Root Causes 273: A Deep Dive on CA Agnostic
The industry is seeing more and more attention spent on the idea of CA agnosticism. As with any buzzy technology term, it can be used to mean a variety of things. Join us as we catalog the various ways a Certificate Lifecycle Management (CLM) system can be "CA agnostic."
- Original Broadcast Date: January 30, 2023
Episode Transcript
Lightly edited for flow and brevity.
-
Tim Callan
A long time ago, like probably 100 episodes ago or more, we defined a term. It was one of our “what is” episodes and the term was CA agnostic. We were thinking it would be nice to go back and dive a little deeper on that and in particular, I think one of the things we’ve been seeing, Jay, is that this term is picking up use out there in the world.
We are seeing it used in the industry. We are seeing it used by analysts. I know it’s a Gartner term and as always, with tech words, the definition might vary based on who is using it and what they mean. You and I have discussed this with other terms as well and so we were thinking today it would be a good idea to dig into that a little, talk through the idea of CA agnostic, what might that mean or might it not mean and give everybody a framework.
-
Jason Soroko
Tim, let’s talk a little bit about the history. It’s quite often we start with the pithy definition. But, in this case, I’d like to start off just with a little bit of the history and as you know, Tim, back in the day when the internet first came out there was no https and you just browsed websites, and eventually, of course, the concept of having encrypted communication between a webserver and the browser just made a lot of sense.
So SSL certificates, which became TLS certificates, which we still use to this day heavily, the ability to put those certificates onto the websites, the ability to manually provision them, manually manage them, this was still a world before certificates were used basically just about everywhere in all kinds of use cases. But let’s stick with this idea of publicly trusted certificates for this particular podcast, Tim, because this is kind of interesting.
-
Tim Callan
Ok.
-
Jason Soroko
As you know, maybe better than most, the vendors of these SSL certificates started to arise and, you know, all of the sudden we now had a few vendors and then many more vendors and then there were all kinds of specialist vendors who were like into specific governments. And things started to get a bit more complicated and all the way to today when you now have basically free vendors such as Let’s Encrypt with ACME technologies and that sort of thing. It’s been a long progression and part of this progression has also been that it’s not just one website. It’s no longer even just one subdomain or just a handful of subdomains, and we’ve seen websites go down, and we’ve seen basically the need for certificate lifecycle management.
So you have these couple of dimensions here, Tim. You’ve got the dimension of many Certificate Authorities, more than one. There are a handful of large ones but there are many Certificate Authorities and then you also have many places where certificates come from even if they are not publicly trusted. On-prem PKI was one of the original places where certificates came from in history.
And then you have all kinds of other places. Now in the public cloud, and we’ll go through that list of all the different places you get your certs from. So when you say “CA agnostic,” where did that come from? It really came from a set of vendors who very early on recognized that certificate lifecycle management was important, and these vendors were not necessarily the Certificate Authorities themselves who are issuing the certificates.
-
Tim Callan
Right. They were someone else. They were enterprise software providers.
-
Jason Soroko
They were enterprise software providers who – they didn’t even call it that at the time because they were just saying, look, we’ll get your certs from wherever, right? You buy your certs from wherever and we will help you to manage them.
Fast forward to 2021 and all of the sudden we have a CA who is announcing CA agnostic CLM, and that was Sectigo. Then you have to ask, well what does this mean? And I think, Tim, I love the way you brought it up at the beginning of the podcast because it means so many things to so many people and that’s because it is a lot of things. It actually is a lot of things.
-
Tim Callan
Right and the potential sources for certificates are vast and varied. Right? Even a major public CA like Sectigo, we’re serving the whole globe, we are doing an absurd number of OCSP lookups and issuing ridiculous numbers of certs and there are real world certificate use cases out there that aren’t in our domain. Because what you could potentially do is just so broad and varied, and so one of the things I find is that it’s difficult to imagine and define a CLM that is truly servicing every kind of source of certificates, every kind of type and every kind of CA. So you are guaranteed, even if somebody proudly says “I am CA agnostic,” it’s almost like ok, well, what are the white spaces in that because you know there will be some. This is a big thing that CA independence, CA agnosticism, don’t make the mistake… This will be my big takeaway for the podcast. So I’m ruining it early instead of saving it for the end. Don’t make the mistake of thinking of this as an all or nothing dynamic.
