comes up a lot, that and dumb password complexity requirements, because it generates a shitload of tickets. The other ones do not. They're also really annoying, and we love to bitch here.
Not much to talk about with the other password recommendations. But turning off password expiration is an immediate ticket reducer.
Also, here's something that might terrify you that you might not know. If you don't have a password manager for your employees, they are likely saving them in their outlook notes, which cannot accessed easily with powershell, cmd, or graph.
At one place I work on, I asked 15 users across the org in person, and all 15 were doing this, and they were all in finance.
--
Good job on gunning for passwordless, it's nice. Hope it catches on more.
altodor@reddit
I do not have the two concepts confused. It was incredibly late at night for me (pushing 2am) and unfortunately in my stupor I picked the wrong word to write (I tend to think of scheduled as "forced" and "compromise response" as "emergency" and forgot to filter that back out). Scheduled rotation is the "discouraged but not prohibited" one nestled in with a bunch of "required and do not deviate" so I tend to read it as "finish here after doing everything else".
I have no doubts my users are doing absolutely shitty things with passwords. I have most of the "shall" requirements implemented in there preventing the worst of the worst at least, and I don't hear from my help desk that anyone is complaining or struggling with any of it. I'm trying to gently nudge the boat in the right direction, not capsize it by dragging it too fast.
RedShift9@reddit
💯💯💯💯💯💯
anothergaijin@reddit
Yes, because it is far better to be proactive than reactive when it comes to this stuff...
HotTakes4HotCakes@reddit
"Proactive" isn't a blank check to break as many things as you like in the name of hypothetical security.
anothergaijin@reddit
Should have thrown the word reasonable into there. Where there is a reasonable risk that action should be taken, being proactive is a good thing.
da_chicken@reddit
That's exactly how we got 4 week password rotation with 25 remembered passwords.
Windows_XP2@reddit
This is exactly how I feel about forcing people to change passwords every 30 days or some shit. I can't really see a good reason why it exists besides pissing off users and encouraging them to write down passwords on sticky notes, and causing dozens of other problems.
broken-neurons@reddit
More likely it reduces downtime because someone forgot to renew a certificate. I swear 50% of our incidents are simply due to our various tech teams forgetting to request a renewal of a certificate from our security team.
rabblerabble2000@reddit
Won’t this just get people used to ignoring legitimate certificate issues? Seems counterproductive honestly.
Reverent@reddit
Incorrect. Lots of modern authentication standards rely on certs, not just mTLS. The whole point of shrinking the renewal window is to force the concept of passive revocation: where if a private cert gets leaked, the window that it is useful is small enough it doesn't matter.
It also forces organisations to adopt automated renewal toolchains, which has a byproduct of forcing them to modernise their IT practices, including security.
altodor@reddit
A big one of those modernization practices is stopping small shops from buying one wildcard and shotgunning it everywhere they have a web server.
xxdcmast@reddit
If nist requires password changes only when supposed breached tls should be the same.
Dodough@reddit
No, it's definitely not the same.
A password change should be done even if "only" your hashes were breached.
In the case of certificates, you can start brute forcing the private key as soon as the public certificate is shown to you. It's as if the hashes of your passwords were instantly leaked.
My guess is that they anticipate rapid improvements in algorithm cracking methods.
xxdcmast@reddit
There has been no practical demonstration of this crack you mention. I’m sure nation state actors have the horsepower for this, maybe.
Dodough@reddit
I know that, that's just the reasoning why certs need to be rotated. Let's take advantage of the 45 days expiration to learn about automation
FakeNewsGazette@reddit
Yes, it’s called quantum computing
Avamander@reddit
No, it's not the same, but it is not as you describe.
Certificate lifetimes significantly reduce the time they can be misused (if stolen or misissued) and they force automation. The amount of incidents due to lapsed certificates is significantly higher than the amount of misused certificates, but this solves both.
Nobody is expecting RSA or EcDSA/EdDSA to be broken any time really soon. For those scenarios we have the newly standardized ML-KEM and its friends.
chicaneuk@reddit
Exactly why this pisses me off so much.
chase32@reddit
Doubt that is the purpose. More likely they want to get more of a lockdown of CAs and then have the ability to deny a new cert on a shorter timeline if they don't like your site.
lebean@reddit
All of our certs are automated so short lifetimes don't really affect us, but I'd still tend to agree with you that it's security theater. One or two year certs were totally fine.
2drawnonward5@reddit
I doubt it's about security. I think it's about pushing the tool chain so things work different. Nobody likes the classic methods either so they're at least moving away from manual.
Whether it'll be better than old school methods will depend on your needs.
steavor@reddit
Similar to "$AUDITOR said we need to disable TLS 1.0 and 1.1 immediately, it is DEPRECATED and a RED FLAG for them".
Well, if you can show me practical attacks on TLSv1.0/1.1, then sure, I might consider it. In the meantime I've got bigger fish to fry.
Heck, even SSL 3.0 (!) is vastly (and I do mean VASTLY) superior to "simply send the mail unencrypted" (opportunistic TLS for most SMTP speakers....). An attacker is not ever trying to decrypt in-transit data if he's got any chance to simply have Brian from Accounting click on a link in an email....
BuffaloRedshark@reddit
It might actually cause more due to people missing expiration or doing work arounds
HoustonBOFH@reddit
And how many will it contribute to when people turn off SSL when it is too much hassle?
bjb8@reddit
Ok now I am reminiscing about the 5 year certificates we used to use.
andrea_ci@reddit
why?
what are they worried for? stealing certificates?
oldRedditorNewAccnt@reddit
A lot of vendors charge for this. The motivation is money. It's always money.
PlannedObsolescence_@reddit
The ability to automate your certificate renewal should not come at an additional cost.
If your CA charges for this, then you should change to another CA that does not.
The CA/Browser forum baseline requirements don't currently require that a CA make automated renewal available for free, but I definitely remember a dicussion about including 'no cost ACME' in the requirements. I can't find that thread though.
ofd227@reddit
I'll save you time. It will never be offered for free
Ansible32@reddit
ACME is free. The only places it costs money are if you need EV certificates, and really EV should be retired, it doesn't provide the security it claims to. But there are still a bunch of stupid compliance rules that say you have to use EV.
TwoBigPrimes@reddit
Can you name those stupid compliance rules?
Ansible32@reddit
The rule is literally that you have to use an EV cert, and EV certs can't be automatically issued. I can't name the specific rules because they're specific but I think if you sell a web service to any financial institution they will require you use EV certificates to secure your ssl.
TwoBigPrimes@reddit
Oh - I totally agree EV is silly.
Im more interested in understanding what dishonest sales practices have been used to convince business leaders to believe commingling “validated” business registration/identity information is worthwhile in the context of establishing an encrypted connection to a server - and worse, mandating the use of that practice. Especially for internal servers.
A TLS certificate binds dnsName(s) to a public key, nothing more.
Ansible32@reddit
Financial institutions have layers upon layers of security requirements. EV certs do actually include insurance. I'm not sure that insurance could ever pay out, but it is there and for like a bank it's really kind of chump change in the grand scheme of all the weird layers of insurance and security requirements. It's not just sales, I mean alongside the EV requirement they will also usually require that you store your TLS keys in an HSM, which seems a little excessive to me but it does serve a purpose.
pixel_of_moral_decay@reddit
There’s no rule requiring device manufacturers to only ship with certain CA’s hardcoded in their firmware. And no rule allowing certain CA’s to pay for that placement instead of certain free ones.
Enterprise is shit.
isnotnick@reddit (OP)
Except the biggest CA is free. And Google offer free certs via GCP. And there's ZeroSSL, Buypass, SSL.com and more. Money isn't the motivation (Apple don't make money with this proposal anyway?!) - it's security.
AlsoInteresting@reddit
Oh come on. If you support a server app, you need to know at least how to change the cert and restart the entire app.
neoKushan@reddit
Shorter expiry times also means shorter revoke lists.
ProfessionalBee4758@reddit
revoke lists do not work
lucidrenegade@reddit
They work if they aren't ignored, which is really the problem here.
redwiresystems@reddit
Its less the list length its more the unspoken issue that the majority of vendors don't actually check for revocations but they do check for expiration's.
cloudreflex@reddit
This should be a bigger point. CRLs are my least favorite part of PKI administration.
TunedDownGuitar@reddit
I mentioned this in another comment, but I get the feeling they are stepping on the gas because of the DigiCert incident in July.
tkwillz@reddit
Or the larger Entrust issue: https://security.googleblog.com/2024/06/sustaining-digital-certificate-security.html
TunedDownGuitar@reddit
Thank you for this, I wasn't aware of the breadth of this one.
wholeblackpeppercorn@reddit
Surely it's more likely due to the entrust situation. I can't imagine they're stepping in because digicert forgot to add underscores to DNS records...
blbd@reddit
That was an unnecessary CAB Forum inflicted fire drill that did not actually impact anything besides screwing users to enforce an arbitrary edge case requirement. It should not even be allowed to call it an incident.
MelonOfFury@reddit
I mean technically google was pushing for 90 day certs by this time so I’m not surprised either way
yasire@reddit
It’s preparation for quantum computing which is getting closer to being a reality. It’ll be able to break encryption in a relatively short time. 45 day ssl certs is one way to reduce that risk.
andrea_ci@reddit
anyone with access to quantum computing, today, will have no problem in cracking that specific certificate in hours - days.
if you're actually a target for that kind of attack, set your certificates expiration at 3 days. but that won't be a widespreaded requirement for decades.
drunkcowofdeath@reddit
Hell if we are automating this to prevent key cracking do it hourly. What difference does it make at this point?
Dday82@reddit
Next step is crypto encryption with algorithm update schedules.
Rare-Page4407@reddit
tz/time skew before NTP fixes the clocks
Ansible32@reddit
Current quantum computers are utterly useless, and I would actually be surprised if there's a quantum computer that can crack a modern cert in less than a month. Maybe someday, but it's not something that urgent to worry about, and it might never happen.
narcissisadmin@reddit
Are there even quantum computers that can crack encryption at all?
Ansible32@reddit
No. What I meant to say is I will actually be a little surprised if anyone ever creates a quantum computer that can crack an 1024-bit RSA key, and I don't expect it to happen in the next 10 years in any event.
andrea_ci@reddit
as Proofs of Concepts, they can. In real life? meh...
but the companies that actually have access to those, have no problems using other means to do that
Ansible32@reddit
The other means do not involve cracking keys. They just steal the keys which is why rotation is a useful thing to do, and worrying about improving the encryption is not.
There's no proof of concept for breaking any keys made with halfway decent crypto in the past 10 years. There probably won't be any such proof of concept for at least 10 years, not if you're following current best practices. If there is it won't be because of quantum computers.
andrea_ci@reddit
http://cjc.ict.ac.cn/online/onlinepaper/wc-202458160402.pdf
Only 22 bits, for now
CatDiaspora@reddit
A PDF provided by a .cn server? Nope.
narcissisadmin@reddit
Always always paste those links into https://archive.today
Last archived 20 hours ago: https://archive.today/Elyx8
andrea_ci@reddit
That's a pretty famous Chinese university...
CatDiaspora@reddit
I'm a pretty famous guy...
narcissisadmin@reddit
That's an interesting theory.
I wonder which will happen first...full scale quantum computing or a breakthrough in mathematics to quickly factor primes.
ACEDT@reddit
But isn't it a better idea to just use something like SHAKE? Computers will always get faster, and once quantum computers are practical they'll just get faster too. There's no real advantage to rotating certs more often when it's a solved problem cryptographically.
mobani@reddit
You still have to be able to hijack the traffic. Doesn't matter if I have a quantum computer at home, if i cannot get a copy of your traffic.
