Industry PKI experts have recently discovered a flaw in certificate generation practices that employ the commonly used EJBCA CA tool, which can result in serial numbers with 63 bits of entropy as opposed to the 64 bits required by public certificate guidelines. The plain-English explanation for this problem is that public CAs were generating 64-bit random serial numbers and then discarding results that turned out to be negative numbers, which from a pragmatic perspective reduced the available serial number space by half.
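To make the entropy loss concrete, the following added example (constructed for this article, not EJBCA's or any CA's code) emulates the "draw 64 bits, reject negatives" pattern, contrasts it with a generator that draws extra bytes before forcing the sign bit to zero, and checks a serial against the 64-bit minimum the guidelines require. The positivity requirement and the 20-octet DER limit on a serial number come from RFC 5280 rather than from the article; the function names and the 9-byte draw size are assumptions made for illustration.

```python
"""Constructed illustration of certificate serial-number entropy loss.
Added example, not EJBCA's or any CA's code."""

import secrets
from typing import Callable

RandomBytes = Callable[[int], bytes]  # injectable CSPRNG; defaults to secrets.token_bytes

BASELINE_MIN_ENTROPY_BITS = 64   # minimum unpredictable bits required by public CA guidelines
RFC5280_MAX_SERIAL_OCTETS = 20   # serialNumber must fit in 20 DER octets (RFC 5280, 4.1.2.2)


def flawed_serial(rng_bytes: RandomBytes = secrets.token_bytes) -> int:
    """Draw 64 random bits, read them as a signed integer and retry on a
    non-positive result.  Every accepted value has its top bit clear, so the
    generator can only ever produce 2**63 - 1 distinct serials: 63 bits."""
    while True:
        candidate = int.from_bytes(rng_bytes(8), "big", signed=True)
        if candidate > 0:
            return candidate


def compliant_serial(nbytes: int = 9, rng_bytes: RandomBytes = secrets.token_bytes) -> int:
    """Draw more bytes than the minimum and force the sign bit to zero.
    With 9 bytes (an assumed size), 71 unpredictable bits survive the
    positivity constraint, above the 64-bit floor and well under 20 octets."""
    while True:
        raw = bytearray(rng_bytes(nbytes))
        raw[0] &= 0x7F                      # sign bit cleared -> always non-negative
        value = int.from_bytes(raw, "big")
        if value > 0:                       # zero is not a valid serial either
            return value


def effective_entropy_bits(bits_drawn: int) -> int:
    """Entropy left once the sign bit is fixed, whether by masking it off or
    by rejecting every negative draw: exactly one bit is lost either way."""
    return bits_drawn - 1


def der_integer_octets(value: int) -> int:
    """Content-octet count of a positive INTEGER in DER: a leading 0x00 is
    needed whenever the most significant bit of the top byte is set."""
    if value <= 0:
        raise ValueError("certificate serial numbers must be positive")
    return value.bit_length() // 8 + 1


def serial_is_acceptable(value: int, generator_bits_drawn: int) -> bool:
    """True when the serial is positive, fits the 20-octet limit, and came
    from a generator that retains at least 64 bits of entropy."""
    return (value > 0
            and der_integer_octets(value) <= RFC5280_MAX_SERIAL_OCTETS
            and effective_entropy_bits(generator_bits_drawn) >= BASELINE_MIN_ENTROPY_BITS)


def high_bit_never_set(samples: int = 10_000, rng_bytes: RandomBytes = secrets.token_bytes) -> bool:
    """Empirical view of the flaw: across many draws of the flawed generator,
    bit 63 is always zero, so one of the 64 bits carries no information."""
    return all(flawed_serial(rng_bytes) >> 63 == 0 for _ in range(samples))


if __name__ == "__main__":
    print("flawed generator entropy:    ", effective_entropy_bits(64), "bits")          # 63
    print("9-byte generator entropy:    ", effective_entropy_bits(72), "bits")          # 71
    print("flawed serial acceptable?    ", serial_is_acceptable(flawed_serial(), 64))   # False
    print("compliant serial acceptable? ", serial_is_acceptable(compliant_serial(), 72))  # True
    print("top bit always clear (flawed):", high_bit_never_set())                      # True
```

The point the example makes is that rejecting negative draws and masking the sign bit are equivalent: both leave 2**63 usable values from a 64-bit draw, so a generator that must produce positive serials needs to draw strictly more than 64 bits to keep 64 bits of entropy.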
The scale of certificates mis-issued in this way is estimated to number in the millions. While this story is still unfolding, a GoDaddy representative has expressed the company’s intention to replace all such certificates — which for GoDaddy is estimated to number 12,000 or more — within 30 days. Other certificate issuers’ responses are still forthcoming. (Disclosure: Sectigo has none of these mis-issued certificates active on its Sectigo, Comodo, PositiveSSL, InstantSSL, or EnterpriseSSL brands.)
One possible outcome an enterprise may face is the need to replace a large number of certificates from one or more CAs very rapidly, before those certificates are revoked by the CAs in question. Incidents like this one can cause problems for enterprises, as they add significant unexpected workload on tight timelines and introduce extra risk of outages and technical problems.
Episodes like this one put a spotlight on the value of automation in certificate practices. Automated capabilities enable the consistently correct maintenance, revocation, and replacement of a large number of certificates with little human interaction required. The benefits of automation apply even when an enterprise does not face a sudden certificate management crisis, of course, but when these crises do rear their heads, automation can be a lifesaver.
Automated certificate management applications can help with: