On March 18, 2024, Certificate Authority (CA) Entrust announced that six days later (Sunday, March 24) they would revoke and reissue extended validation (EV) certificates that had been mis-issued over the past 6 months. The reissuance is due to mis-issued policy qualifiers on the impacted certificates, which violate the EV guidelines. Many of the affected organizations will likely struggle to renew and replace all their EV certificates at such short notice.
CA errors are not altogether uncommon. Most are very minor and are resolved quietly behind the scenes, but this particular incident stands out for a variety of reasons. When the incident was first revealed on Bugzilla, Mozilla's bug reporting platform, there was no response or acknowledgement from the CA for about a week, which is itself not entirely uncommon. To be fair, one reason for that was a slight inconsistency between the EV guidelines and the CA/B Forum Baseline Requirements on the implementation of policy qualifiers.
Initially, Entrust posted that they had no plans to reissue the impacted certificates. In addition, they stated that they would continue to issue certificates that did not include the required reference to policy qualifiers. But many Bugzilla contributors felt that because the EV guidelines were already so strict they should be the definitive source, and that the CA should make every effort to comply with them as a matter of course.
It was only when heavy hitters weighed in on the issue that Entrust began to chart a course of action stating, “We have stopped issuing mis-issued certificates and fixed the EV certificate profile.” The CA subsequently announced that they planned to revoke and reissue all 24,000+ impacted certificates after six days.
So where did that leave those companies who were using certificates that had been mis-issued? Turning on a dime to make sure they found and replaced all the impacted certificates before they were invalidated. But to further complicate matters, because EV certificates are the most highly vetted of all certificates, they are generally used in systems that require the highest level of security. So that makes it even more critical that companies are prepared for the revocation and reissuing of these high-value EV certificates on mission-critical systems. For most of the impacted enterprise customers, 6 days may not be enough as they are likely to have change control and security gates.
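As an added example (not part of the original post, and not Venafi's or Entrust's code), the following Python walks the DER encoding of an X.509 certificatePolicies extension and flags entries that assert the EV policy OID without a policy qualifier, which is the kind of check an operator could run over an existing certificate inventory to find candidates for replacement. It assumes, for illustration only, that the qualifier in question is the CPS pointer (id-qt-cps, OID 1.3.6.1.5.5.7.2.1) alongside the CA/B Forum EV policy OID 2.23.140.1.1; the extension values and the inventory are constructed inline, and the helper names are my own.

```python
"""Added example: parse a certificatePolicies extension and flag EV entries
that carry no policy qualifier. The specific qualifier checked (id-qt-cps)
is an assumption made for this example; sample data is constructed inline."""

CABF_EV_OID = "2.23.140.1.1"      # CA/B Forum EV policy identifier
ID_QT_CPS = "1.3.6.1.5.5.7.2.1"   # id-qt-cps: CPS pointer qualifier (RFC 5280)
TAG_SEQUENCE, TAG_OID, TAG_IA5STRING = 0x30, 0x06, 0x16


def _encode_len(n):
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, body):
    """Wrap a value in a DER tag-length-value triple."""
    return bytes([tag]) + _encode_len(len(body)) + body


def encode_oid(dotted):
    """Dotted OID -> DER OBJECT IDENTIFIER (first two arcs packed, base-128 rest)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(TAG_OID, bytes(out))


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    """DER OBJECT IDENTIFIER content octets -> dotted string."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_certificate_policies(ext_value):
    """certificatePolicies value -> [(policy_oid, [qualifier_oid, ...]), ...]."""
    tag, seq, _ = _read_tlv(ext_value, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    policies, pos = [], 0
    while pos < len(seq):
        _, info, pos = _read_tlv(seq, pos)           # PolicyInformation
        _, oid_body, p = _read_tlv(info, 0)          # policyIdentifier
        qualifiers = []
        if p < len(info):                            # optional policyQualifiers
            _, quals, _ = _read_tlv(info, p)
            q = 0
            while q < len(quals):
                _, qinfo, q = _read_tlv(quals, q)    # PolicyQualifierInfo
                _, qoid_body, _ = _read_tlv(qinfo, 0)
                qualifiers.append(decode_oid(qoid_body))
        policies.append((decode_oid(oid_body), qualifiers))
    return policies


def missing_cps_qualifier(ext_value):
    """True when the EV policy is asserted without an id-qt-cps qualifier."""
    return any(oid == CABF_EV_OID and ID_QT_CPS not in quals
               for oid, quals in parse_certificate_policies(ext_value))


def build_policies_ext(policy_oid, cps_uri=None):
    """Constructed sample: one PolicyInformation, optionally with a CPS URI."""
    body = encode_oid(policy_oid)
    if cps_uri is not None:
        qual = der(TAG_SEQUENCE, encode_oid(ID_QT_CPS)
                   + der(TAG_IA5STRING, cps_uri.encode("ascii")))
        body += der(TAG_SEQUENCE, qual)
    return der(TAG_SEQUENCE, der(TAG_SEQUENCE, body))


# Constructed inventory: (subject name, certificatePolicies extension value)
INVENTORY = [
    ("www.example.test", build_policies_ext(CABF_EV_OID, "https://cps.example.test")),
    ("api.example.test", build_policies_ext(CABF_EV_OID)),       # qualifier omitted
    ("dv.example.test", build_policies_ext("2.23.140.1.2.1")),   # DV policy, not EV
]


def find_impacted(inventory):
    """Subjects whose EV policy entry lacks the CPS qualifier."""
    return [name for name, ext in inventory if missing_cps_qualifier(ext)]


if __name__ == "__main__":
    print("impacted:", find_impacted(INVENTORY))
```

In a real sweep the extension bytes would come from each discovered certificate rather than from the constructed inventory; the parser deliberately ignores non-EV policy entries (the DV sample above is not flagged), so the output is a short list of EV certificates to prioritise for replacement.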
But forward-looking organizations may have already taken steps to reduce the friction of this type of unplanned certificate rotation. In fact, organizations that have embraced automation throughout the certificate lifecycle have essentially built in crypto-agility (or in this case, CA agility) that allows them to rapidly find and replace any impacted certificates. They are also well prepared to keep their businesses running when 90-day certificate lifetimes are ratified, and ultimately when the advent of quantum computing mandates new standards for post-quantum cryptography.
To achieve crypto-agility, enterprises must be able to respond promptly to mass certificate and key replacement events. At the same time, they must be able to demonstrate policy compliance for all certificates and identify any anomalies. This requires comprehensive visibility and detailed intelligence, as well as automation to enable replacement and renewal at machine speed and scale.
What can you do about it?
Fortunately, companies can save themselves unnecessary effort using TLS Protect Cloud. The solution provides customers with a list of certificates issued by a given CA, as well as the installation locations of all certificates that chain up to that CA's root certificate. With this knowledge, organizations can begin requesting replacement certificates manually, or they can configure TLS Protect Cloud to automate the replacement certificate issuance process. Whichever replacement method they choose, enterprises will spare themselves potential downtime, associated brand damage, and lost revenue. Start your free trial now to find EV certificates from Entrust in your network.