MrShlash@reddit
Isn’t traffic encrypted with a symmetric session key that is generated during the TLS handshake? How would that be useful in cracking the certificate?
mobani@reddit
At the moment a quantum algorithm, (can't remember its name) can reduce the security level of symmetric key encryption by half. For example, AES-128 would have its security reduced to an effective key size of 64 bits, making it vulnerable to brute-force attacks. Still AES-256 is hard, but it's a matter of time.
Issuing shorter lived certificates like 45 days, is the quivalent of pissing your pants to keep warm. The industry needs to implement better encryption standards instead of this foolish attempt to solve a problem.
MrShlash@reddit
Right but even then, capturing encrypted traffic is a threat to the symmetric key not the certificate.
mobani@reddit
Yes, that is correct.
PlannedObsolescence_@reddit
Just keep in mind, there are an incredible number of hops your traffic goes through - any of which can get a fully copy of the (encrypted) packets.
Every ISP has the ability to perform traffic mirroring, and basically every law enforcement agency has the power to instruct an ISP to mirror traffic for them.
For example here's a 'Coffee shop' scenario. Any of these can see the traffic: Anyone nearby in the coffee shop with an SDR (of course, quite targeted). The coffee shop wireless vendor. The coffee shop ISP. Any other peering ISPs between the coffee shop ISP and the destination ISP for the website. The website's ISP. The website.
Our best way of protecting against this is encryption in transit.
mobani@reddit
It's always a risk assessment, and for normal day-to-day use in a coffee shop, you would not win anything by using a 45 day SSL cert.
If you are working with highly confidential stuff, then first of all, you should not be connecting from a coffe shop, also it should not be accessed over a public exposed webservice.
pimflapvoratio@reddit
Is this going to regen the key pairs as part of the process? Just renewing the cert doesn’t buy you any protection otherwise.
PlannedObsolescence_@reddit
I believe all automated certificate renewal (eg ACME) never re-uses key material
durkzilla@reddit
Former Venafi guy here - recommendation is to always use new key material, but you can choose to re-use. Re-using private keys is considered to be acceptable if and only if you are storing that private key in an HSM.
Avamander@reddit
Heavily depends on the implementation. It's not forbidden to re-use the private key, it's just the certificate that expires.
pimflapvoratio@reddit
Thanks. I need to dig more into automation. I’m managing way too many certs by hand.
Brufar_308@reddit
A decent place to start. https://letsencrypt.org/docs/client-options/
ProfessionalWorkAcct@reddit
lol@quantum for reasoning
lightmatter501@reddit
Go look at IBM’s quantum roadmap. They already let you buy a system which totally invalidates DES.
slippery@reddit
In January 1999, distributed.net and the Electronic Frontier Foundation collaborated to publicly break a DES key in 22 hours and 15 minutes. ZERO quantum computing.
I can't think of one notable thing quantum computing has done yet.
billyalt@reddit
This is actually so hilarious I have to wonder if they forgot the /s
jgmachine@reddit
It’s actually not so far fetched. https://youtu.be/1_gJp2uAjO0?si=ToU0sAi7tNAxxSfp
Avamander@reddit
No, for those scenarios we have SHAKE and ML-KEM. Nobody is expecting RSA or EcDSA/EdDSA to be broken any time really soon.
Reducing certificate lifetime helps against certificate mismanagement. Lack of automation is a type of mismanagement.
0xmerp@reddit
An attacker with a quantum computer could just target the intermediates/roots instead, which change far less frequently.
TrueStoriesIpromise@reddit
The intermediate/root certificates only certify that the client certificate was issued by that intermediate/root.
In order to decrypt traffic on the fly, your quantum computer needs to break the server certificate.
0xmerp@reddit
If you could break the intermediate or root certificate, you could just forge your own server certificate and MITM the connection by decrypting it and then re-encrypting it with your forged server certificate.
TrueStoriesIpromise@reddit
Which helps IF you can be MitM. If you can only capture packets, then it's not helpful.
0xmerp@reddit
I assume if you have a quantum computer capable of breaking 2048+ bit RSA or 256 bit EC you’re a state level entity and setting up a MITM is the easy part ;)
Also if you have captured packets, you can also just save them until you break the key. That’s what the government does right now — the keys can’t be broken today, but in 30 years, maybe…
spokale@reddit
No modern cipher suite actually encrypts the transit with the certificate, instead ephemeral keys are generated through some sort of handshake like DH and then a symmetric session key is shared through that and used going forward. Certs are just used for identity validation nowadays.
itguy9013@reddit
Quantum is a long term threat I agree, but simply rotating keys (which is in effect what this is) does nothing to mitigate it.
This is a cash grab by the CA/B, pure and simple.
Avamander@reddit
No, ML-KEM and SHAKE (and similar) are a solution against quantum computing related threats. Shorter lifetimes are not addressing cryptographic issues. It's basically all about mismanagement - theft, misissuance, poor automation.
Appoxo@reddit
DOesnt matter. Save the data for cracking later. Now what? Ask the adversary every 30 days to delete your unrequested backups? /s
Tai9ch@reddit
No.
That's just a demonstration of mathematical incompetence that should get anyone who suggests it removed from these committees.
Nobody's going to burn months worth of prototype quantum computer attacking minor targets that care about these guidelines. When it matters, the attack will take hours or days.
Nik_Tesla@reddit
We finally made it so passwords are required to be changed every 60 days, and not we're gonna make certs expire even more frequently than that?
egotrip21@reddit
This is not my pool to swim in so please nobody take this seriously but I was wondering if maybe its a form of CYA for the issuing company? So bear with me but in the banking sector you are not supposed to do things that aid criminal enterprises, but every couple of years it comes out that a big bank is being penalized (usually to the tune of cents on the dollars of their profit) because they were "unknowingly" working with organized crime. So is it because the issuing companies didnt do their due diligence and issued a cert to a bad actor?
bushmaster2000@reddit
This renewal stuff needs to have automation i don't have time to refresh certs on a monthly basis. Security and Convenience are opposite sides of a seesaw, you need to balance. 45 days is too much inconvenience and i dont' believe it really improves security in any significant way.
No_Extension1983@reddit
This is bullshit.
No-Honey8906@reddit
Looks like we all need to start setting up eMudhra accounts XD
SoonerMedic72@reddit
This sounds terrible. We have many systems that have their own certificate utilities that can't be automated. One of them also breaks a part of the application when you use it and you have to reinstall that part of it after running the certificate utility. We would have to hire an entire new person just to manage certificates if it was down to 45 days.
N10do64@reddit
Sounds like you have a crappy system that should be fixed by the vendor.
Now they’ve got a reason to fix it.
And if the vendor doesn’t exist or not support it anymore, then why is it getting a public WebPKI cert
SoonerMedic72@reddit
This is funny. When you are the 3 biggest tech companies in a "not allowed to fail" sector, you don't care about rules or customer needs. You just tell them that sounds like a professional services request and give a quote that you know they can't afford.
plupien@reddit
Ugh... We need more built in ACME with Paid options. Free certs don't fly at many organizations.
durkzilla@reddit
Venafi can provide ACME enrollment of certificates from the CA of your choosing.
Disclaimer: former Venafi employee
plupien@reddit
Yes, but on Firewalls, VPN devices etc.
durkzilla@reddit
The client needs to support ACME. If it doesn't, Venafi can serve up certificates using SCEP, NDES, EST, or the device's own API if the manufacturer had the foresight to include certificate management in their API.
Mike22april@reddit
So uhm, how exactly is SCEP different from NDES? And which network devices obtain server certs using EST protocol?
durkzilla@reddit
SCEP is Cisco, NDES is Microsoft. Some minor differences in authentication methods.
EST adoption is slow, but it does exist. Vendors do no work without corresponding business to support it - discussions like this one should encourage admins to ask their vendors to support modern standards for managing security.
Lack of automation standards is a big contributor to why the shorter validity period discussion raises so much ire.
Mike22april@reddit
At what cost?
durkzilla@reddit
Talk to your Venafi rep - the platform is licensed based on the number of certificates under management, not by protocols supported.
isnotnick@reddit (OP)
Interesting - free/LE works wonderfully, so what's the rationale behind free certs not being suitable? (Genuinely asking).
plupien@reddit
Free/Open Source just doesn't fly where I work. No technical reason.
kevin_k@reddit
Why? Has there been a flood of exploits of cracked cert keys?
syncsynchalt@reddit
Because every other day the CAs add another entry to bugzilla about how they missed a revocation deadline because their Very Important Customers say they can’t possibly replace their certs in less than three months.
The people of this sub caused this situation by not automating their cert handling, and the proof is this thread.
kevin_k@reddit
Asking what it buys and asking about other ways to strengthen certs isn't automatically "whining", and there's a not-insignificant number of implementations that can't be automated
danekan@reddit
Realistically there probably will be in the next two years
kevin_k@reddit
What will make them more common in two years? Computing power? Why not just require stronger keys?
danekan@reddit
Why not both though?
kevin_k@reddit
because 45 days?!
danekan@reddit
If processes are done right it could be 5 hours and not be an issue. That's kind of the point. People NEED a kick in the ass to fix their process first.
kevin_k@reddit
... but they're not always done right, are they? The more frequently certs need to be replaced, the greater the likelihood that something - even something out of our hands - will fail, bringing potential critical communications down.
gsmitheidw1@reddit
It's a game of cat and mouse of Moores law style gains in compute for hackers versus stronger encryption.
Bigger keys means more data per transaction which means more latency and slower websites etc.
Maybe things like elliptical curve can lead to smaller keys. But I think SSL needs to be replaced entirely with something else. The fundamental design needs to improve.
kevin_k@reddit
I still haven't heard of any instances of commercial SSL certs being broken.
gsmitheidw1@reddit
No, that would be front page news if it was a big thing.
Design needs to change because it's fiddly and time consuming. Man in the middle attacks are not as much of an issue anymore. The weak points are the clients and the services ends.
Everything is switched networks now. It's not as easy to sniff traffic as it used to be. Nobody running web proxies etc anymore.
I'm not saying we should go back to plain text, but the game has moved on.
fudgemeister@reddit
I'm still fighting to get certs in place at all. If this passes, that just means I'll be fighting expired certs and no certs. I run into enough cases where I get calls because the end customer forgot about a cert...
Apple has been doing its absolute best to make me hate everything about them. The ARP change was one thing but this is just a wild grab. Google too if they're pushing it.
dustojnikhummer@reddit
So 60 minute certificates by 2035?
_BoNgRiPPeR_420@reddit
Don't joke, this is already a thing with Intune and Microsoft AlwaysOn VPN. Mind you, not public certs, but it issues your PC a 1-hour cert for login purposes.
Resident-Artichoke85@reddit
Just make them 48 hours. It all needs to be automated anyway.
Mediocre-Ad-6847@reddit
I hate to push any specific product. There are Certificate Lifecycle Management COTS products out there that will automate just about any webhost platform for certificate rotations.
I've spent nearly 10 years working with one of the most expensive/highest-rated ones. It will be a royal pain to get set up, but I'm looking forward to the challenge.
jmbwell@reddit
By 2027 this should really be a non issue in production
NetSchizo@reddit
What exactly is the goal here? This sounds like its just going to add more load and complication to systems providing the certs. To what end? What is the goal/purpose? Is jacking certs that big of a problem?
