You would think by now that certificate-related outages would be a thing of the past. But as the number of certificates that large organizations use continues to double every couple of years, it’s increasingly difficult to maintain a complete inventory of all these highly valuable security assets. If even one certificate expires, it can cause mayhem internally and block business externally until it is remedied.
An expired root certificate, as in the recent certificate error at ServiceNow, can have an even broader impact. This Monday, a key SSL certificate expired and disabled ServiceNow’s Management, Instrumentation, and Discovery (MID) Server. The resulting certificate-related outage left over 600 organizations unable to integrate applications, access updates, and manage critical operations.
In an advisory, the company noted, “ServiceNow has identified an expired SSL Root certificate that is affecting MID Server and instance-to-instance connectivity.” The cause of this loss of connectivity was an expired MID Server Root G2 SSL certificate which impacted multiple services, including Orchestration, Discovery, and AI-powered functions such as Virtual Agent. Also impacted were instance upgrades, update set retrievals, and instance-to-instance communications.
“The certificate-related outage that left hundreds of ServiceNow customers pulling their hair out this week is not just a PR disaster, it also signals there are some serious gaps in ServiceNow’s processes that need to be fixed,” noted Venafi Chief Innovation Officer Kevin Bocek. “Root certificates provide the foundations of digital security and identity online—they sit at the top of the trust pyramid, authenticating and issuing other TLS identities down the chain. If the root certificate expires, it impacts all the other machine identities associated with it—which is why we have seen such wide ramifications for customers.”
Describing its remediation work, the company stated that “ServiceNow is continuing our preparation work to roll out the SSL Root certificate chain and remove the expired certificate used by your hosted instance.”
According to some reports, it appears that the certificate expiration error was flagged with ServiceNow two weeks ago. One can only assume that the certificate replacement job was mismanaged. “Outages of this kind are entirely preventable—if you have the right tools and processes in place,” advises Bocek. “But reports indicate that the expiry was flagged weeks before, but that the replacement was not carried out properly—which suggests they are still trying to manage these machine identities manually. That’s crazy!”
Trying to manually manage machine identities in today’s complex IT environments is an impossible task. And it’s getting harder. There are more than 290 million TLS certificates across the globe, jumping by more than 40 million in the last two years alone. This number is set to grow at an even greater rate as fast-paced, dynamic cloud native environments and AI-driven services become the norm. Moreover, with Google on the verge of mandating 90-day expiry deadlines for certificates, rolling replacements and shorter lifespans are going to be the norm in no time.
What can you do to protect your business from an outage triggered by a missed certificate expiration? Bocek says automation is essential. Organizations need a control plane for managing and securing machine identities throughout their lifespan across all environments, including cloud native: from issuance, through ongoing management, to retirement and replacement. By automating this process, companies cannot be caught off guard by an unexpected or overlooked expiry, and the process won’t be prone to human error.
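The dependency Bocek describes, where a root's expiry caps the validity of every identity beneath it, can be checked mechanically over a certificate inventory. The following is an added example, not code from ServiceNow or Venafi; the inventory records, names and dates are constructed, and the field names (`name`, `issuer`, `not_after`) are assumptions about what an inventory export might contain.

```python
from datetime import datetime, timedelta

# Constructed inventory export (names and dates are made up for illustration).
# A self-signed root names itself as issuer.
INVENTORY = [
    {"name": "Example Root CA", "issuer": "Example Root CA", "not_after": "2024-09-23T00:00:00+00:00"},
    {"name": "Example Issuing CA", "issuer": "Example Root CA", "not_after": "2026-01-01T00:00:00+00:00"},
    {"name": "mid.example.internal", "issuer": "Example Issuing CA", "not_after": "2025-03-01T00:00:00+00:00"},
    {"name": "api.example.internal", "issuer": "Unlisted CA", "not_after": "2025-06-01T00:00:00+00:00"},
]

def effective_expiry(name, by_name):
    """Walk issuer links to the root; return (earliest notAfter, cert imposing it, chain complete?)."""
    seen, earliest, limiting = set(), None, None
    while name in by_name and name not in seen:
        seen.add(name)
        cert = by_name[name]
        expires = datetime.fromisoformat(cert["not_after"])
        if earliest is None or expires < earliest:
            earliest, limiting = expires, name
        if cert["issuer"] == name:  # reached a self-signed root
            return earliest, limiting, True
        name = cert["issuer"]
    return earliest, limiting, False  # issuer not inventoried, or an issuer loop

def audit(inventory, now_iso, warn_days=30):
    """Return {cert name: (status, name of the cert that limits its validity)}."""
    now = datetime.fromisoformat(now_iso)
    by_name = {c["name"]: c for c in inventory}
    report = {}
    for cert in inventory:
        earliest, limiting, complete = effective_expiry(cert["name"], by_name)
        if earliest <= now:
            status = "EXPIRED"
        elif earliest - now <= timedelta(days=warn_days):
            status = "EXPIRING"
        elif not complete:
            status = "INCOMPLETE_CHAIN"  # cannot vouch for an issuer we never inventoried
        else:
            status = "OK"
        report[cert["name"]] = (status, limiting)
    return report

if __name__ == "__main__":
    for name, (status, limiting) in audit(INVENTORY, "2024-09-10T00:00:00+00:00").items():
        print(f"{name:24} {status:17} limited by {limiting}")
```

In the constructed data the leaf `mid.example.internal` is valid on its own until 2025, yet it is reported as expiring because the root above it is; `api.example.internal` is flagged because its issuer is missing from the inventory.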