SSL Certificate Renewal
TLS provides both encryption and authentication: before any data is exchanged it lets a client confirm that the server it has reached is the one it intended to reach. TLS is the current standard; SSL is the deprecated protocol it superseded, but "SSL certificate" remains the everyday term. The most visible use is on websites, where the "https" prefix and the padlock icon indicate a TLS connection. In brief, the server holds a private key and proves possession of it during the handshake; the matching public key is carried in a certificate that binds it to a domain name and is signed by a certificate authority (CA) the client already trusts. The certificate's job is therefore to vouch for the key and the name it belongs to, not to perform the encryption itself. Nothing forces a website to use TLS, but browsers mark plain-HTTP pages as "Not secure" and show a full-page warning for an expired or untrusted certificate, which most users cannot or will not click through.
A less visible use of TLS is inside private networks, where client certificates (mutual TLS) restrict access to devices or data according to the credentials presented. Taken to its conclusion this becomes a Zero Trust design, a goal reachable by several methods and sold by vendors as a managed package. Any such design involves many certificates: Zero Trust authenticates every connection it can, so the number of certificates grows with how finely the network is segmented, and every one of them expires and must be renewed.
There has been some concern that Google will reduce the maximum lifetime of publicly trusted certificates from about a year (the current cap is 398 days) to 90 days. The proposal comes from the Chrome Root Program, which sets the rules for the certificate authorities Chrome trusts, rather than from Google acting as an issuer. At the time of writing (October 2024) the most recent statement from Google appears to be a Chromium Project update from March 2023. It would still be prudent to assume that validity periods will shrink and to plan now for how to cope with that.
From the issuer's point of view a shorter lifetime means that a compromised or mis-issued certificate stops working sooner, and the ecosystem depends less on revocation checking, which browsers perform unevenly. For the operator it means four times as many renewals (quarterly rather than yearly) and a greater chance that a connection is blocked because a certificate was not replaced in time. Installing a new certificate is not, in cyber-security terms, especially hard, but the steps differ by system and by issuer. Each issuance also requires proving to the issuer that the requester controls the name being protected. A common method is to place a file containing an issuer-supplied token at a public but unlinked path on the website (in ACME terms the HTTP-01 challenge, served from /.well-known/acme-challenge/), which demonstrates the ability to write to that site; the alternative is a DNS TXT record. Issuers may reuse a validation for a limited period, but with 90-day certificates it is safest to assume revalidation at every renewal. Done by hand, this adds up to a lot of "busy work" for a system administrator.
Self-signed certificates sidestep the issuer's rules on a private network. They cost nothing, can be generated on Windows (New-SelfSignedCertificate in PowerShell) or on Linux and Unix (openssl), and the validity period is whatever is chosen at creation time (1 year is a common choice), because no issuing authority is involved. This suits a small test network but has real flaws: nothing outside the network vouches for such a certificate, so every client must be told explicitly to trust it; connections to or from outside the network that rely on it will fail; and there is no authority to revoke it if the key is compromised, so it stays trusted until each client that accepted it is reconfigured. Expiry is not removed either, only postponed, so the renewal problem returns on whatever date was chosen.
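The following is an added example, not code from the original article, showing the two points above in practice: a self-signed certificate with a validity period of our choosing is rejected against the system trust store and accepted only when pinned, and a small private CA (a step beyond what the text describes) lets clients trust one root instead of pinning every certificate. The names lab.local, app.lab.local and "Lab Private CA" and the working directory are assumptions for the demonstration; it needs only the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the original article): self-signed certificates and a
# small private CA, checked with the same verifier a browser or curl would use.
# lab.local / app.lab.local / "Lab Private CA" are made-up names.
set -eu
WORK=${WORK:-$(mktemp -d)}

# make_self_signed NAME DAYS: one command creates key + certificate, signed by
# its own key; DAYS is whatever we choose (the article's "1 year" = 365).
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" -days "$2" \
    -subj "/CN=$1" -addext "subjectAltName=DNS:$1" >/dev/null 2>&1
}

# make_private_ca DAYS: a self-signed CA certificate, installed once on each
# client; everything it signs is then trusted without per-certificate pinning.
make_private_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -days "$1" \
    -subj "/CN=Lab Private CA" >/dev/null 2>&1
}

# issue_from_ca NAME DAYS: a CSR for the server, signed by the private CA, with a
# subjectAltName (modern clients ignore the CN when matching the hostname).
issue_from_ca() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$1" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$1" >"$WORK/$1.ext"
  openssl x509 -req -sha256 -days "$2" -in "$WORK/$1.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# trust_status NAME [CAFILE]: prints "trusted" or "untrusted". Without CAFILE the
# system trust store is used, which is what a browser or curl does by default.
trust_status() {
  if [ $# -ge 2 ]; then
    ok=$(openssl verify -CAfile "$2" "$WORK/$1.crt" >/dev/null 2>&1 && echo y || echo n)
  else
    ok=$(openssl verify "$WORK/$1.crt" >/dev/null 2>&1 && echo y || echo n)
  fi
  [ "$ok" = y ] && echo trusted || echo untrusted
}

# not_after NAME: the expiry date; self-signing chooses it but does not remove it.
not_after() {
  openssl x509 -noout -enddate -in "$WORK/$1.crt" | sed 's/^notAfter=//'
}

# Stand-alone demonstration.
make_self_signed lab.local 365
make_private_ca 3650
issue_from_ca app.lab.local 90
echo "self-signed, system store: $(trust_status lab.local)"                            # untrusted
echo "self-signed, pinned:       $(trust_status lab.local "$WORK/lab.local.crt")"      # trusted
echo "CA-issued, system store:   $(trust_status app.lab.local)"                        # untrusted
echo "CA-issued, with CA root:   $(trust_status app.lab.local "$WORK/ca.crt")"         # trusted
echo "self-signed expires:       $(not_after lab.local)"
```

The private-CA route also gives you something to revoke against: a CRL published from ca.key can be distributed to the same clients that hold ca.crt, whereas a pinned self-signed certificate can only be un-pinned by hand on every client.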
A practical route to renewing externally validated certificates automatically is a CA such as Let's Encrypt, which issues free 90-day certificates over the ACME protocol. These work on public-facing websites and, provided the name exists in public DNS, on internal hosts too. An ACME client such as Certbot requests, installs and renews the certificates on a schedule. The requester must still prove control of the domain name at each issuance, through the HTTP-01 challenge (a token served from the website) or the DNS-01 challenge (a TXT record). Another web service, DuckDNS, supplies a dynamic DNS name with an API that lets the client answer the DNS-01 challenge automatically, so both the name and its validation are handled without manual steps. Possible security concerns are the reliance on an open-source client (Certbot) that runs with enough privilege to write the certificate and reload the web server, on an external DNS service (DuckDNS), and on an issuing authority (Let's Encrypt) which, although fully trusted by browsers, is run by a non-profit (ISRG) with community rather than contractual support.
Left alone, a certificate will not warn that it is about to expire. The issuer usually sends a reminder, but that cannot be relied upon (with automated issuance there may be no reminder at all), so the expiry date of every deployed certificate should be checked on a schedule. Certificates can be replaced at any time before their expiry date. With several certificates and shorter validity periods in play, renewals should be coordinated so that they fall together and the work is done in one pass, or better, automated so that nobody has to remember the date.
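The following is an added example, not code from the original article and not Certbot's own code, covering the last two paragraphs: a scheduled check that reports every certificate within WARN_DAYS of expiry (so a cron job or systemd timer gets a non-zero exit to alert on), and a renewal driver that runs the renewal command only when a certificate is actually due, which is how an ACME client behaves. The renewal command defaults to "certbot renew" but is a variable, so any ACME client can be substituted. The 30-day threshold, the file paths and the two constructed certificates (10 days and 365 days) are assumptions for the demonstration; 30 days is also the point at which Certbot's own timer starts attempting renewal.

```shell
#!/bin/sh
# Added example (not from the original article, not Certbot's code): expiry
# monitoring plus a renew-only-when-due driver. Paths and the 30-day threshold
# are assumptions; the two certificates at the end are constructed for the demo.
set -eu
WORK=${WORK:-$(mktemp -d)}
WARN_DAYS=${WARN_DAYS:-30}
# Real renewal command (any ACME client will do); overridden below for the demo.
RENEW_CMD=${RENEW_CMD:-"certbot renew --quiet --deploy-hook 'systemctl reload nginx'"}

# expires_within CERT DAYS: "yes" if notAfter falls within DAYS from now, else
# "no". openssl exits 0 when the certificate will NOT expire inside the window.
expires_within() {
  if openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null 2>&1; then
    echo no
  else
    echo yes
  fi
}

# check_all LISTFILE: one certificate path per line; prints a report line for
# each and returns 1 if any is due, so a scheduler sees a failing exit status.
check_all() {
  due=0
  while IFS= read -r cert; do
    [ -n "$cert" ] || continue
    when=$(openssl x509 -noout -enddate -in "$cert" | sed 's/^notAfter=//')
    if [ "$(expires_within "$cert" "$WARN_DAYS")" = yes ]; then
      echo "DUE  $cert  (notAfter=$when)"; due=1
    else
      echo "ok   $cert  (notAfter=$when)"
    fi
  done <"$1"
  return $due
}

# renew_if_due CERT: run RENEW_CMD only when needed; prints the decision.
renew_if_due() {
  if [ "$(expires_within "$1" "$WARN_DAYS")" = yes ]; then
    sh -c "$RENEW_CMD" && echo renewed
  else
    echo not-due
  fi
}

# remote_not_after HOST [PORT]: the same check against a live endpoint, for
# certificates you did not install yourself. Needs network, so it is defined
# here but not called in the offline demonstration.
remote_not_after() {
  openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -enddate | sed 's/^notAfter=//'
}

# --- demonstration with two constructed self-signed certificates ---
mk() { openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
         -out "$WORK/$1.crt" -days "$2" -subj "/CN=$1" >/dev/null 2>&1; }
mk short.example 10     # inside the 30-day window: due
mk long.example 365     # well outside it: ok
printf '%s\n%s\n' "$WORK/short.example.crt" "$WORK/long.example.crt" >"$WORK/certs.txt"
check_all "$WORK/certs.txt" || echo "at least one certificate needs attention"

RENEW_CMD=true          # stand-in for the real renewal command in this offline demo
echo "short: $(renew_if_due "$WORK/short.example.crt")"   # renewed
echo "long:  $(renew_if_due "$WORK/long.example.crt")"    # not-due
```

Run check_all from a daily timer against the list of certificates you are responsible for, and point remote_not_after at the public hostnames as well: a certificate that renewed on disk but was never reloaded into the web server is the classic way to be "renewed" and still serve an expired certificate.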