SSL certificate requirements are becoming obnoxious

I am responsible for approving SSL certificates for my company. I’ve developed a process over the past couple of years that works well. My stakeholders understand their roles and responsibilities and put up a minimal amount of fuss as I review and approve each cert. What started out as a quarterly or semi-monthly task has become a monthly-to-weekly task depending on when our certs are expiring.

I appreciate the amount of trust put into certificates and understand that they are a critical component of digital security. But this 💩 is getting out of hand. When certificates underpin nearly all digital security, including VPNs, WiFi, Email, Websites, APIs, and more, increasing the administrative burden of managing them will have diminishing returns.

And, I think it’s going to push organizations away from traditional Certificate Authorities (CAs) in the long run.

Validation Mechanisms

Our certificate issuer used to allow a number of handy validation methods.

In 2021, they announced that file-based domain validation would be disallowed for wildcard certificates. When used for non-wildcard certs, file-based domain validation would be required for every individual SAN/FQDN. This was a minor annoyance, because at the time we had some automation that would allow us to renew certs with minimal fuss.

File-based domain validation was less secure: one dangling DNS record or webserver misconfiguration is all it takes to hijack a certificate. (I recommend that any organization leveraging PaaS platforms like AWS or GCP consider a thorough DNS inventory and cleanup if they haven’t done one recently; you may be surprised by what you find.)
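The DNS inventory the paragraph above recommends can be started offline from a zone export. The script below is an added example, not code from the original post: it parses BIND-style records and flags the patterns that make file-based validation hijackable, namely CNAMEs whose targets no longer resolve, CNAMEs into re-claimable cloud namespaces that are missing from the org's own resource inventory, and A records pointing outside the org's address space. The zone lines, the inventory, the resolver answers and the list of claimable suffixes are all constructed for illustration.

```python
"""Offline audit of a DNS zone export for dangling records (added example)."""
import ipaddress
from dataclasses import dataclass

# Hostname suffixes of hosted services where a released name may later be
# registered by another tenant. Illustrative, constructed list; not exhaustive.
CLAIMABLE_SUFFIXES = (
    ".s3.amazonaws.com.",
    ".elasticbeanstalk.com.",
    ".azurewebsites.net.",
    ".storage.googleapis.com.",
    ".github.io.",
)


@dataclass(frozen=True)
class Record:
    name: str
    rtype: str
    value: str


def parse_zone(text: str) -> list[Record]:
    """Parse 'name TTL IN TYPE value' lines from a BIND-style zone export."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":
            continue
        name, _ttl, _cls, rtype, value = fields[:5]
        records.append(Record(name.lower(), rtype.upper(), value.lower()))
    return records


def audit(records, resolves, owned_hosts, owned_nets):
    """Return (record, reason) pairs for records that look dangling.

    resolves(name) -> True if the name currently has a DNS answer
    owned_hosts: cloud hostnames the org still controls (inventory)
    owned_nets:  IP networks the org controls
    """
    findings = []
    nets = [ipaddress.ip_network(n) for n in owned_nets]
    for r in records:
        if r.rtype == "CNAME":
            if not resolves(r.value):
                findings.append((r, "CNAME target does not resolve"))
            elif r.value.endswith(CLAIMABLE_SUFFIXES) and r.value not in owned_hosts:
                findings.append((r, "CNAME to claimable cloud name not in inventory"))
        elif r.rtype == "A":
            ip = ipaddress.ip_address(r.value)
            if not any(ip in n for n in nets):
                findings.append((r, "A record points outside owned address space"))
    return findings


# Constructed zone export for the example (documentation IP ranges only).
ZONE = """
; constructed zone export
www.corp.example.com.      300 IN A     203.0.113.10
test.lab.corp.example.com. 300 IN A     198.51.100.7
assets.corp.example.com.   300 IN CNAME assets-prod.s3.amazonaws.com.
old-demo.corp.example.com. 300 IN CNAME demo-2019.elasticbeanstalk.com.
docs.corp.example.com.     300 IN CNAME docs-corp.github.io.
mail.corp.example.com.     300 IN MX    10 mx1.corp.example.com.
"""

# Constructed stand-in for live resolution: the old demo target was released.
RESOLVABLE = {"assets-prod.s3.amazonaws.com.", "docs-corp.github.io."}
OWNED_HOSTS = {"assets-prod.s3.amazonaws.com."}   # constructed inventory
OWNED_NETS = ["203.0.113.0/24"]                    # constructed address space


def run_audit() -> list[tuple[str, str]]:
    """Audit the constructed zone; returns (owner name, reason) pairs."""
    records = parse_zone(ZONE)
    findings = audit(records, lambda n: n in RESOLVABLE, OWNED_HOSTS, OWNED_NETS)
    return [(r.name, reason) for r, reason in findings]


if __name__ == "__main__":
    for name, reason in run_audit():
        print(f"{name:30} {reason}")
```

In a real run the `resolves` callback would perform live lookups and the inventory would come from the cloud provider's API; the two flagged CNAMEs here are exactly the kind of record that lets a stranger pass HTTP-based validation for a name under your domain, which is why a cleanup pass belongs in the renewal process.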

The remaining domain control validation (DCV) methods for my organization have been reduced to two options: DNS TXT records and email-based validation. One of these is completely useless: we don’t set up email addresses for every possible subdomain, so email-based validation may as well not exist when we need to update a certificate for test.lab.corp.example.com because there is no [email protected]. But it’s not just validation methods. There are new defenses requiring more stringent validation.

DNS validation is a decent and secure option in an organization where DNS management access is tightly controlled. I don’t generally have a problem with it as it’s a straightforward and small time sink to implement.

Defending against Hijacking and Spoofing
