Many organizations are unprepared for sweeping industry changes that call for mandated certificate automation, according to GMO GlobalSign.
There could be significant changes within the Public Key Infrastructure (PKI) marketplace, the most pressing matter being Google’s move to reduce the lifespan of SSL/TLS certificates. The solution to meet this call by Google, and other browsers, is to automate certificate management.
However, this is causing concern for the millions of businesses worldwide that rely on PKI for security compliance, since many of them are not ready to make this leap.
Infrastructure issues affect automation
GMO GlobalSign asked respondents about the challenges companies will face when Google reduces the maximum certificate lifespan to 90 days.
30% of respondents said the increased administrative work and complexity were the biggest concerns. Also worrisome for respondents is the possibility of more frequent root certificate updates, such as expected Mozilla updates set for 2024.
20% of survey participants believe that a seven-year rotation for root certificates is manageable and would not cause a significant impact.
15% of those who responded worried about costs and overhead. This was of particular concern to small businesses and websites, where added costs might not be justified by the owners. Another 30% voiced concerns with older or legacy systems, frequent expirations as well as security and compliance challenges.
Certificate automation challenges
38% of participants believe that technical limitations and compatibility are the biggest blockers to automation. This includes not having out-of-the-box solutions for automating certificate management, the lack of support for automated renewal in certain systems or environments (such as Windows, IIS, Plesk), and the incompatibility of some systems with standard automated solutions.
A quarter of respondents point to cost and resource constraints as potential obstacles. This includes the costs associated with developing a custom automation system, and the resources needed to manage and maintain solutions for automated certificate management.
20% of participants say a lack of knowledge or expertise is another potential challenge to automating certificates. This includes not knowing whether systems support the injection of new certificates and the restart of services, or being unfamiliar with automation in general.
10% also cite security concerns, especially the governance and control of a fully automated system, as well as the need for audit trails, security approval and oversight in free public Certificate Authorities (CAs).
7% also express concerns about the limits of infrastructure. This includes servers that are behind firewalls with strict policies, equipment that does not provide an API or other facility to manage the certificate, and networks that do not have access to the internet.
“It’s clear that many challenges to certificate automation exist, whether you are an enterprise level organization or an SMB. There are a lot of steps to overcome before the vast majority of customers can support full automation,” said Doug Beattie, VP, Product Management, GMO GlobalSign.
“On the plus side, tools are available today to remove the pressure of certificate automation. Our industry does not have clarity when a mandated 90-day automation may become real, but judging from our survey, organizations with concerns should begin taking steps now. In the long run, it will serve them well,” added Beattie.