ExcitingTabletop@reddit
Money for CA's. For Google and Apple, it's more that they don't give a shit how much external burden they impose.
0xmerp@reddit
My Let’s Encrypt certificates are free. Even the paid certificates generally don’t charge extra for renewing the certificate within your validity period.
It’s probably just trying to incentivize automating renewals.
ExcitingTabletop@reddit
It does not always cover the requirements for devices.
And the devices that don't support ACME already don't care. It's not going to incentivize them.
0xmerp@reddit
CAs don’t make money off of that. Also legacy devices probably shouldn’t be directly exposed to the public internet anyways. You only really need a publicly trusted certificate for a service that will be exposed on the public internet.
ExcitingTabletop@reddit
Sigh. Yes, CA's tend to charge for certs. No, they don't currently charge for re-issue during the year long period.
I see you don't work with legacy devices or industrial equipment. We don't expose to the general public internet. But we don't run our own fiber from our plant to Germany or Japan either. We whitelist who can access what, and further secure it. Including with things like... certs.
And lastly no, some of us need to encrypt traffic between the server and client even locally. Yes, you can do self-signed local CA, if the equipment supports it. Which it doesn't always.
0xmerp@reddit
I still don’t understand why you wouldn’t just use Let’s Encrypt if you absolutely needed a publicly trusted certificate for some reason. It’s possible to use the ACME client without it automatically installing the certificate for you. The expensive certificate you buy from a commercial CA will have to be replaced every 45 days too. The only difference is one is free and one is not.
We generally have a VPN for the use case you described, it is not just exposed to the public internet, and we don’t want random stranger from outside of our company connecting to the control interfaces of our equipment. If your business own all of the endpoints that might connect to this industrial equipment, you should be able to install both a VPN client and your own root certificate.
ExcitingTabletop@reddit
Because 1) Let's Encrypt doesn't or at least didn't support the cert requirements we needed at the time, 2) the equipment often doesn't support ACME , 3) the equipment doesn't always let you add your own local CA and 4) we don't get to dictate remote access to our vendors.
We're not stupid, you know. I'm not sure if that's what you're intending to imply, but that is how it is coming across.
You should consider that it's possible that industrial automation IT is often both competent and faced with real world limitations.
Often, the equipment is built by a very narrow number of companies. You don't dictate terms to them anymore than you do to Microsoft or Apple. And it's what the business needs to make widgets, that's what we have to buy.
0xmerp@reddit
The equipment doesn’t have to support ACME for to use Let’s Encrypt, and the equipment doesn’t have to trust the local CA, just the client. Unless your equipment somehow will only let you install certificates from a hardcoded list of CAs? What do you do if the CA ever changes the root it signs your certificate to a newer one?
As far as dictating remote access… does it somehow only work if it’s assigned its own public IP address?
Not trying to imply anything! It’s just an odd set of requirements, I just found it interesting.
ExcitingTabletop@reddit
I'm giving up, as it's obvious it's like talking to a brick wall.
Yes, that is exactly the case, it has a limited number of trusted CA's. Which is true of every application. But in this case, do you think we'd include say, Iranian SSL cert providers as trusted CA's?
You're also assuming that the insurance companies, auditors, etc will allow Let's Encrypt, which is not always the case. Issue isn't money, issue is not turning a square kilometer into a large crater while keeping production running. Yes, other providers offer ACME as well, and I used plenty of them.
Everything I described is NOT an odd set of requirements. It's an exceptionally common set of requirements. Just not for office with the most complicated piece of equipment is a copier. Which also don't tend to support ACME.
mrmacedonian@reddit
The thread is fairly long so apologies if skimming through it and missed this, but why not put a reverse proxy slash simple SSL termination in front of these appliances. One per facility should be sufficient, and you can keep whatever duration certificates between the appliance itself and this termination server.
Then, you can automate a nightly certificate renewal on the termination server if you wanted, and your internal communications would be handled by your 1yr from appliance-accepted CAs/Vendors.
No malice or attempt to be a brick, just wondering why putting something in front of limited/outdated equipment isn't the obvious answer, since it has been for anything 'legacy' I've had to deal with.
p.s. Also, sadly yes, I've dealt with a lot of insurance companies telling my clients they need to access their shit through IE as recently as like 2015/2016... when they couldn't play that game they made then RDE into an interval server running IE >_< it's shameful the 'exceptionally common' practices I come across.
ExcitingTabletop@reddit
That was old job. But we did essentially that for some stuff. For other stuff, we had to comply with the manufacturer's system.
Basically so that we could sue them if they fucked up or killed anyone. To put in perspective, if the equipment seriously went bad, it could kill a couple hundred folks. I did the math on the potential damage, and it was ugly. The only saving grace is we built the facilities specifically away from populations.
The highest priority was making sure that didn't happen, at least IT wise. Next was making sure if it did happen, it wasn't our fault. And making sure we could sue the vendor to recover. The prices they charged us reflected that liability. So making sure the vendor could see the equipment and had perfect access in the manner they demanded was a high priority. And then we had to build our security onion around that. Whitelisting, SD-WAN, MFA, etc etc.
mrmacedonian@reddit
So I've never dealt with anything that could directly cause any harm to life. Certainly delay/loss of service can cause harm, esp. w/ healthcare clients, but nothing like you're talking about.
I did have a situation where I had to integrate a vendor that similarly needed a high degree of access into their equipment and it was a liability issue for the client. The client's use was physical/local control and some through vendor's servers anyway, so my recommendation to put them on their own WAN and enough firewall to limit access into the appliance from an IP range and port list, and lock down everything else. I would have preferred they VPN in, but they were unable to make that happen on their end.
It provided the vendor all the access and control over it, without adding any complexity or potential vulnerability to the client's LAN. There was some hardware cost and monthly service, but well worth it to this security minded client.
isnotnick@reddit (OP)
These are the kind of uses cases this change is (intentionally) trying to weed out and off of publicly-trusted certificates. As the other poster said, systems shouldn't be using public certs. I get they might not be 'supporting' it, but when you mention a 'limited number of trusted CAs' - that's now a bigger problem. Root stores are changing fast now, with roots likely to be cycling more often and older roots being deprecated. If these devices don't allow those stores to be updated or have private roots included, they'll find they can't get even 'publicly trusted' certificates anymore.
Side-issue, too, but if there's kind of crater-causing or life-risking things at play, most of the CAs have that carved out as a 'do not do this' in their CP/CPS and contracts. I hope there's some exaggeration here!
0xmerp@reddit
Feels like there’s some degree of “it’s always been done that way” and people in that situation might be resistant to change (which I guess is reasonable… no one wants to be responsible for changing a process, and now it doesn’t work…) unless forced to change.
isnotnick@reddit (OP)
Exactly. This is the process that forces that change, given no-one wants to voluntarily move to better, safer solutions. Stick vs carrot.
ExcitingTabletop@reddit
Not really. Basically imagine large natural gas pipes. And a building that is a hundred thousand square feet. Turn off burners, turn on natural gas, wait X, turn on burner. You want 10:1 natural gas, so call it 9,100 cubic feet of gas. At 3.9 million joules per cubic foot, that's 35.5 billion joules. Divided by 4000 to convert to TNT equiv in grams, and divide by 1000 to make a kilo. That's 8,872.5 kilos of TNT equivalent.
While not the hair raising number of a fertilizer plant energy potential, that's still not good.
I concur, certs are a shit show as a tech. But it's what we have, so we have to make the best of what we do have.
isnotnick@reddit (OP)
Jesus. None of that should be anywhere near the web PKI. I can but hope these changes force these things to change and use appropriate technology.
0xmerp@reddit
I haven’t called you an idiot once. That was you who kept saying that. I can’t do anything about your own insecurities. ¯\_(ツ)_/¯
khobbits@reddit
I'm pretty sure it's the opposite.
It's making most CA's redundant.
The CAs that are built around automation like letsencrypt are free.
This should be one more death knell for those shitty companies that sell certificates for hundreds or thousands of currency and provide no value, and mostly make their money from confusing people into buying a product that has been free for years.
narcissisadmin@reddit
Namecheap has them cheap and they're still ridiculously costly if you know the first thing about openssl.
Delyzr@reddit
How ? We currently buy our certs in 5 year contracts and we renew 'free' every year (automated through acme). The renewal is included in the contract. Even if we have to renew every 30 days it won't cost us anything more.
Cyber_Faustao@reddit
The goal I believe is forcing everybody to automate certs, which is basically the correct way of doing this, everything else kinda sucks.
boli99@reddit
shush. dont ask questions. just keep feeding the giant megacorps, and make sure that you use only sanctioned certificate authorities for your systems.
everything will be fine.
look. squirrels!
TechIncarnate4@reddit
I can only assume it is because certificate revocation checks are a joke. At least if the certificate has expired people will see an error. I suppose it is so that stolen or revoked certificates aren't in place very long.
oldRedditorNewAccnt@reddit
A lot of vendors charge for this. The motivation is money. It's always money.
anna_lynn_fection@reddit
Sure. Stop recommending the stupid password expires, but lets put one on certs.
FostWare@reddit
I work with multi-layered organisations and it’s hard enough to get people to organise their own certs to pass back up the hierarchy to the central reverse proxy. Meanwhile the users of the service blame our devices for the cert outage, despite the fact that a) we don’t have DNS access to clients (nor should we) and b) the upstream reverse proxy is already doing LE so HTTPS is out of the question.
Yes we run Ansible and LE (or AWS/ACM/R53/CDK for hosted)
PlannedObsolescence_@reddit
You might find this reply useful.
TL;DR: many NGFW vendors support ACME, but you don't even need a public cert as you control all the end-user machines anyway.
FostWare@reddit
I know you can automate NGFW (even Palo) with Ansible, you can push device certs from an internal CA and MDM, and that certificates are not that difficult, but given some of the third-party situations I've dealt with this is above their mental faculties.
Luckily I'm dealing with the on-prem a lot less these days
Longjumping_Gap_9325@reddit
Dang, I thought Googles 90 push was going to be rough
The DCV part is the worst. The cert life time dropping wouldn't be so bad but the DCVs? That's going to be beyond a pain in the ass
When do we get to the point the Roots and intermediates are only valid for 90 days because hey, if they're compromised we're all screwed, right?
isnotnick@reddit (OP)
Roots and intermediates are dropping in duration, yes - not quite that low, though. Users should never expect roots or ICAs to remain the same, they should simply expect a trusted cert. Of course software will need to keep up to date with a trusted root store, which doesn’t happen in some places.
DCV is a pain - time to get a DNS provider with better automation.
goferking@reddit
Hopefully OS and devices will let us be able to update them.
Speaking of that still angry at Samsung for not including the cert used by incommon/eduroam.
lywyu@reddit
Make them last 24 hours. Because why not? /s
goferking@reddit
I liked the person suggesting a femtosecond
isnotnick@reddit (OP)
I know there's the '/s' in there, but the honest answer is...they can be, and in some cases...are. But for most use-cases that involve consumers and browsers, clock-skew is still a thing.
dustojnikhummer@reddit
I wonder if LetsEncrypt would complain about much increased demand. Those certificates cost a few cent to issue.
dustojnikhummer@reddit
24 hours? Hah! 10 minutes!!
Tau-is-2Pi@reddit
10 minutes? 1 new cert per request!!!!
This_guy_works@reddit
Hey how about we find an alternate to certificates?
Steve----O@reddit
And automation will increase security? No. It’s the opposite.
Acheronian_Rose@reddit
This is fucking stupid, all this is going to be is a huge PITA for sysadmins
HorrimCarabal@reddit
No kidding. Love the ‘just use automation’ answer except when you are 1 IT guy supporting 100’s of users and dozens of servers.
amsams@reddit
Some of the comments here are the exact reason why long-lived certificates are a terrible idea.
I know there's always edge cases, but if you need a publicly-trusted certificate for something either automate it or offload your TLS termination to something you can automate.
r3setbutton@reddit
Look, not everybody works somewhere that's managed by functioning adults.
rybl@reddit
People keep bringing up IIS, which is valid, but at least there are 3rd party work arounds. I'm trying to figure out what we would do with all of our physical network devices that don't support ACME.
Ludwig234@reddit
FYI: This doesn't affect internal PKIs.
sparky8251@reddit
Sure, but what about network load balancers that have to have the public certs for the sites they are balancing? Got almost a hundred different certs I have to manage over the course of a year backed by such things. Also have about a 1/10th of them being domains I dont own (and therefore cannot automate) and the client gives us the new cert manually annually...
ThatGuyMike4891@reddit
Cool. Can't wait to spend my entire day fixing certs on all our non-automatable business-critical systems every 45 days.
stormcynk@reddit
Should be good business justification to start automating them if this passes...
ThatGuyMike4891@reddit
If they were automatable I would have already done so.
circling@reddit
If you think something is un-automatable, you're not trying hard enough.
ThatGuyMike4891@reddit
Ok. Example. Our wireless enrollment system. A linux black-box. No shell SSH access. The only way to import our wildcard certificate is via a web interface. Asked the vendor. Literally, login, navigate to import, click upload, click import. Where exactly can I automate this process? I don't get shell access. I don't get SSH access. The web interface does not allow me to do anything other than upload a DER encoded certificate.
Please enlighten me on how I can automate a process that has no room for automation and no access to the system.
circling@reddit
Firstly, if you have physical access to the device, you can get root and enable ssh.
If you don't want to do that for whatever reason, then you can use something like Power Automate or Playwright to automate webpage interactions.
jaymz668@reddit
OK, so this is where it breaks right here. Nope, no access to the device or software
circling@reddit
That's cool, you can move to the second line – they're independent options!
Also, you're not the same account, which is weird.
jaymz668@reddit
Nope, different account. And the second line doesn't help either, as we also don't have access to the administrative systems. A 3rd party manages the sites while we manage the certs
circling@reddit
Oh that's even better then, because it's not your problem! Automate the cert creation and wipe your hands of it.
dustojnikhummer@reddit
And break a) warranty b) contract
What if the device is a loaner?
meditonsin@reddit
Probably don't even need to mess around with webpage interactions. Just hit F12 and look at the payload and response for login and cert upload, then write a script that mimics those. That'd be like 10 lines or whatever in Python, probably.
_IBlameYourMother_@reddit
Yeah, that's gonna work great with webpages behind sso with 2nd factor.
meditonsin@reddit
There's obviously cases where this is not the easier route. Doesn't mean it's never.
Avamander@reddit
It's very likely doable with just a few "Copy as cURL" clicks in developer tools (minimum just one for the login, one for the certificate upload).
Then you paste that into cURL-to-your-favourite-language converter, boom you've got a script that uploads the certificate. Now you just have to do the challenge automatically and that's it.
spanhol90@reddit
I really thought you were giving an example of how you tried harder and used puppeteer or selenium to automate it. It's like 30 minutes of coding, and I'm sure that web interface is not changing for another 10 years.
Fridge-Largemeat@reddit
I mean I have a Mitel phone system that we can't get to work with LetsEncrypt automation and the vendor who supports it couldn't give me a straight answer ether. It fails on the DNS validation. I did everything I could think of short of breaking things and the vendor didn't have any answers.
ITaggie@reddit
As in the ACME DNS challenge, or the phone system can't validate its own DNS?
Fridge-Largemeat@reddit
I'm sorry I lied, it's doing HTTP validation
Something on the different controllers, one was always unable to validate.
ITaggie@reddit
Usually that's due to security settings not allowing the cert provider to read the data in the /.well-known/acme-challenge/ directory, or if you're running the web server on any ports besides 80 and 443. You could always try the DNS validation, it's much easier and more consistent to automate as long as your DNS provider allows for API access and works for probably 80% of enterprise use cases.
Fridge-Largemeat@reddit
Unfortunately it's kinda locked behind a GUI and I can only do HTTP. Maybe you're right about the security though, it's Mitel.
isnotnick@reddit (OP)
The other thing might be to look at if it needs a publicly-trusted certificate at all. These changes will weed out places where regular old public 'SSL' has just been used for convenience for years rather than a better solution. If it's not browsers from unmanaged devices hitting the thing, then it's not likely to need a public certificate.
ThatGuyMike4891@reddit
So credentials should be sent plaintext to authenticate. No SSL = No Encrypted Communication of Credentials.
TheFumingatzor@reddit
If it can be done.
ThatGuyMike4891@reddit
Thanks. I'm truly appreciating all these other comments from people who seem to think that just because all their systems can be automated that means that if I am unable to automate it I must either be lazy or incompetent.
I don't get to make the business decisions as to what systems we use. I do, however, have to keep them working. So all these people making it out to be no big deal are truly pissing me off. This is going to be a lot of work for literally 0 benefit.
jaymz668@reddit
Hell, we have vendor systems we do not control, but they insist that we supply them the cert to host a website someone is marketing has contracted with them to host. They send us a CSR that we then input into our SSL platform and then we send them the cert back
Sure, it might be automatable, but that would require we punch a hole in the our firewall somehow to allow them to request certs automatically. Assuming they know how
zz9plural@reddit
I'll switch those over to an internal CA.
Might be tempted to do the same for automatable systems just for the sake of not having to support and document two processes.
ThatGuyMike4891@reddit
No non-trivial way to get non-organizationally owned devices (BYOD) an internal CA root certificate so that those sites are trusted.
There's no one-size fits all situation here, sadly.
zz9plural@reddit
Fortunately, we don't do BYOD. And I'm very glad that I never even had to advocate against it.
ThatGuyMike4891@reddit
I would die a happy man if I could get rid of BYOD.
YKINMKBYKIOK@reddit
Companies with unlimited funds that can afford unlimited labor demanding small companies spend the same money.
SenTedStevens@reddit
Hell, Microsoft and Apple can't even keep their certs from expiring. How's an SMB or even large enterprise going to handle it?
neoKushan@reddit
I manage to keep my certs from expiring in my homelab, I dare say if I can manage it then so can a large enterprise with far more resources.
Automation is the key.
jaymz668@reddit
You mean your homelab where you can tolerate downtime and restarts whenever you feel like it and probably don't have to migrate the solution through many tiers of deployment and also don't rely on third party vendors to also integrate the certs you generate?
neoKushan@reddit
My certs renew without downtime. I'm not saying that Enterprises don't have additional concerns, but cert automation has been a solved problem for nearly a decade now, there's no excuse to still be doing it manually.
Go complain to your vendor about their shitty support.
jaymz668@reddit
A restart is downtime.
neoKushan@reddit
I never claimed otherwise?
TunedDownGuitar@reddit
Except these large enterprises keep laying off the people who know what the fuck they are doing every year. Then they have major incidents, the new team learns what the fuck to do, then they lay that fucking team off too.
I see plenty of good reasons for this, but the skeptic in me says it's a cash grab to force more control over your environment, or to force you into their environment.
neoKushan@reddit
Who is "they" in this case?
TunedDownGuitar@reddit
Google, Microsoft, Amazon. Take your pick.
neoKushan@reddit
But they aren't the only cert providers out there. There's several free providers now, it can all (mostly) be automated. There really isn't an excuse and Google/Microsoft/Amazon doesn't benefit any more or less than anyone else with this.
TunedDownGuitar@reddit
You are right, I do agree, but many of those certificate providers are reliant upon upstream CAs for their keys, which they then use to sign certs for customers. In the case of DigiCert's incident the heat was put on them by Google. From what I recall, Google threatened to distrust all DigiCert certificates if they didn't perform revocation per their binding rules.
The only reason they didn't hit the 72 hour mark is a lawsuit and federal injunction blocked them. The Bugzilla threads are good reading if you have interest.
khobbits@reddit
The point is that it will encourage everyone to use automation. From IT teams to software vendors.
Once it's automated, there is increased security, and less vendor faff.
Assuming the end vendor supports it, most certificates can be renewed with zero effort, a set up once and forget style affair.
I bought a QNAP a year ago, and it ships with an app that can renew a letsencrypt certificate every 30 days or so, for free. I think most large CMS providers have similar plugins. I'm pretty sure things like self hosted wordpress can auto renew.
For all my public facing websites in a cloud provider, that's handled automatically, by the cloud provider on the load balancer level.
For websites we host in the datacenter, but have public URLS, those just have certbot installed, which handles it.
For websites we host locally with no public URL, certbot can do the same but use DNS validation instead. Takes a bit more setup, but is still possible. (I prefer to generate the certificates on a central server, and scp them, rather than have the dns provider creds accessible to each server)
SenTedStevens@reddit
That is a very large assumption. I've dealt with websites, applications, security appliances and what-not and there is no standardized way to even import a cert plus CA path. Now, if the world agrees on a way to do this, great. However, there are and will be systems that cannot do this (think air gapped/secured/federal/certain financial systems/etc.). Requiring certs to renew every 45 days is a massive burden.
khobbits@reddit
That's the point I was making.
Right now, if the vendor supports it, it's easy.
So this is a push to make vendor's support it.
Avamander@reddit
Yeah, and this will be a really strong push towards getting those vendors to behave properly and not ship sh*t that is so tedious to update.
FenixSoars@reddit
Automation is the future.
Plisken_Snake@reddit
Idk people are making this an issue. You can automate now with almost no technical background. Digi and Sectigo have platforms to manage certs. Automation is supported by the endpoint and the platform performs the automation. If the endpoint doesn't support automation they'll patch it and add acme. Until than just get a platform. I use a platform and it couldn't be simpler.
MFKDGAF@reddit
Google has been trying to get certs to 90 days. I think 1 year is the perfect amount of time, especially for companies with small IT departments.
Any less than 1 year will be absurd. Companies will then need to start to hire people solely dedicated to renewing certificates.
TunedDownGuitar@reddit
Yep, Google has been the big proponent for this, and the DigiCert incident in July probably has a part to play here. Long story short - DigiCert sat on an issue with their domain certificate verification, then told clients affected they had 72hrs to revoke (per the binding rules of their parent CA), then got sued and was legally ordered to delay.
My gut says Google is using this as just cause to push for a shorter duration to force companies to invest in automation, which would be a good thing long term. My company was affected by the DigiCert issue, and we identified a lot of issues with how we did certificate management, which we'll be improving on.
Certificate duration should always be a balance. Some higher risk systems should have a 45 day rotation, and highly sensitive ones even more, but you should have a full automation process for automated cert management driving that. Most companies do not have this and will never have it.
The skeptic in me says it's a cash grab to force more shit into the cloud and lock you in to vendors that just want the line to go up.
HotTakes4HotCakes@reddit
It's both.
No one ever said legitimate security guidelines couldn't also be financially motivated.
TunedDownGuitar@reddit
This is a good point too, thanks for raising it. I agree, I have seen this with vendors countless times in the past, and it's always shaped in a "Look at how great this is for both of us! Now please accept this 30% OPEX increase!"
FenixSoars@reddit
You just automate the certificate renewal process via ACME/Certbot and some simple scripting with Ansible, puppet, etc.
