Industry PKI experts recently discovered a flaw in certificate generation practices that use the widely deployed EJBCA CA software, which can produce serial numbers with 63 bits of entropy rather than the 64 bits required by public certificate guidelines. In plain English, affected public CAs were generating 64-bit random serial numbers and then discarding any result that came out as a negative number, which in effect cut the available serial-number space in half.
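A worked model of the flaw described above, added here as an example (not code from the original post or from EJBCA): discarding negative signed values pins bit 63 to zero, so only 63 bits vary, while reading the same 64 random bits as unsigned keeps the full entropy at the cost of a 9-octet DER encoding when the top bit is set. The population checks are the kind an inventory scan can run over collected serial numbers; the sample sizes and redraw bound are constructed values.

```python
import secrets

SERIAL_BITS = 64        # random bits required by the public certificate guidelines cited above
MAX_REDRAWS = 1000      # constructed bound so the flawed generator cannot loop forever

def flawed_serial(rng=secrets.token_bytes):
    """Model of the flawed practice: draw 64 random bits, read them as a
    *signed* integer and discard negative results. Every accepted value has
    bit 63 clear, so only 63 bits of entropy survive."""
    for _ in range(MAX_REDRAWS):
        candidate = int.from_bytes(rng(SERIAL_BITS // 8), "big", signed=True)
        if candidate > 0:
            return candidate
    raise RuntimeError("no positive draw within the constructed bound")

def compliant_serial(rng=secrets.token_bytes):
    """Keep all 64 random bits by reading them as unsigned; the result is never
    negative, and values with bit 63 set are simply DER-encoded in 9 octets."""
    while True:
        candidate = int.from_bytes(rng(SERIAL_BITS // 8), "big", signed=False)
        if candidate:               # RFC 5280 requires a positive serial, so skip 0
            return candidate

def der_serial_octets(serial):
    """Content octets DER needs for a positive INTEGER: a leading 0x00 octet is
    added whenever the top bit of the most significant byte is set."""
    return serial.bit_length() // 8 + 1

def effective_entropy_bits(serials, width=SERIAL_BITS):
    """Upper bound on the entropy of a serial population: count bit positions
    observed both set and clear. A bit that never varies contributes nothing,
    which is how the missing 64th bit shows up across an inventory."""
    mask = (1 << width) - 1
    seen_set = seen_clear = 0
    for s in serials:
        seen_set |= s & mask
        seen_clear |= ~s & mask
    return bin(seen_set & seen_clear).count("1")

def population_fits_63_bits(serials):
    """True when no serial in the sample uses bit 63, the signature of the flaw
    across a population (a single certificate cannot prove it either way)."""
    return all(s.bit_length() <= SERIAL_BITS - 1 for s in serials)

if __name__ == "__main__":
    flawed = [flawed_serial() for _ in range(2000)]
    good = [compliant_serial() for _ in range(2000)]
    print("flawed generator:   ", effective_entropy_bits(flawed), "bits of entropy")
    print("compliant generator:", effective_entropy_bits(good), "bits of entropy")
```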

The number of certificates mis-issued in this way is estimated to be in the millions. While the story is still unfolding, a GoDaddy representative has stated the company’s intention to replace all such certificates — estimated at 12,000 or more for GoDaddy — within 30 days. Responses from other certificate issuers are still forthcoming. (Disclosure: Sectigo has none of these mis-issued certificates active on its Sectigo, Comodo, PositiveSSL, InstantSSL, or EnterpriseSSL brands.)

One possible consequence for an enterprise is having to replace a large number of certificates from one or more CAs very rapidly, before those CAs revoke them. Incidents like this one cause problems for enterprises because they add significant unexpected workload on tight timelines and increase the risk of outages and technical problems.

Episodes like this one put a spotlight on the value of automation in certificate practices. Automated capabilities allow a large number of certificates to be maintained, revoked, and replaced consistently and correctly with little human interaction. The benefits of certificate automation apply even when an enterprise does not face a sudden certificate management crisis, of course, but when such crises do rear their heads, automation can be a lifesaver.

Automated certificate management applications can help with:

  • Certificate discovery. By crawling your network and finding and categorizing certificates, automation equips your organization to find and fix insecure and non-compliant certificates.
  • Certificate replacement. Where necessary, automation can replace non-compliant certificates quickly and without error, with little human effort.
  • Certificate renewal. For certificates within 90 days of expiration, automation can simply renew them rather than replacing them, carrying the remaining validity over to the new certificates so that no paid-for certificate lifespan is lost. The same automation can manage certificate renewal on an ongoing basis to avoid outages.
  • Visibility. An automated system can present results in reports or dashboards, giving the IT team visibility into the certificates under its management and helping ensure that certificates are correct and available.