In 2024 automation of Certificate Lifecycle Management (CLM) becomes crucial

17 Jan ‘24

In this blog, we provide an overview of developments within the PKI market and upcoming initiatives at KeyTalk.

90-day Maximum Validity for TLS/SSL Certificates

On March 3, 2023, Google announced in its “Moving Forward, Together” roadmap the intention to reduce the maximum validity period for public TLS certificates from 398 days to 90 days. This reduction to only 90 days of maximum validity will bring significant changes to the industry. While the specific timing is unknown, it is likely that this 90-day maximum will be in effect by the end of 2024.

What is the impact?

Most organizations still replace TLS/SSL certificates by hand, or outsource the task to an external IT manager or a Managed Service Provider (MSP), who also does it by hand. Under Google's proposed rule, certificates will have to be replaced roughly four times as often as today, which adds significant cost. The exposure to human error in the replacement process grows in the same proportion, and every missed or botched renewal risks an outage of critical IT infrastructure, which is far more expensive than the renewals themselves.

Time for Automation

To stay ahead of rising costs, and of the far larger costs of an outage of crucial IT infrastructure, automating TLS/SSL certificate replacement is essential. Major Certificate Authorities like DigiCert, GlobalSign, and Sectigo have been warning about this and, naturally, offer their own certificate management systems for the purpose. To avoid an unnecessary dependency on a single CA, it is wise to consider a CA-independent Certificate Lifecycle Management (CLM) system such as KeyTalk’s Certificate & Key Management System (CKMS).

Automation à la Let’s Encrypt

Many web servers run Let’s Encrypt certificates because the ACME protocol gives them automated issuance and renewal out of the box. These certificates are already valid for only 90 days (clients such as Certbot renew them once 30 days remain), and the same automation can support even shorter lifetimes. Let’s Encrypt issues Domain Validated (DV) certificates only: the ACME challenge proves control of the domain, but nobody validates the company behind the request, there is no check against a Chamber of Commerce register, and no other legitimacy checks are performed on the organization. An Organization Validated (OV) or Extended Validation (EV) application at DigiCert, GlobalSign, or Sectigo goes through those checks and is therefore not free. With the KeyTalk CKMS, the application, installation, and replacement of DV, OV, and EV TLS/SSL certificates from all of these CAs is automated, so a 90-day maximum validity is nothing to worry about.
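What a 90-day lifetime means in practice is that a renewal check, not a calendar reminder, has to decide when each certificate is replaced. The following is an added example written for this post; it is not KeyTalk code and not part of any ACME client. It uses only the Go standard library, generates a self-signed certificate (a constructed stand-in for a CA-issued one, so the example runs offline), serves it on a loopback TLS listener, scans that endpoint for the certificate it presents, and applies the rule Let’s Encrypt clients use: renew once a third of the lifetime remains (day 60 of 90). The one-third rule is expressed as a fraction so it generalizes to any lifetime, including today’s 398-day certificates; the host name, addresses and validity dates are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// RenewalStatus is the result of applying the renewal policy to one certificate.
type RenewalStatus struct {
	Lifetime  time.Duration // NotAfter - NotBefore
	Remaining time.Duration // NotAfter - now (negative once expired)
	RenewAt   time.Time     // first moment the policy asks for a renewal
	Due       bool          // now >= RenewAt
	Expired   bool          // now > NotAfter
}

// Assess applies the Let's Encrypt convention: renew when one third of the lifetime is left
// (day 60 of 90). As a fraction it holds for any lifetime, e.g. ~133 days before a 398-day expiry.
func Assess(c *x509.Certificate, now time.Time) RenewalStatus {
	lifetime := c.NotAfter.Sub(c.NotBefore)
	renewAt := c.NotAfter.Add(-lifetime / 3)
	return RenewalStatus{
		Lifetime:  lifetime,
		Remaining: c.NotAfter.Sub(now),
		RenewAt:   renewAt,
		Due:       !now.Before(renewAt),
		Expired:   now.After(c.NotAfter),
	}
}

// ScanEndpoint completes a TLS handshake with addr and returns the leaf certificate presented.
// Chain verification is skipped on purpose: this is an inventory read, the connection never
// carries data, and an expired or untrusted certificate is exactly what the scan must report.
func ScanEndpoint(addr, serverName string) (*x509.Certificate, error) {
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", addr,
		&tls.Config{ServerName: serverName, InsecureSkipVerify: true})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	certs := conn.ConnectionState().PeerCertificates
	if len(certs) == 0 {
		return nil, fmt.Errorf("%s: server presented no certificate", addr)
	}
	return certs[0], nil
}

// newSelfSigned builds a self-signed "localhost" certificate with the given validity window.
// It is a constructed stand-in for a CA-issued certificate so the example runs offline.
func newSelfSigned(notBefore, notAfter time.Time) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     []string{"localhost"},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// serveTLS starts a throwaway loopback TLS listener that presents cert, finishes the handshake
// with each client (so the client sees the certificate) and hangs up. Caller closes the listener.
func serveTLS(cert tls.Certificate) (net.Listener, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(c net.Conn) { _ = c.(*tls.Conn).Handshake(); c.Close() }(c)
		}
	}()
	return ln, nil
}

func main() {
	now := time.Now()
	// Constructed scenario: a 90-day certificate issued 65 days ago, past the day-60 renewal point.
	cert, err := newSelfSigned(now.Add(-65*24*time.Hour), now.Add(25*24*time.Hour))
	if err != nil {
		panic(err)
	}
	ln, err := serveTLS(cert)
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	leaf, err := ScanEndpoint(ln.Addr().String(), "localhost")
	if err != nil {
		panic(err)
	}
	st := Assess(leaf, now)
	fmt.Printf("%s: lifetime %.0fd, %.0fd left, renew from %s, due=%v, expired=%v\n",
		leaf.Subject.CommonName, st.Lifetime.Hours()/24, st.Remaining.Hours()/24,
		st.RenewAt.Format("2006-01-02"), st.Due, st.Expired)
}
```

Run against a real inventory, ScanEndpoint would be called once per host:port from the CLM’s asset list and the Due flag would drive the renewal job; the InsecureSkipVerify setting is acceptable only because the connection is used to read the certificate, never to send data over it.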

Extensive Support for Automation

Automation with the KeyTalk CKMS has been available for years through the KeyTalk agent. It is comparable to an ACME client such as Certbot or WinAcme, but it also reacts to certificate revocation and to a certificate being deleted by mistake, which standard ACME clients do not do. Since Q4 2023 KeyTalk also acts as an ACME server, so every server, piece of network equipment (load balancers, firewalls) and application that can automate certificates over the ACME protocol is supported as well, now for all certificate types from DigiCert, GlobalSign, and Sectigo (as of Q2 2024).

KeyTalk’s Development Roadmap for 2024

As we embark on another exciting year, KeyTalk is thrilled to announce several new feature developments that are part of our 2024 roadmap. These innovations are designed to enhance our services and provide our clients with the most advanced security solutions. Here are some of the key highlights:

  1. New Embedded Certificate Network Scanner: We’re introducing an all-new embedded feature within the KeyTalk CKMS to scan the network for deployed certificates and import them, so that certificates already in use are discovered and brought under lifecycle management.
  2. Azure KeyVault Integration: KeyTalk’s integration with Azure KeyVault brings certificates and keys stored in the cloud under the same management as the rest of the estate.
  3. Extended Load Balancer Support for Citrix NetScaler: Our support is expanding to include Citrix NetScaler, broadening our compatibility and offering more options for load balancing solutions.
  4. Extended DV Certificate Automation Support: We’re enhancing our Domain Validated (DV) certificate automation with automated DNS validation for Azure and AWS-based DNS, so the DNS challenge is published and cleaned up without manual steps.
  5. Enhanced Roles, Authorizations, and Workflow Management: Expect more flexibility and control with our improved roles, authorizations, and workflow management features, tailored to meet diverse organizational needs.
  6. Support for ACME for Client Certificates Using ACME Device Attestation: We’re implementing ACME support for client certificates, using ACME device attestation so that issuance can be tied to proof that the request comes from a genuine, enrolled device.
  7. Support for EST and CMPv2 Protocol: EST (RFC 7030) and CMPv2 (RFC 4210) are standardized certificate enrollment protocols widely used by network equipment and embedded devices; supporting them broadens the set of endpoints the CKMS can enroll automatically.
  8. Addition of HSM Key Attestation: With Hardware Security Module (HSM) key attestation, a certificate request can carry proof that its private key was generated inside the HSM and never left it, further strengthening the integrity of cryptographic keys.


At KeyTalk, we are continuously evolving to keep up with the latest trends and technologies in cybersecurity. Our goal is to provide the most efficient and secure solutions to our clients, and our 2024 roadmap is a testament to this commitment. Stay tuned for more updates and breakthroughs in the coming year!

For more information on these upcoming features or any queries regarding our services, please feel free to contact us. We’re here to guide you through the advanced landscape of cybersecurity.


The KeyTalk Team