This isn’t a staffing problem, it’s the industry moving more towards automation
MFKDGAF@reddit
Doesn't Ansible, puppet, Jenkins, etc. cost money?
FenixSoars@reddit
No.
arwinda@reddit
Or companies start automating the shit in the first place. Relaying on manual procedure is just another breaking point.
Haribo112@reddit
You can’t automate everything. Let’s Encrypt, sure, works fine. Getting an actual paid Sectigo cert? Nope. And don’t even get me started on customer that insist on supplying their own certificate. It requires us to generate the CSR (you know, don’t wanna be passing the private key around…), mail it to the customer, they mail us back some stupid pfx or p12 file that we then have to convert to crt and install on the correct webserver. I already hate doing that yearly, let alone every 45 days.
jaymz668@reddit
yep, we have a few third party vendors that send us CSRs then we request the cert thru our vendor, then we send them the cert. It's a slow process and every year the vendor has to relearn what they want from us
I_Never_Sleep_Ever@reddit
You should look at the latest integrations Sectigo has. I know you can at least use their APIs, we’re doing it for all of our apps running in kubernetes.
karudirth@reddit
I’ve had Sectigo automated for a long while using their Rest API. Albeit that is with cert-manager. not sure how you would do it if you needed to use their public front end and a credit card
Cyber_Faustao@reddit
Sounds like those Sectigo needs to invest in automation, how come free certs have automation and they don't?
X-Istence@reddit
Sounds like Sectigo needs to implement ACME.
Haribo112@reddit
That would be a dream.
X-Istence@reddit
https://www.sectigo.com/enterprise-solutions/certificate-manager/integrations-acme
bluehairminerboy@reddit
What's the difference between the LE cert and the Sectigo cert - other than one costs money?
Haribo112@reddit
None, nowadays. Yet some customers prefer it.
bluehairminerboy@reddit
There are commercial CAs that support ACME - but I would just "accidentally" install a LE cert and see if they notice...
Haribo112@reddit
Customers pay us extra for it, because of the added labor. So it would be unethical to not fulfill their wishes for an actual paid cert.
bluehairminerboy@reddit
If you're actually billing for the time and not the cert, that makes sense - at my place we've moved all the customers to an LE or GTS cert, and have had to decline a few customers from buying old GoDaddy certs since installing them is a pain we'd rather avoid
Avamander@reddit
Primitive approaches are labour-intensive, what else is new?
arwinda@reddit
Generate an API for that, authorize the endpoints and stop mailing certificates around.
1esproc@reddit
I operate systems that involve certificate exchanges with multiple partners with sign off procedures. These have coordinated turnover times and maintenance windows and are two way exchanges -we have theirs, they have ours. 45 days would be a fucking nightmare.
I'm tired of people in IT thinking SSL = website! It is not that simple.
Rare-Page4407@reddit
This is a browser forum requirement. It does not apply to anything not validated by browsers
PlannedObsolescence_@reddit
Is this a production/life-critical system with multiple organisations who interconnect and use TLS for encryption in transit? That's the kind of use that comes to mind with what you've described.
I don't mean to straw-man you if this is tangential to your actual use case, but I'm just going off the minimal context I have.
In that scenario, the public CA system isn't appropriate - instead the parties should be using a self-managed CA or a hosted PKI solution.
They could be issuing 5 year TLS certificates and trusting those specific certificates in each other's systems, then do standard change requests in maintenance windows for the manual rotation.
Or A's systems should trust B's CA and B's systems should trust A's CA (ideally specifcally an intermediary cert used for this project).
Or just use automated certificate renewal if they're going to be using the public CA system.
1esproc@reddit
Wouldn't call it life critical but yeah, it's B2B stuff. Unfortunately this thing is highly regulated and unless the government comes out and says we all need to start allowing and supporting private PKI, it'll never happen - though if this 45 day stuff comes to pass, maybe it would. There's no way things could continue as is, even at yearly renewals it's already obnoxious scheduling turnovers.
isnotnick@reddit (OP)
Yeh, this is where private PKI comes in. Sounds like your use-case really shouldn't be using publicly-trusted certs that are impacted here (note how Google and others call it the 'web PKI' - it's really nowadays for websites/services accessed by devices you don't control). If there's control over the endpoints as it seems to be in this case - it should be a private CA.
This change is also to force these kind of changes and make sure public certificates are used in the right places.
Ttylery@reddit
I have cert renewal automated on the application side. However the team that manages the certs refuses to let me automate cert renewal process itself. This means that I have to create a ticket to them telling them I want my cert renewed, wait about a day for them to look at it and renew, and then hope that they renew the correct one (theyve done it correctly once since Ive taken over this application), then they give me the cert which I drop into my automation script.
Maybe I can use this as a reason to let me take over my own cert and never have to deal with it again.
heapsp@reddit
please tell me how to do cert replacement on my tableau servers without bringing them down :P
arwinda@reddit
What is the uptime requirement you have there. 9 Nines, more? How much money are you spending on availability?
heapsp@reddit
It doesnt matter my only point is that there are applications which don't support ansible swapping a cert, especially enterprise BI tools which require thumbprints to be manually put into a portal or something like Tableau server which requires a downtime of 45 minutes per server when doing non multi-node deployments.
But the technical but non business minded folks will just scream, MAKE EVERYTHING REDUNDANT! Aka double or triple infrastructure costs is not a viable business solution for something simple like this.
Ok_Procedure_3604@reddit
Yeah, automating certificate renewal is the way. Automating renewal with SSRS is maddening though, since Microsoft decided not to use proper IIS, so you have to do a bunch of dumb trickery to get this to work. If that will work, most things will work.
Fatel28@reddit
Dumb trickery = some powershell?
spokale@reddit
I don't know about SSRS, but dumb trickery in SQL certificate binding is putting the cert thumbprint into the registry then restarting SQL.
Fatel28@reddit
spokale@reddit
I believe I tried that but it doesn't like when the cert subject doesn't match the actual name of the SQL server. So if the AD domain is a .local it becomes an issue. Might depend on the version of SQL servee though.
Fatel28@reddit
Did you add the additional name in the msdsadditionaldnsname attribute in aduc? If not yeah I bet it does complain
spokale@reddit
I can't actually find any documentation from Microsoft indicating that msds-additionaldnshostname affects whether SQL accepts a given certificate? I could try it and see what happens, I suppose.
Fatel28@reddit
It affects a lot of different things. If you're using a different hostname to access something I'd recommend adding that hostname to that attribute
Ok_Procedure_3604@reddit
Im fine with PS, I write a lot of it. This is dumb trickery by having to invoke netsh to delete certificate because the "normal" method that involves WMI doesn't remove anything now. The irony is the GUI method doesn't remove it either at this point.
chicaneuk@reddit
I wouldn't mind but that shit has been broken in SSRS now for at least 10 years.. and Microsoft still haven't fixed it.
techit21@reddit
Literally came here to say the same thing - we'd need to have a "Certificate Administrator" role created, and we don't even have the budget to hire another staffer right now in our already-spread-thin org.
sleepybeepyboy@reddit
This is what I was thinking. SSLs can be nuanced. What an annoying requirement if they’re trying to push less than a year. barf
zakabog@reddit
I've never had to manually renew a cert. I have monitoring that'll throw an alert if a cert will expire within the next thirty days but I've never had the alert go off.
MFKDGAF@reddit
Consider your self lucky.
I have systems that we can't automate certificate renewals.
SenTedStevens@reddit
Yep. For those PITA systems, we put in calendar events on the day they expire with a 1 month notice.
Jazzlike_Pride3099@reddit
And in some cases even have to rearrange the order inside the cer file 🤬🤬
Qel_Hoth@reddit
This is so damn annoying. Had one application that kept complaining that the chain was broken, but it kept working so we just ignored it. The same cert was used on a related server and it said the chain was fine. Then the developer updated their android app and it, but not the iOS app or any web browser, starting giving cert errors about the broken chain.
Finally figured out that this application wanted root>intermediate>server, not server>intermediate>root like literally every other cert I've ever touched.
Jazzlike_Pride3099@reddit
One of our things wants server-root-intermediate.... I guess they did their own webbserver inhouse and the devs had their own CA so they didn't have any intermediate. When reality hit them they didn't manage to implement any better
SenTedStevens@reddit
Now I'm getting PTSD flashbacks from a previous job. 🤬
Jazzlike_Pride3099@reddit
We still have a few of those "things" in place
techblackops@reddit
This right here. If everything standardized on one type of cert, or CA's would give you all the various forms of the cert that would be one thing. Most of my time on every renewal is spent in openssl trying to convert into multiple types for each one of the various formats I need it in for appliances that have to have it just so so. It's a huge pain in the ass. And I'm all for automating everywhere that I can but I'd say about half of the public certs in our environment I still haven't figured out a way to reliably automate.
And usually while I'm doing this I've got projects on pause, things needing fixing just on fire, and users waiting on me for whatever they happen to need that day. At 1 year it's already really difficult to knock out in a mid sized environment. To go to something as frequent as 45 days we would probably have to hire someone and that would be a primary part of their responsibilities. I don't want to do it. Cert renewals are a major pain in my ass.
MFKDGAF@reddit
Yup! Those systems are the bane of my existence.
zakabog@reddit
Do you update them through a web interface? If so, script that, call the same HTTP requests you would if you were manually doing the process through the web GUI.
jimicus@reddit
Tell me you’ve never seen how much effort some vendors go to to thwart automation attempts without telling me…
zakabog@reddit
Stop working with that vendor? Every vendor I've dealt with will generally work with me to figure out some way to do this if they don't already provide an API, or I just figure it out on my own
jrichey98@reddit
Most of our infrastructure is self-signed and doesn't connect to the internet. Getting a bunch of hosts and SAN certs updated every 45 days is not going to happen. Not that I'm too worried about it, as we'll just push a browser policy to make it not a problem.
It does kind of piss me off they're going for the cause more maintinence for people instead of just using larger keys or better encryption methods route.
Ansible32@reddit
All my internal infrastructure is self-signed with automated cert rotation. It's really trivial when you just build rotation in everywhere, it's more secure and it's great. If Google doesn't force the issue everyone will just go on like you. larger keys/better encryption is not a substitute for shorter expiry, in fact larger keys/better encryption probably doesn't improve security at all in most cases. Rotation does.
Avamander@reddit
Larger keys or "better encryption" (whatever that might be) does not help against the situations shorter lifetimes do. Even heavier cryptography won't fix your keys being stolen, it doesn't help against your poor renewal practices and it won't help against misissuance.
Ansible32@reddit
I was forced to integrate such a system, but I'm glad Google is pushing this; it will make those systems obsolete and officially insecure.
BoltActionRifleman@reddit
We do as well. If “they” force them to every 45 days vs. once a year I don’t know what we’ll do as it’s very time consuming.
ExcitingTabletop@reddit
If you only have systems that support ACME, it's a non-issue. For the majority of folks, there are a large number of devices that absolutely don't have ACME and probably never will.
danekan@reddit
Or they'll figure out that manually flipping certs is something you should not be doing and actually fix the problem.
Ok_Meet_2214@reddit
Or MS will add it to Windows for a few years, then deprecate it after 90% of IT shops adopt it
SwiftSloth1892@reddit
If we are going to require daily cert updates I think the pki industry as a whole needs an overhaul. I have a list of at least 10 different ways to install the same wildcard cert for different server uses. Not even going into device certs. Who do they expect has the time and expertise to keep these up to date? Most people I know have very little understanding of how to use a cert outside IIS.
isnotnick@reddit (OP)
Device certs aren’t affected. This is only for the web PKI - ie publicly-trusted certs for TLS (wherever you need a non-managed browser to hit the site). Other use cases should probably move to private CA alternatives.
