17 April 2018 marks the day when Google will remove trust for all Symantec-issued certificates issued prior to 1 June 2016. The decision reflects a series of security mis-steps that caused Google to lose trust in Symantec's infrastructure. Those include the issuance of certificates that did not comply with CA/Browser Forum Baseline Requirements as well as Symantec's failure to implement appropriate oversight over companies it had previously entrusted to issue certificates.
At the heart of the Symantec case is a lack of CA policies and processes that, when implemented, can help protect against improper actions. In the absence of such safeguards, organizations should consider switching their certificates over to another CA. By no means is that the only reason why enterprises should consider a change. Nor is it the only element that factors into their decision-making process.
Indeed, organizations face several possible difficulties when it comes to switching CAs. Those obstacles aren't insurmountable, however. With that said, here are four common challenges involved with switching to a new CA and guidelines on how to overcome them.
When organizations are considering a switch to a new CA, they need to first find all of their certificates. They might have a running inventory of all certificates purchased through the appropriate channels, but departments sometimes go rogue and purchase certificates from other CAs without proper authorization.
Acknowledging that possibility, it's important for organizations to use an automated tool that can find all of their certificates no matter where they are being used and create a comprehensive inventory. IT can then use those records to develop a plan for transitioning to a new CA.
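One way to triage such an inventory against the deadline described at the top of this article, as an added example that is not from the original post or any vendor tool. It assumes certificates are held in the dictionary form returned by Python's `ssl.SSLSocket.getpeercert()`; the brand list, host names and sample records are assumptions constructed for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

# Cutoff from the article: certificates issued prior to 1 June 2016.
CUTOFF = datetime(2016, 6, 1, tzinfo=timezone.utc)
# Assumption: issuer names of CA brands that Symantec operated.
SYMANTEC_BRANDS = ("symantec", "verisign", "thawte", "geotrust", "rapidssl")

def fetch_cert(host, port=443, timeout=5):
    """Fetch a host's leaf certificate as a getpeercert() dict (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def issuer_fields(cert):
    """Flatten the issuer's RDN tuples into an {attribute: value} dict."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}

def classify(cert):
    """Return 'affected', 'symantec-later' or 'other' for one certificate."""
    issuer = issuer_fields(cert)
    names = (issuer.get("organizationName", ""), issuer.get("commonName", ""))
    text = " ".join(names).lower()
    # Name matching is a triage heuristic; confirm the chain before acting.
    if not any(brand in text for brand in SYMANTEC_BRANDS):
        return "other"
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    issued = datetime.fromtimestamp(seconds, tz=timezone.utc)
    return "affected" if issued < CUTOFF else "symantec-later"

def triage(inventory):
    """Map each host in the inventory to its classification."""
    return {host: classify(cert) for host, cert in inventory.items()}

def _cert(org, cn, not_before):
    """Build a constructed getpeercert()-style record for the sample below."""
    issuer = ((("organizationName", org),), (("commonName", cn),))
    return {"issuer": issuer, "notBefore": not_before}

# Constructed sample inventory; hosts and dates are illustrative only.
SAMPLE_INVENTORY = {
    "shop.example.test": _cert("Symantec Corporation", "Symantec Class 3 Secure Server CA - G4", "Mar 14 00:00:00 2016 GMT"),
    "mail.example.test": _cert("GeoTrust Inc.", "GeoTrust SSL CA - G3", "Jun  1 00:00:00 2016 GMT"),
    "blog.example.test": _cert("Let's Encrypt", "Let's Encrypt Authority X3", "Jan  5 09:34:43 2018 GMT"),
}
```

To build the inventory from live servers instead of the sample, call `fetch_cert()` for each known host and pass the results to `triage()`.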
- Issuing and Installing
Next on organizations' list of concerns is issuing and installing certificates. Doug Beattie, VP of SSL product management at GlobalSign, explains in a webinar that this challenge consists of ordering new certificates, requesting them, verifying that their domains are validated and accounts configured, and issuing and installing all of the new certificates. This obstacle is of particular importance for organizations; they don't want to cause a service disruption.
Fortunately, organizations can take steps to make issuing and installing certificates with a new CA easier. DigiCert notes that this effort begins with following best security practices such as not uninstalling a certificate until organizations have properly installed its replacement on the server, renewing certificates before expiration, and running regular scans of their encryption environment. They should also look into a platform that allows for automated issuance and installation of organization validation (OV) and extended validation (EV) certificates.
The steps above might not sound too overwhelming in practice. Even so, some organizations might worry about how much switching to a new CA costs. They're already paying fees for an existing certificate agreement; their fear is that they'll need to pay more for a new agreement with less favorable terms.
Organizations have lots of choices when it comes to the costs of switching to a new CA, however. Many Certificate Authorities offer flexible pricing plans like pay-as-you-go models as well as certificate licensing models where they can purchase thousands of certificates for one flat fee. At the same time, companies should be sure to weigh pricing against the overall value of a certificate agreement. For instance, an arrangement might include SSL management tools, a certificate management platform, and customizable options, features which could all justify higher costs for an organization.
Last but not least, organizations don't want to lose out on their certificates' existing validity. Many CAs recognize this fact and work with organizations to ensure their certificates retain the most value over the course of a transition. Towards that end, some Certificate Authorities add the remaining validity of organizations' existing certificates onto their newly purchased replacements. Such measures help organizations save money and thereby help make a transition to another CA smoother.
Certificate Management as a Core Concern
Most if not all of the challenges discussed above boil down to organizations finding a certificate management solution that maximizes flexibility, control, and security. Such a platform can help them manage their certificates regardless of which CA they ultimately choose.