This post is also available in 简体中文, 繁體中文, 日本語, 한국어, Deutsch, Français, Español, Italiano.

At Cloudflare, we pride ourselves in giving every customer the ability to provision a TLS certificate for their Internet application - for free. Today, we are responsible for managing the certificate lifecycle for almost 45 million certificates from issuance to deployment to renewal. As we build out the most resilient, robust platform, we want it to be “future-proof” and resilient against events we can’t predict.

Events that cause us to re-issue certificates for our customers, like key compromises, vulnerabilities, and mass revocations, require immediate action. Otherwise, customers can be left insecure or offline. When one of these events happens, we want to be ready to mitigate impact immediately. But how? By having a backup certificate ready to deploy - wrapped with a different private key and issued from a different Certificate Authority than the primary certificate that we serve.

Events that lead to certificate re-issuance

Cloudflare re-issues certificates every day - we call this a certificate renewal. Because certificates come with an expiration date, when Cloudflare sees that a certificate is expiring soon, we initiate a new certificate renewal order. This way, by the time the certificate expires, we already have an updated certificate deployed and ready to use for TLS termination.

Unfortunately, not all certificate renewals are initiated by the expiration date. Sometimes, unforeseeable events like key compromises can lead to certificate renewals. This is because a new key needs to be issued, and therefore a corresponding certificate does as well.

Key Compromises

A key compromise is when an unauthorized person or system obtains the private key that is used to encrypt and decrypt secret information - security personnel’s worst nightmare. Key compromises can be the result of a vulnerability, such as Heartbleed, where a bug in a system can cause the private key to be leaked. They can also be the result of malicious actions, such as a rogue employee accessing unauthorized information. In the event of a key compromise, it's crucial that (1) new private keys are immediately issued, (2) new certificates are deployed, and (3) the old certificates are revoked.

In 2014, the Heartbleed vulnerability was exposed. It allowed attackers to extract the TLS certificate private key for any server that was running the affected version of OpenSSL, a popular encryption library. We patched the bug and then, as a precaution, quickly reissued private keys and TLS certificates belonging to all of our customers, even though none of our keys were leaked. Cloudflare’s ability to act quickly protected our customers’ data from being exposed.

At the time, Cloudflare’s scale was a magnitude smaller. A similar vulnerability at today’s scale would take us weeks, not hours, to re-issue all of our customers’ certificates. Now, with backup certificates, we don’t need to worry about initiating a mass re-issuance in a small time frame. Instead, customers will already have a certificate that we’ll be able to instantly deploy. Not just that, but the backup certificate will also be wrapped with a different key than the primary certificate, preventing it from being impacted by a key compromise.

Key compromises are one of the main reasons certificates need to be re-issued at scale. But other events can prompt re-issuance as well, including mass revocations by Certificate Authorities.

Today, the Certificate Authority/Browser Forum (CA/B Forum) is the governing body that sets the rules and standards for certificates. One of the Baseline Requirements set by the CA/B Forum states that Certificate Authorities are required to revoke certificates whose keys are at risk of being compromised within 24 hours. For less immediate issues, such as certificate misuse or violation of a CA’s Certificate Policy, certificates need to be revoked within five days. In both scenarios, certificates will be revoked by the CA in a short timeframe and immediate re-issuance of certificates is required.

While mass revocations aren’t commonly initiated by CAs, there have been a few occurrences throughout the last few years.
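The property a backup certificate must have, as described above (bound to a different private key than the primary and issued by a different CA), can be checked mechanically before the backup is counted on; the check below also requires the backup to be inside its validity window, since a backup is only useful if it can be served immediately. This Go program is an added example, not Cloudflare's code: it mints constructed Ed25519 keys and leaf certificates for example.com under the placeholder issuer names "Primary CA" and "Backup CA", and the 90-day validity period is an assumption.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

var ErrSameKey = errors.New("backup is bound to the primary's key pair")
var ErrSameIssuer = errors.New("backup was issued by the primary's CA")
var ErrNotValid = errors.New("backup is outside its validity window")

// CheckBackup returns nil only if backup can stand in for primary at time now: a different
// key pair (a leak of the primary's key must not affect it), a different issuing CA
// (a mass revocation by one CA must not affect it), and a validity window covering now.
func CheckBackup(primary, backup *x509.Certificate, now time.Time) error {
	if bytes.Equal(primary.RawSubjectPublicKeyInfo, backup.RawSubjectPublicKeyInfo) {
		return ErrSameKey
	}
	if bytes.Equal(primary.RawIssuer, backup.RawIssuer) {
		return ErrSameIssuer
	}
	if now.Before(backup.NotBefore) || now.After(backup.NotAfter) {
		return ErrNotValid
	}
	return nil
}

// NewKey generates an Ed25519 key pair: constructed test material, not a customer key.
func NewKey() (ed25519.PrivateKey, error) { _, k, err := ed25519.GenerateKey(rand.Reader); return k, err }

// Issue signs a 90-day leaf for example.com under issuerCN with caKey. The issuer names
// and the validity period are assumptions standing in for a real CA's values.
func Issue(issuerCN string, caKey, leafKey ed25519.PrivateKey, notAfter time.Time) (*x509.Certificate, error) {
	leaf := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.com"},
		NotBefore:    notAfter.Add(-90 * 24 * time.Hour),
		NotAfter:     notAfter,
	}
	parent := &x509.Certificate{Subject: pkix.Name{CommonName: issuerCN}} // only the issuer name is needed
	der, err := x509.CreateCertificate(rand.Reader, leaf, parent, leafKey.Public(), caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Run the same check against real PEM-decoded certificates with x509.ParseCertificate; the comparison of RawSubjectPublicKeyInfo catches a backup that was merely re-issued for the same key.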