Should organisations be switching their certificate authority?

For many technology professionals, the organisation’s Certificate Authority (CA) may not always be front of mind – many might fall into the trap of considering management of the organisation’s keys and certificates as ‘just another process’, giving little thought as to whether the CA fits the organisation’s needs.

Yet it is a process that carries serious implications for security: not all CAs are created equal, many are susceptible to cyber attacks, and in certain cases some have ignored security protocols.

This should be concerning to technology professionals. According to a recent survey, 65% of organisations rely on tools developed by their certificate authorities (CAs) to control their cryptographic assets.


This simply isn’t workable when you’re managing certificates from more than one CA – something that applies to almost every large firm. This becomes even more complex when moving certificates between CAs.

Technology professionals should take this issue seriously, and the upheaval involved in changing CAs certainly isn’t something to be taken lightly. But, in this unpredictable climate, many of us have to ‘roll with the punches’ and change CAs, often at a moment’s notice.

Muddying the waters even further is the fact that even the best CAs can fall victim to human error, invalidating certificates that you may be using. Recent events at Symantec and GlobalSign demonstrate the impact of CA errors.

Worse still is a compromise, or even wilful disregard for protocols, such as the problems recently detected at WoSign. Or you may find that new CAs have been introduced into your environment without your knowledge or approval.


To ensure the security of your cryptographic assets, agility is key. Let’s say your CA is compromised by a cyber attack and your certificates from that CA move to an untrusted state.

First, you have to be able to locate all impacted certificates. You’ll then need to reissue certificates from another CA. Which CA’s management console will you use to complete this arduous task? Can you expect any CA to provide the functionality that helps you move certificates to a competing CA?

Granted, a compromise is probably the worst-case scenario for switching CAs. However, there may be other cases which are less dramatic, but are still as important to address.


Let’s say the employees at your CA make an (all too human) mistake such as mis-coding a batch of certificates or accidentally revoking a root certificate. You’re basically left in the same situation; you experience a service outage.

You can wait for the CA or browser to resolve the problem, which could take weeks or months (see what happened when a Chrome bug affected Symantec certificates), or you could quickly solve the problem yourself by finding and replacing any certificates that were affected.

Setting the standard

The drive for change may also come from within your organisation. Perhaps your security policies mandate that you consolidate the number of CAs in the company to reduce your trust exposure.

Or perhaps they dictate that certificates for certain high-value functions, such as global financial transactions, must meet much stricter requirements that are only available from a particular CA, while those that support lesser functions may be acquired from a less expensive source.

You might also wish to simplify your encryption environment to enable tighter control or better operational efficiency.

In the process of discovering which certificates you need to migrate, you may discover certificates from a branch or department within your company that originate from a CA you didn’t know your organisation was using (unsurprising, given the average organisation has 16,500 certificates that they weren’t aware of). These certificates are prime candidates for registering with a CA that has been approved by your organisation.
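The first step in both situations above, locating every certificate issued by the CA you are leaving and every certificate whose issuer is not on your approved list, can be scripted against a directory of PEM files. The following is an added shell example, not code from the article or from Venafi; the CA and host names are constructed, and it builds a tiny throwaway PKI with openssl so it runs offline.

```shell
#!/bin/sh
# Added example: inventory PEM certificates by issuer so that certificates from an
# untrusted or unapproved CA can be found and queued for reissue.
# All names (ca-alpha, ca-beta, web1, web2, vpn1) are constructed for the demo.
set -e
CERT_DIR=$(mktemp -d)

# Constructed mini-PKI: two self-signed "CAs" and leaf certificates from each.
make_ca() {  # $1 = CA common name
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$CERT_DIR/$1.key" -out "$CERT_DIR/$1.pem" 2>/dev/null
}
make_leaf() {  # $1 = issuing CA name, $2 = leaf common name
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$CERT_DIR/$2.key" -out "$CERT_DIR/$2.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$CERT_DIR/$2.csr" \
    -CA "$CERT_DIR/$1.pem" -CAkey "$CERT_DIR/$1.key" -CAcreateserial \
    -out "$CERT_DIR/$2.pem" 2>/dev/null
}
make_ca ca-alpha; make_ca ca-beta
make_leaf ca-alpha web1; make_leaf ca-alpha web2; make_leaf ca-beta vpn1

# Print "<issuer DN><TAB><file>" for every PEM certificate in a directory.
# RFC2253 name output keeps the DN in a stable "CN=..." form across OpenSSL versions.
cert_issuers() {  # $1 = directory
  for f in "$1"/*.pem; do
    issuer=$(openssl x509 -in "$f" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    printf '%s\t%s\n' "$issuer" "$f"
  done
}

# Files issued by one named CA (the CA being replaced). The CA's own self-signed
# root is included, since its issuer is itself and it must go too.
certs_from_ca() {  # $1 = directory, $2 = CA common name
  cert_issuers "$1" | awk -F'\t' -v dn="CN=$2" '$1 == dn { print $2 }'
}

# Files whose issuer is not on the approved list: the "CA you didn't know about" case.
certs_from_unapproved() {  # $1 = directory, $2 = space-separated approved CA names
  cert_issuers "$1" | awk -F'\t' -v ok="$2" '
    BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) approved["CN=" a[i]] = 1 }
    !($1 in approved) { print $2 }'
}

echo "Certificates to reissue because ca-alpha is no longer trusted:"
certs_from_ca "$CERT_DIR" ca-alpha
echo "Certificates from a CA not on the approved list (only ca-beta approved):"
certs_from_unapproved "$CERT_DIR" ca-beta
```

The issuer-matching here is by exact DN; in a real estate you would also key on the Authority Key Identifier, since two CAs can share a display name.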


Ultimately, there are any number of reasons for changing CAs and you need to be prepared to make these changes quickly if the situation requires it.

To keep your fingers on the pulse of your encryption environment, you’ll need the agility to adjust your CA exposure in response to external and internal demands. This agility will also help you fine tune your strategic use of CAs to better meet your business goals.


Sourced by Mike Dodson, global head of security architects, Venafi




Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...