SwiftSloth1892@reddit
you know what...you may have just given me an epiphany... why the hell am I matching my internal CA cert policies to public certificate standards? excuse me while i go re-write a few certificate templates. Feeling kinda dumb right now.
jaymz668@reddit
We can't even get our solution to support automated domain validation with our vendor. I don't believe we will be able to get cert automation going as well. This is gonna be a shit show
isnotnick@reddit (OP)
Vendor like the CA or vendor like whatever you’re putting the certs into?
jaymz668@reddit
The CA. They are now forcing us to validate our domain every year before they issue a cert, yet have no way to automate that
dnuohxof-1@reddit
What problem is this supposed to solve? 1.5 month expiration of certain is insane….. I’m not renewing 15 certs across my SMB org every 45 days… I can’t imagine a full on-prem enterprise with public CA certs….
Avamander@reddit
Yeah, it shouldn't be you, it should be your automation.
zz9plural@reddit
So many devices out there, where cert renewal can't be automated. Yes, replacements should have a criteria for cert renewal automation, but reality will fuck that in many cases.
Avamander@reddit
If it can be replaced by a human it can be replaced by a machine. Unless you've got captcha-protected admin interfaces?
admalledd@reddit
We've got some industrial-adjacent stuff that has to have certs to communicate back to the control systems, or to be polled by our inventory management stuff, etc. To update the certs on some of those machines means (1) bringing them down and (2) by-hand plugging in a programmer/flash drive. They aren't designed to be renewed like this frequently. For reasons we can't use our own CA.
We have already been considering various workarounds, and all of them in the end strip or reduce the useful security that could be there. One-year certs seemed fine enough, and just this is more frustration on my/our end of being punished for trying to have any security at all on these systems. We could far easier remove all auth/cert flows than dealing with trying to keep any semblance of security.
Avamander@reddit
Sounds like your problem is the poor policies that stop you from using an internal CA where you should be using one, not the wide internet trying to remedy a long-time lapse in handling revocation properly.
crackanape@reddit
Why are you manually installing certs? That's already broken.
I have hundreds of public-facing devices and I don't care if they make the max lifetime 3 days.
zz9plural@reddit
How do you automate cert renewal in Java keystores?
dnuohxof-1@reddit
Some legacy apps we run do not have paths for automation. Like ManageEngine products for example, we have to convert to PKS upload and provide the password.
And even still some automation fails. Once or twice a year Certbot fails to renew some Unifi devices and have to manually intervene to fix.
karudirth@reddit
mine is on about 350. :)
I recently updated our automation to be more vendor agnostic and more resilient in anticipation of this change happening sooner!
pabskamai@reddit
These decisions are taken by companies which have rehearsed this a thousand times, have the teams and resources to make all sort of cool automations/api calls, the there’s is the rest… the majority…
PrettyFlyForITguy@reddit
This is also a bit anti-competitive. I'd have to think that the harder it is to run your own systems internally, the more you'd be driven to SaaS and cloud options who will have the infrastructure set up to automate it all...
dustojnikhummer@reddit
Also even if everyone says no, as long as Google says "Yes", what they say will become standard.
Chunkypewpewpew@reddit
So, whats going to happen for those who need EV certs? do they talk to their public CA by phone or whatever every 1.5 months or so? OUCH...
isnotnick@reddit (OP)
For OV and EV the Subject data has to be re validated every 1 year (2 currently, but that’s being pulled down too). EV is largely dead.
loop_us@reddit
True, but that doesn't stop i.e. banks or electrical companies from demanding them. As long as this type of validation is not sunsetted, it will continue to be used.
FluidGate9972@reddit
Fuck off. Seriously, I have better things to do. 1 year is already a chore.
noobposter123@reddit
Meanwhile lots of people use the same ssh keys for years with no problems. How many of your servers have had unscheduled downtimes because of ssh key expiry? And how many security breaches due to ssh keys not being forced to expire in 45 days? In contrast Microsoft has had how many SSL cert expiry related downtimes? 🤣
I used to pay for SSL certs when they lasted for more than 2 years. Now I use Let's Encrypt - because if the main argument is shorter cert lifetime is safer I might as well go Let's Encrypt for free...
skywalker-11@reddit
One of the reasons the life time is being reduced is that in case of certificate revocation (technical issues, compromises,...) many organizations aren't able replace certificates in a reasonable time. In some cases it took them > 5 month while the CAs would normally be required to revoke certificates in a week.
ajscott@reddit
What makes them think that having to replace all of the certs will make businesses faster at replacing any of them?
If it become inconvenient enough, people will just find less secure workarounds that don't require constant maintenance.
skywalker-11@reddit
Ideally every vendor of software/hardware would support automatic certificate deployments so you would just do the initial setup of configuring the certificate properties and the authorization method once. The renews would then be automatically handled by the system.
If it isn't feasible to do that sort of automation or replacing certificates on a short notice you should look into other solutions such using an internal/private CA that isn't trusted by the public WebPKI as a whole. Is that less convenient and requires additional configuration on the clients? Yes! But then only people you have a business relationship would be impacted in case of issues the certificates and you will need to take full responsibility in that case.
Even today if there is hard evidence that the private key for your certificate is compromised you really SHOULD be able to replace these asap and have corresponding procedures in place to do that.
sysneeb@reddit
if this goes through does this mean all SSL certitificate will follow the below rule?
| __Certificate issued on or after__ | __Certificate issued before__ | __Maximum number of days for data reuse__ |
| -- | - | - |
| | September 15, 2025 | 398 |
| September 15, 2025 | September 15, 2026 | 200 |
| September 15, 2026 | April 15, 2027 | 100 |
| April 15, 2027 | September 15, 2027 | 45 |
| September 15, 2027 | | 10 |
isnotnick@reddit (OP)
Yes. Except the final drop to 10 is not for the certs but for the length of a time a domain validation can be re-used.
sysneeb@reddit
im assuming this is stop attackers from stealing information after the ssl expires?
Behrooz0@reddit
I'm sorry. I know this is a civil forum.
Fuck Off.
PraxPresents@reddit
What a pain in the rear. SSL certificate renewal is the worst.
isnotnick@reddit (OP)
Automate the pain away.
Graham99t@reddit
Haha ridiculous. What a money maker.
isnotnick@reddit (OP)
For who? CAs where there are many completely free alternatives? Or Apple who make no money from certificates and just want to ensure the security and safety of billions of users and devices?
EZRiderF6C@reddit
Letsencrypt!!!
isnotnick@reddit (OP)
Yep.
Hot-Difficulty-9604@reddit
Those systems that are not public facing will go back to using self signed and people will just get use to security warnings. This sounds like a board room decision instead of a practical one.
isnotnick@reddit (OP)
It’s a practical security issue. And if you can use self-signed, you can use certs from a private CA with the root distributed to devices you control, thus eliminating the warnings (and allowing roughly 2 year certs).
biztactix@reddit
This is like forcing password changes every 30 days....
I understand it's supposed to make it automated... But how long before the automation is the taget of the attacks... Get a copy of the new key as it's updated....
No increase in security and lots of bricked devices.... Yay Future!
YoureCringeAndWeak@reddit
Move away from certs :)
markth_wi@reddit
Oh look the mission critical software running some ancient version of Tomcat or IIS can't update......
jaymz668@reddit
let's not forget even automated cert renewals often require a restart, that's gonna be fun when that forced restart has issues or happens at the wrong time
Just-a-dudee@reddit
Just to be clear, from 2027, the validity of an SSL cert would only be for 45 days is it? If so, what’s the reason for bringing it down
NorthernVenomFang@reddit
Every 6 weeks?!
Could someone explain how making TLS/SSL certs rotate this often increase security in a practical way?
iRyan23@reddit
10 days
I guess they want to fully eliminate the certificate revocation system since it’s never worked well anyway.
NorthernVenomFang@reddit
10 days is just insane.
That means I will have to update certs once a week.
Granted I have an ansible playbook that handles this on my Linux hosts and a load balancer with TLS offloading for my primary web app. So those are OK I could do nightly if needed.
The Windows IIS boxes.... Urgh... Now I am going to have to do some PowerShell to automate those.... I know what my project is for Q2 of next year.
Unfortunately I have some certs that go on network appliances, those are going to suck, and ACME/LetsEncrypt certs are not an option for those.
mikejr96@reddit
You can plug the powershell code into Ansible and target the windows machines
sixpackshaker@reddit
My organization switched to 11 months. My vendors thought we were fucking crazy not to have 5 year ssls.
malikto44@reddit
This is just bordering on insanity? Is there some specific security reason why Apple is pushing for what are pretty much SLCs. Are private key repositories so sloppy and insecure that they have to be replaced all the time?
Not everyone has ACME or the ability to use LE.
I am going to propose one thing: Create a type of certificate that can last for 5 to 10 years. The certificate has to come from a key generated in a certified HSM, the higher the security the HSM, the longer the key. This way, a wildcard cert can be generated and placed in two YubiHSMs and something like a F5 used to terminate the SSL connections. Or maybe allow the wildcard certificate with a 3-5 year life to be copied from HSMs on the tier of YubiHSMs. For more secure HSMs, allow for longer expiration.
Going to the HSM route solves what Apple and Google are trying to push without compromising security. Of course, this doesn't solve the fact that rekeying a ton of network appliances manually is a pain in the ventilation shaft.
isnotnick@reddit (OP)
What happens when you find out the key in that HSM was broken due to some later-discovered firmware issue? Or something like the Debian weak-key bug? Wait out the remaining years of the 5 or 10 and hope it's not abused...or do short-term certificates to begin with?
malikto44@reddit
Just have the cert revoked, just like they are now if they get compromised.
Someone breaking a HSM is a lot higher of an undertaking than snarfing a key off a load balancer. Mainly because HSMs are not just designed from the CPU level, if not at the silicon level, but audited a ton of ways to get FIPS and other certifications. If someone breaks a HSM... which can happen like the side channel attacks with YubiKeys [1], it still requires a large amount of effort to figure out the PIN, and then decap the CPU.
HSMs at least give a tough obstacle. Yes, they can be broken, eventually, but it is a lot better than not having one.
rthonpm@reddit
The only reason for this is someone thinks they can make money from it, no different than the expansion of TLDs.
FenixSoars@reddit
The people complaining obviously haven’t figured out automated cert rotation works for about 99.9% of situations.
MustBeBear@reddit
What’s the best way to automate internal certs? Let’s encrypt and using ACME cert bot would be ideal for public facing. However internal only option to to my knowledge is using DNS101 method which to help automate that would require API and then requires keeping secret on each web server which becomes our issue since multiple people manage each web server we don’t want to expose secret to entire domain management.
So I would be curious if there is a better way or something I am overlooking. Otherwise we are considering a paid automation service that some vendors offer.
FenixSoars@reddit
I do my internal with a cloudflare integration for Certbot, then again, i use a normal TLD I can own for internal.
Which I think has been the recommendation for a bit now.
IJustLoggedInToSay-@reddit
On one hand, probably not a bad idea.
On the other hand, time for retirement lmao.
bionic80@reddit
and of course the big cert providers won't charge a renewal for that, nope. never. it would be nothing of the sort.
AdamAThompson@reddit
What if we started to hang the hackers instead?