-
Jason Soroko
Right on.
-
Tim Callan
What it really is for every software provider in the world no matter how seasoned, no matter how accomplished, it’s all where do they sit on that spectrum? It’s a big set of shades of gray and what are the white spaces and are those white spaces that I care about? That’s how to consider this concept of CA agnostic in reality because that is the technology reality, the software reality not only today but as it will be for many years to come.
-
Jason Soroko
Absolutely. Another way of putting it for those of you who are hardcore practitioners, if you are running a certificate lifecycle management – first of all bravo. Good job.
-
Tim Callan
Yeah, good job.
-
Jason Soroko
It’s the right thing to do in 2023 and it’ll be the right thing to do going forward, and basically when you are looking at vendors of certificate lifecycle management you really should be asking yourself, hey, are you helping me to source certificates from multiple different places and what Tim is saying is not every CLM is gonna be able to touch absolutely everything. That’s not even probably a great thing to do anyway, but I do think that with all sorts of work and integrations, you will be able to reach out and touch a lot of things, and the list of things you will be able to reach out and touch will be greater. We can’t even say that we know in five years you are going to want to reach out and touch and get certificates from and discover and manage and rotate and renew. We are just not going to know all the sources.
-
Tim Callan
That is a good point. This is a moving target. Like you said, Jay, if you are getting in on CLM, good for you. Good decision. You will want to make sure your CLM stays current with your evolving needs because if you can imagine we could have gone back not that many years ago and there wouldn’t have been a lot of interest and discussion in, let’s say, certificates for the public cloud or certificates for DevOps environments, right? But we couldn’t possibly not consider those today. And what’s looking like in five years? What’s that looking like in ten years? What are those new things going to be that we are not that worked up about today but they will be very important to us for sure?
-
Jason Soroko
I want to go a little bit of history again talking about who needed CA agnostic and I think we all need it now is the punchline. But where was it first needed? One of the original needs for it was, believe it or not, consortia who were coming together for public and I would say probably for the most part privately trusted certificates that were meant to be interoperable. We have concepts and PKIs such as bridging the trust. That’s a trust model within PKI but it’s very difficult to do. You see it in federal government but to LG and Microsoft and, you know, pick your gigantic tech vendor of choice, when they want to get together and have their devices interoperable, they were not going to the traditional CLMs. They were going to the CAs because of the fact that a lot of times they wanted to have that brand name of public trusted certificates, and those CLM players were not in the business of issuing certs. They were just in the business of managing certs. So they went through the CAs.
-
Tim Callan
Because it’s just so reliable, right?
-
Jason Soroko
Exactly. So they went to the CAs, and the CAs could have just chosen a single CA to be basically the top of the hierarchy of trust beneath which all the other players would have interoperable certificates. Great. But what happens if something happens? What happens if services go down? What happens if a company goes out of business? What happens if – I mean when you are talking device ecosystems that will last 25 years or more, you want to have redundancies. When I myself was involved in consortia and talking about interoperability a lot, we actually encouraged openness and working with other CAs to have redundancy within the trust model, and that was one of the earliest forms of CA agnosticism that was built into systems in the past.
Then all of the sudden, Tim, especially with the adoption of things like Let’s Encrypt, you now had enterprises, sometimes even small companies, that were sourcing their certificates from multiple CAs just because. You might have your Tim.com, your main site, right, TimCallan.com, whatever it is, you might have had your branded origin server certificate from a Sectigo and then you might have had a bunch of test subdomains that you were just gonna turn off and on and you were just experimenting and you might have just gone off and got yourself an Amazon cert or Let’s Encrypt cert or something like that. But here’s the problem. You didn’t have visibility to it.
-
Tim Callan
Just bought something from some random CA in retail.
-
Jason Soroko
Hence the need for discovery within Certificate Lifecycle Management because discovery tells you, hey you got all these certs. But then, how are you, you know, you may want to continue to be operating with multiple Certificate Authorities and so therefore the Certificate Authorities themselves in their CLM software, the decision was made to just have openness. We are recognizing… I would think that one of the better analogies is when Microsoft finally realized we cannot ignore Linux. Linux was really the software for server infrastructure and Windows server had a place there, but there’s no way that they were gonna completely dominate or completely compete with things such as Linux. So in other words, they put Linux into Microsoft as a first-class citizen. What the CAs have done in their CLMs is to recognize all the other CAs are also first-class citizens within the CLM.
-
Tim Callan
I kind of think of it like there are two kinds of scenarios here. One of which – this is for public CAs, right?
-
Jason Soroko
Public.
-
Tim Callan
One of which is what you said, it’s kind of the rogue certificate scenario. Where somebody somewhere in the company I may have standardized on something and I said we will all use Sectigo in this company. But then someone somewhere else in the company never got that memo and just went out and got a cert somewhere else, and you still want to be able to manage that. You want to be able to discover it, pull it in, get it under control, make sure it’s compliant, know when it’s expiring, put some kind of checks in place so you don’t have an outage due to an unexpected expiration. So that’s scenario number one. And that’s big, and that happens all the time, and you and I discuss that a lot.
Number two, though, is second sourcing – a deliberate second sourcing exercise where you say, you know what, CAs have failed; it doesn’t happen often, but it has happened. There’s no such concept as too big to fail. Symantec failed, right? Therefore, I want to have two vendors and I’m running 90% of my volume through CA A and I’m running 10% through CA B because that way if there’s ever a problem with CA A, I already know that CA B works, and I just call them and turn up the volume. We see that a lot, too. Under those circumstances it’s pretty rotten if you can’t have your second source sitting inside of your CLM of choice.
Both those scenarios occur on a regular basis, and that’s what you are saying. That’s what CLM vendors including the CLMs that come from CAs, including Sectigo, are trying to address and deal with.
-
Jason Soroko
Correct, Tim. And this goes all the way back to those old consortia days when interoperability, it just made sense. Yes, we are competitors, but we believe in openness within the industry and it’s the only way it makes sense and it makes even more sense as we proliferate certificates into webservers, load balancers, CDNs, you know, just so many certificates from so many places. It’s crazy to think that it’s all coming from one place. That was fine 20 years ago. It’s not fine now.
-
Tim Callan
Now this is where we get into one of my shades of gray, though. Which is to say there are a lot of public CAs out there. A LOT.
-
Jason Soroko
There’s a lot.
-
Tim Callan
And I would bet you that there is not a single CLM available in the marketplace anywhere in the world that works with every single one of them.
-
Jason Soroko
I can guarantee you it doesn’t exist.
-
Tim Callan
Now they can discover those certs. They can show you where they are. They can put them inside of a dashboard but they probably can’t revoke and replace and automatically renew and provision. And so, you got your two sets of shades of gray there. Like if I can discover the cert and put it in my dashboard and tell you when the expiration date is, does that count as support? Well, ok, by that definition, I probably can support all of the public CAs in the world. Or, do I have to do that full suite of functionality. Is that my definition of support?
And then the second shade of gray is honestly if you support three or maybe four major public CAs you’ve hit in excess of 98% of the certificate volume. So, if you do that, then do you turn around and say, well, you know what, that’s gonna be good enough for almost everybody or are you that particular enterprise that happens to want that long tail? So again, what does support look like in that regard? Is it good enough for me to have the top two, top three, top four, top five? Or do I think I need the long tail? And that’s another area where it all is a shade of gray and nothing is 100% and there is no all or nothing. It’s all where do you sit on that spectrum.
-
Jason Soroko
Absolutely, Tim. And therefore, that term CA agnostic – that term agnostic is a bit odd. But it’s an industry term. It’s being used by a lot of people. We use it. And so with everything you just said, Tim, it’s kind of an insider term. It’s not a term that was come up with from folks who were the practitioners. That’s why I’d like to repeat, the reason why that word is kind of used and floated around a lot, it’s because it’s the CAs kind of making the hard decision of, you know what, when you come to us for Certificate Lifecycle Management software, if you want to dual source your certificates, we are not going to stop who you are using that from. In fact, we are open and agnostic to who you get those certificates from. You will not be able to get them from anybody that you choose, and that’s simply because a lot of that long tail of smaller CAs, they are not open systems anyway. Yes, they are publicly trusted certificates, but they are not in the business of selling those certificates to you the way the big CAs are. The term agnostic means if you come to a Sectigo we are happy for you to source your certificate from your CA vendor of choice, recognizing that in today’s world we need to be agnostic to where those certificates come from. It doesn’t make sense for us to dictate that you must sole source your certificates from a single CA vendor. We are CA agnostic.
-
Tim Callan
Right. And that of course is just public CAs, and as you alluded, there are many other sources of certificates as well, and ultimately those two deserve to be dealt with using the same methods and the same systems with the same interface with the same rules showing up in the same dashboards, etc.
-
Jason Soroko
There are a lot of private Certificate Authorities. They may not be public Certificate Authorities but there are a lot of private Certificate Authorities. And, Tim, let’s list off some of them.
-
Tim Callan
MSCA.
-
Jason Soroko
Right. Microsoft CA. It’s been around a long time.
-
Tim Callan
Or your other internal PKI, whether or not it’s MSCA. I already mentioned public cloud. I might be getting certificates from Amazon, Google, Microsoft, and I care about those and I want to deal with those, and I want to manage those and make sure I don’t have an outage or something. Certificates in your DevOps environment. Those are all obvious examples. Then there are types of certificate, right? There’s not just SSL. There are other types of certificates in the world, so that deserves to be in part of this conversation as well.
-
Jason Soroko
It is a first-class member of this conversation but as you said, Tim, CA agnostic means so many things to so many people because we have multiple dimensions. We have public/private dimension. We also have public cloud internal PKI dimension and we have the different types of certificates dimension.
-
Tim Callan
Yeah.
-
Jason Soroko
And so it depends on who you are as a practitioner. If you are a webserver Linux administrator and you are obsessed with making sure that your multiple websites and load balancers are cycling through their publicly trusted certificates, well your dimension is pretty clear and you might want to dual source so CA agnostic means something to you. But if also you are transitioning from Microsoft CA to public cloud sourced certificates, well that’s a whole different deal of CA agnostic and CA agnostic means a lot to you as well because you want your certificate life cycle management to be agnostic to where your certificates are coming from because of your transition.
-
Tim Callan
Yeah.
-
Jason Soroko
So those are the three big dimensions in my mind. If anybody listening can think of more dimensions, let me know. But those are the three big dimensions of CA agnostic to me.
-
Tim Callan
Right. And so you can almost imagine it’s kind of like a cube. And you are saying well where am I sitting? There are these three different meters, these three different axes, and how extreme is my need on every one of these axes? That puts me in a unique spot in this three-dimensional space and then I say, ok, that’s what I am and I am looking for solutions that match what I am. But I’m also looking for solutions that match what I’m going to be, right? So right now my scope might be limited to certain kind of certificate but I think that will expand over time. Right now it’s limited to certain environments but I think that will expand over time. Or I am using it for a focused use case but I want something that can be future proofed for my organization so eventually it could work for all of the use cases. And so, that also was some of what you think about when you think about what does CA agnostic mean to me in the context of my environment, my work, my use cases, and my CLM.
-
Jason Soroko
Sorry to give everybody a history lesson because I’m sure a lot of you have lived through it but I never want to assume everybody has been here for 20 years. There’s a lot of you who are new and wanting to learn about this and so there it is. That’s how we got to this place. That’s why that term is used. It’s not a practitioner word. It’s a vendor word so it sounds a little awkward. That’s why we wanted to do this podcast.