OtisB@reddit
This gives me actual heartburn, considering the number of proprietary systems/appliances I have that don't support automation or have strange methods for updating certs that would make automation miserable....
isnotnick@reddit (OP)
Then it might be an idea to check if they even need public certs from LE/DigiCert/Sectigo, or rather a private CA would be a better solution. Plus it will free you from these decreasing lifetimes.
OtisB@reddit
A good portion of them run user-facing web interfaces, unfortunately. Good argument to eliminate a lot of this legacy crap that should have gone away already.
Mandelvolt@reddit
All of our production software is regulated and needs approval for changes, so guess what is included in the production repository? Ssl certs and keys which require a whole cascade of beaurocracy to change. It was bad enough once per year and convincing management to let us build a new ssl depyment system falls deaf ears every year we bring it up since it doesn't directly help us make money. This is going to be a nightmare but maybe I can use this to get management on board for modernizing our PKI.
RedNailGun@reddit
I have a feeling that this is like the "change your password every 90 days" fiasco. The security measure put into place to increase security ultimately reduces security due to workarounds.
PlannedObsolescence_@reddit
But in this case, the best and laziest 'workaround' is... To start doing your certificates right? It becomes a no-effort situation if you can remove the manual rotation from certificate renewals.
If a business wants to have more control over the certificates they deploy for internal systems - start using an internal certificate authority. Legacy internal systems is the number 1 reason for people complaining about the public certificate authority ecosystem and their attempts to work towards better global security for all.
If you run public systems that anyone outside your company can access, then you need a public CA cert. But that also means that you need to be running systems that are secure and up to date, otherwise you expose yourself to a lot of threats. Those systems should support ACME, or you should be able to put a reverse proxy or web application firewall in front of those systems and use ACME to manage its certs.
If none of those are appropriate, then the companies need to petition their vendors to support ACME / remove roadblocks for reverse-proxy use, or replace those systems.
pomyh@reddit
might as well go with letsencrypt at this point
yawkat@reddit
Weird comparison. We know password refresh intervals lead to weaker passwords because humans are bad at choosing and remembering passwords.
But this does not apply to certs, you can't choose and remember your keys anyway, it needs a keygen. And cert refresh intervals do encourage automation which is good.
RedNailGun@reddit
My point is that workarounds are unexpected and unpredictable. The people who make the rules had no idea that forcing password changes every 90 days would cause a decrease in security. My point is that the people who are now making these rules, and us, have no idea if the end result will actually achieve what they intend to achieve. Seems obvious now, but any new requirement that puts significant stress on a system, may cause an unexpected problem. That is the only comparison that I am drawing here.
No_Size_1765@reddit
Thats going to need a lot of manpower for things that cant be automated...
MacAdminInTraning@reddit
Time like this make me very happy everything I manage is now SaaS.
SokkaHaikuBot@reddit
^Sokka-Haiku ^by ^MacAdminInTraning:
Time like this make me
Very happy everything
I manage is now SaaS.
^Remember ^that ^one ^time ^Sokka ^accidentally ^used ^an ^extra ^syllable ^in ^that ^Haiku ^Battle ^in ^Ba ^Sing ^Se? ^That ^was ^a ^Sokka ^Haiku ^and ^you ^just ^made ^one.
inteller@reddit
Hell just go Letsencrypt then.
uebersoldat@reddit
Bad actors: "Oh no!...anyway..." continues just phishing users and dropping malware via fake Fedex links et al.
BasicallyFake@reddit
I really dont see how this is helpful
slippery@reddit
This is awesome. I hope some day my entire job is updating SSL certificates daily or multiple times a day. /s
F&ck these idiots.
karudirth@reddit
Automation. Automation. Automation.
The world isn’t ready for this, but they aren’t giving us much choice. hopefully vendors (including Microsoft) will catch up and provide better automation support in their software
isnotnick@reddit (OP)
This. Automation has been possible - ACME or otherwise - for a long, long time. The carrot didn't work too well, time for a stick.
AnnoyedVelociraptor@reddit
This is a trade off. No one is checking revocation lists and no one is adding OSCP signatures. And OSCP signatures is just a bandaid.
isnotnick@reddit (OP)
CAs do (or will, soon) have an option to issue 10 day certs with no revocation information in, so they couldn't even be checked if you wanted to. 10 days is a maximum acceptable risk window.
Avamander@reddit
I mean, stapling does work, but nobody is enforcing that.
I remain hopeful that maybe they'll allow longer lifetimes with must-staple flag, but who knows.
AnnoyedVelociraptor@reddit
Problem with stapling is that it merely proves private key possession, not legitimate domain ownership.
And OSCP stapling requires the legitimate owner to DETECT that its private key was stolen and to actually report it.
And frankly, if your software supports OSCP stapling it also supports ACME.
Avamander@reddit
It proves that the cert has not been revoked. It only helps when the stolen certificate is revoked.
But yes, anything that can staple can most likely do ACME and we've gotten rid of a bunch of complexity OCSP introduces.
SikhGamer@reddit
I will admit to loving this thread for show casing the slow descent into madness.
brm20_@reddit
That’s just silly! Thats a no from me!
secret_configuration@reddit
This sounds like a nightmare, I think 1 year is reasonable.
clubfungus@reddit
Of all the security threats and solutions we have to deal with, I can't recall a single time that I thought anything remotely like, "You know what, shortening SSL certificate lifespan even more is my top priority. That'll solve so many problems for me."
Who is asking for this?
jeffmartel@reddit
Remindme! 1 day
zz9plural@reddit
Internal PKI, here I come.
PlannedObsolescence_@reddit
Awesome to see some progress towards reducing the public trusted TLS cert lifetime to below 398 days. I know it's not a given that this will pass, there will be a lot of push back.
A schedule of decreasing periods for max validity is the right way IMO, each period passing will make it increasingly more obvious how much effort is being put into any manual certificate renewals. Giving everyone a very clear push of 'if you aren't automating your renewals your life will soon become hell'.
There are certainly some workloads where manual certificate renewal 'makes sense' when the max vailidity period is over a year. For example some esoteric system where you cannot easily automate the rotation. The effort to manually rotate annually is 'worth it' compared to the effort to put the proper solution in place.
If we get public trusted cert validity down to something like 45 days, it will force companies to:
Old_Ad_208@reddit
Sorry, but my employer is not going to spend many thousands to replace a couple of year old firewall just because it doesn't have ACME support.
PlannedObsolescence_@reddit
What part of your firewall do you need to use a publicly trusted TLS certificate for?
Old_Ad_208@reddit
The VPN requires a public TLS certificate as far as I know. The firewall also has a public website that allows a user to log in and use a website via an SSL VPN, or reverse proxy, of some sort. I would like to get rid of the website piece if it was up to me as it gets used very rarely.
PlannedObsolescence_@reddit
Okay, so your SSL-VPN is exposed to the public internet on a certain port - and that service needs a TLS certificate that each remote user's laptop is going to see as 'trusted'.
This doesn't need a publicly trusted certificate FYI.
If you have no internal CA, and don't really have any other reason to spin one up - then I can understand wanting to still use a public CA for this. In that scenario, you would just need to find a solution that allows that certificate to be swapped out automatically. If you have admin over your firewall, you can absolutely automate this - even if there is not an ACME feature built in.
What is your firewall vendor?
At minimum firewalls from these vendors natively support ACME (caveat - not all product lines/models):
If you wanted to avoid public CAs and didn't want to run your own internal CA...
The ugliest option would be to generate a self-signed certificate for something like 10 years, and load it into everyone's machine trust store using a GPO in Active Directory. Everyone's laptops will now be happy about the certificate being trusted, and you now need to worry about generating another cert in a decade.
Old_Ad_208@reddit
Palo Alto is not on that list. Yes, it can be done with third party scripts, but I hardly have the time to spend a month implementing and testing something like this. I then have to repeat for another month testing a third party solution for my Netscaler. My luck the third party integration will fail on a critically important day for the business like election day.
Yes, I have an internal CA, but trying to get that working with both Windows and Mac VPN clients means a bunch of extra work too.
The annual process of buying a cert and throwing it on is a lot less time compared to the days and weeks to automate things. One to two hours per year adds up to around three eight hour days compared to weeks to automate. I just installed some software that has native ACME support and it was literally minutes to set up and get a cert, but the native ACME support is the key.
PlannedObsolescence_@reddit
If this ballot goes ahead, you can pretty much guarantee Palo Alto will ship ACME support well ahead of the first max validity period change (200 days max from 15 September 2025 onwards).
And it still wouldn't be that much of a headache until 15 September 2026 when it's 100 days.
Of course you can implement an alternative right now - but if you want to use the built in feature you (collective) need to petition your vendor to support ACME.
BWMerlin@reddit
Please correct me if I am wrong, but if you run your own internal CA can you not issue certs for however long you like as you can push the cert chain out to your devices?
PlannedObsolescence_@reddit
Absolutely, there are no TLS validity checks in the major browsers when using an internal CA. You control your own kingdom, which of course means taking full responsibility for CA security.
SnakeOriginal@reddit
The problem is - until the idiots at apple start enforcing their rules within browsers on internal CAs, like they do on most LOBs with iOS/iPadOS
ChadTheLizardKing@reddit
I mentioned this up thread... both iOS and Mac OS enforce 825 day maximum validity.
https://support.apple.com/en-us/HT210176
PlannedObsolescence_@reddit
Thanks for that, so if running your own CA and issuing certificates that are going to be valid for something longer than normal - you need to keep 825 days in mind if they'll be used on iOS/iPadOS/macOS etc.
Now, thought experiment - if you have full control of the CA...
You can just make it issue certificates that have a manipulated NotBefore of before July 1, 2019, and valid for say - 15 years. Wonder if that would work.
spokale@reddit
You can, but since Google is also pushing for this, don't be surprised if one or more browser vendors also fail sites with long-expiring certs regardless of whether the certs themselves are valid.
PlannedObsolescence_@reddit
The already-present 398 day max validity checks are only done to publicly trusted CAs in browsers. They don't check that if the certificate or CA is manually imported into the browser or OS cert store.
protogenxl@reddit
Bubba8291@reddit
Why does it go from 100 days to 200 days?
cgimusic@reddit
OP just got the numbers the wrong way around. It's 200 in 2025, 100 in 2026, 45 in 2027.
salazka@reddit
Why did Apple propose that? Often when they do such things which appear harmless, it is either to hurt some competitor or punish a partner. OR there is money to be had and Apple is on it somehow?
Some interesting stats:
https://www.ssldragon.com/blog/ssl-stats/
If this gets to pass the growth of the industry by 2028 is going to be more than 11%... buy SSL issuer stock :P
But how is it going to work?
Especially on the web, some vendors take months for validation.
I had some web certificates being validated after an entire year!!!
They got validated by the time they expired 😂
You can imagine what is going to happen if the validity reduces to 45 days.
Org SSL is an entirely different story. This is going to get messy.
RequirementBusiness8@reddit
Passwords: Let’s go from every 90 days to once a year. Certificates: let’s go from every 2 years to every 45 days. And realizing how much CAs charge for public certs, the logic checks out.
Ludwig234@reddit
You still only pay in year increments. Renewals are free within the paid period
Old_Ad_208@reddit
I really wish I didn't have both a Palo Alto firewall, and a Netscaler, that don't support ACME natively. I can't find anything that says Netscaler 14.1 will support ACME natively. It appears there are non-native ways to do it with both, but I hate having to add an extra layer of complexity to break when I upgrade PANOS, or the Netscaler.
I have everything else in my DMZ doing Let's Encrypt, but the software on the other servers have native ACME support.
SomeoneRandom007@reddit
I hate SSL provision now, never mind if I have to keep refreshing them. On the plus side, someone might produce a nice way to automatically refresh them. No security risk in 3rd parties doing that for you at all, is there? /s
ElectroSpore@reddit
Googles solution is so automated without checks that scammers now seem to prefer it over lets encrypt for phishing and copycat sites.
Dal90@reddit
I can deal with it if I have too; much of our stuff isn't fully automated because I have too many other things to do and I have co-worker who handles the low risk ~80% of our certs. Things to do would include fighting the political battle that API access to Splunk so I can automatically detect an increase in TLS errors and rollback a change is not a security risk...so for now I have to run GUI queries in Splunk and rollback if I see issues.
The group we have who since January has had their application go down every 60 days when MongoDB Online uses Let's Encrypt to update their certs? Them...not so much. They went as far as demanding Mongo notify us in advance of cert updates and Mongo responded they should consider a new database provider.
Imagine my shocked face when Mongo told them the exact same thing I had told them earlier that week.
Z3t4@reddit
Then my company will stop buying certs and just use certbot/letsencrypt for everything.
tastyratz@reddit
I have to say, certificate management automation still feels like a lot of hand scripting and shell scripts/ssh when it isn't just windows & IIS. One thing I really wish we had for certs is something similar to a local peer-to-peer environment and just a client you install on every server. The "torrent" file could be how it hooks into the network and each client could have a recipe for what to do every time it updates. There are lots of great clients that pull certs directly but if you just want one or 2 to pull direct from letsencrypt/etc and then share that wildcard to peers it becomes a lot less friendly.
edhands@reddit
How about they fix certificate revocation first? This all meaningless until that part works.
zqpmx@reddit
Certbot and Letsencrypt are your friends.
vast1983@reddit
This seems like it has the potential to hurt large CAs unless they scale prices down to match.
If Digicert,Thawte etc think people are gonna pay $100 dollars every month or two for certs .... Well.... Does anyone know if Let's encrypt is publicly traded? Haha
PlannedObsolescence_@reddit
There would be no cost change for the CAs that charge for certs. Right now you buy a certificate period, 1/2/3 years etc. In that period you can re-key / renew your cert however many times you want.
In fact, if you buy a 2 year term right now - you already have to renew your certificate during your term due to the 398 day max validity requirement. There's no extra cost for this already.
4t0mik@reddit
This is a SaaS grab. Reject this.
GamerLymx@reddit
move all public sires for leta encrypt .... because my org doesnt allow automatic certificates by automated tool
widowhanzo@reddit
What dumbass came up with that rule?
GamerLymx@reddit
no idea, because its through european research identities , it has some restrictions... however we can still use let's encrypt.
dustojnikhummer@reddit
One of our customers does this. They refuse to automate and to use LetsEncrypt, apparently because "they are not trustworthy" and because their insurance said so. Guessing it's one of those "it's not extortion level expensive so it is not secure"
SenTedStevens@reddit
I wouldn't doubt it's a heavily regulated industry or government. It's more about the process and accountability than actually being efficient.
ITaggie@reddit
Then just automate the cert process and manually validate?
SenTedStevens@reddit
Maybe that'll happen with the ISSO, Compliance Officer, and GS-15 govvies step down in the next 20 years. I worked a fed gig a while back and you'd have a better chance getting Congress to bilaterally sign off on something before that happened.
Secret_Account07@reddit
Jesus fucking Christ. I hate this 😩
wrootlt@reddit
NIST just has to come up with new recommendation that changing certs that often is bad for security (just like passwords) :)
corruptboomerang@reddit
What's the upside or reasoning for this change?
1-year feels like a good amount of time?
Maybe, I'm an idiot, but couldn't it be an option to have certs expire sooner, if they want 'more secure'?
Feels kinda like A&G et al are just trying to push more and more of The Internet into fewer and fewer hands because they're the only ones who can (afford to) run it?
mrmacedonian@reddit
Servers get compromised and certificate revocation is a basically a joke.
The upside is security in the sense that a stolen private key will be valid for \~45day (statistically speaking) when issued with a 90day lifespan. The shorter the original lifespan, the reduced time an attacker has to benefit from the stolen certificate. Used to be 3yr extended validation certs and when compromised, those gave malicious actors so much time to setup and execute their campaigns.
The downside is people need to spend time and resources properly automating and testing (and monitoring) their certificate processes, or shift their architecture to pass through hardware (load balancer, reverse proxy, etc) or a service (cloudflare, etc) which becomes their public facing SSL termination. Then, what happens after SSL termination is handled however they wish (ssh, etc).
Basically it's people resistant to change, or working for companies where they can't bring about change, crying about the added work required as a result of not changing. There's no downside beyond this, and eventually I could see a 3day certificate life cycle being implemented, because why not.
I've shifted as much as I can to Cloudflare/Argo Tunnel routing so it's all built into that architecture. Things that aren't suited to this are setup with acme.sh script and DNS-01 challenge, which runs every night to check if the certificate needs renewal. Upon renewal, it triggers a deploy script which handles export into appropriate formatting and deliver of certificates where they need to go, and then restarts the necessary services, if restart is needed.
I put significant time into these transitions (planning, testing, implementing, testing) and a change from 90days to 45days or 5days would have no impact whatsoever until certificate life drops below 24hrs; though if this becomes necessary to any degree we've outlived the useful lifespan of SSL and public/private key authentication/verification schemas.
danekan@reddit
Companies shouldn't be manually managing certs and the shorter the time span the more likely they'll actually fix the root problem. Combined with: encryption we know today is about to be broken and everyone needs to be ready for five minutes cert swaps
toast4ya@reddit
Get ready for Bluetooth certification
ISU_Sycamores@reddit
This sounds like death to internal MS CAs for server use.
shouldvesleptin@reddit
Where the heck is ESRI? Someone trout slap them with this one, please.
_BoNgRiPPeR_420@reddit
What is the real concern here, though, that AES-256 can be hacked in that short amount of time? Or do they not trust themselves with safeguarding private keys?
If it's the former, we can simply increase encryption strength at the cost of slightly more processing power. If it's the latter, even if someone gets the key, they still need to be able to MiTM traffic, which isn't always easy depending on where you want to perform your attack. The HSTS policy is also supposed to help most types of MiTM by preventing downgrade attacks.
Most of this seems like security theater to annoy the masses and increase profits of CAs.
fadhawk@reddit
Ok fine, how much is the cert subscription? Just let me pay it so we can move on and stop playing this ridiculous charade.
First-Structure-2407@reddit
I renewed one today, I’ll be doing it again very early Jan ‘25
thedatagolem@reddit
I think this is probably an initiative of some government three-letter organization.
They have not cracked TLS encryption. (Or want everyone to believe they haven't) But they can subpoena a certificate authority for expired private certificates. So all they have to do is collect data until the certificate expires, subpoena the private key, and decrypt it.
But this is troublesome for them if they have to wait for a 3 year certificate to expire. Not only is it very time consuming, but it makes the data dump big enough that it's difficult to manage. Certs that expire quickly are much more convenient.
Or at least, that's my hypothesis.
Urd@reddit
koliat@reddit
I don’t see a reason at this point why not make them valid for 1 hour
Avamander@reddit
That's a different certificate profile, in theory it's now possible.
devonnull@reddit
Why not 1 second? Why not 1 ms? Blah blah blah automation, blah, blah, security, blah blah blah incompetent if you don't know this or that.
ComeAndGetYourPug@reddit
I think they're underestimating how lazy people are.
If they do this, many people will switch things back to HTTP "temporarily" and it will stay that way forever.
pixel_of_moral_decay@reddit
Already chrome warns when using http in certain use cases, I can see that expanding.
Moleculor@reddit
Chrome only warns in certain cases? I can't think of any situations Firefox doesn't warn about HTTP. But maybe that's a configuration setting on my end or something.
neoKushan@reddit
Actually I think they're banking on people being lazy. Set up your automated cert renewal of choice and stop worrying about certs.
bmxfelon420@reddit
ELI5, but would this also affect Apple MDM certs? That would suck.
Avamander@reddit
No, those do not fall under WebPKI AFAIK.
bmxfelon420@reddit
I hope not, I've had to re enroll phones before and it sucks tremendously. We can barely remember to renew those every year, 45 days would kill us.
Avamander@reddit
Honestly it's kinda crazy that these things do not auto-renew already.
Crotean@reddit
This is insane, fix the security of SSL, 45 days is waaaaay too fucking short with how many appliances that use SSL can't be automated.
netsysllc@reddit
fuck apple and google
gnimsh@reddit
Can we please not?
loosus@reddit
I think 1 years is low enough. If you want lower, you have that option today without burdening the entire ecosystem.
Some systems will not support automation for the foreseeable future. Some cannot support automation due to the way they're not connected to the public internet.
TerrificGeek90@reddit
It’s 2024, if you don’t have your certs automated by now then you’re a lost cause. And yes, your cert renewal CAN be automated, but you probably need to know how to program to do it. gasp!
qejfjfiemd@reddit
Uuuuuugggghhhh
Axiomcj@reddit
This is why we went and looked at a cloud pki system a few years ago. We went with venafi cloud pki as our choice. Rotating of certs and ties into automation platforms we leverage.
Mike22april@reddit
Thats what CLM solutions are for
VirtualDenzel@reddit
So happy our internal certs have a looong duration.
dritmike@reddit
This is the standard amz has been running this standard since about 2019.
Just figure out your redeployment
Ad-1316@reddit
I like the thought of automating the process so the cert auto renews and installs itself. I don't know why we need to drop the time period less than a year. Seems like it just makes it easier to do a shorter-term (cheaper) option to legitimize something that shouldn't be. Although certs have always been a money grab, it did keep out some of the rift raft.
etherealenergy@reddit
https://github.com/cabforum/servercert/pull/553
Gbarnett101@reddit
So basically I’ll need to hire a Cert Specialist that all he does is re apply my certs to all our devices. Full time. I’m sure he will cost 50k a year lmao
PlannedObsolescence_@reddit
What does
mean?
Are you using public trusted CA certificates for something like Radius / 802.1x enterprise authentication device certs?
InevitableOk5017@reddit
F that
Gummyrabbit@reddit
So this means my Digicert certificates need to be renewed on my public facing servers every 45 days!
Sk1tza@reddit
Fuck that.
nakade4@reddit
Google has proposed 90 days already (enforcement via Chrome/Chromium). Time to automate & to push your vendors to make it easier to automate, and about time..
the more often we get these certs updated the less chance we forget (exercise that muscle memory) which is what’s happening now..
jrichey98@reddit
We run a local CA for everything internal anyway. This will just push everyone to run reverse proxies for everything external.
I do think these companies are mainly trying to just make it difficult for small companies to stay off cloud services.
Holmesless@reddit
Super small companies already go to Microsoft. If your workprocesses can be a cloud app without infrastructure or IaaS then goodbye on prem stuff. It's more so the companies that are medium.
campfred@reddit
I’m okay with it. At my workplace, we’re already on 30 days and it’s been good. We’re thinking of maybe shortening it further but unsure that’ll be that useful.
butter_lover@reddit
Trying to increase the value of their investments in in CAs and venafi I guess
QuietThunder2014@reddit
Cool. Then first make it not such a pain in the ass to monitor and update certs...
Otherwise, stfu
ThirstyOne@reddit
Just when you thought certs couldn’t get any more annoying.
Bright_Arm8782@reddit
Excellent, means I can get my hands on certificates often enough for the renewal processes to sink in.
Ok-Particular3022@reddit
Great!