What would you do if you found out that the Certificate Authority that provides Digital Certificates to your company was compromised, and Microsoft was adding the Certificate Authority’s public key to Windows un-trusted Root Store? Well if you have not got a contingency plan to implement then I can presume you will be in a panic to purchase new certificates from another Certificate Authority. If you only have to secure a few domains this might not be too bad but you will still have to join a queue of companies in the same position. What do you do if you manage a large number of internet domains? It can take Certificate Authority’s (CA’s) a few days to validate domain ownership and company registration details at normal times. Don’t forget they will be getting a lot of requests in and you will be in the queue. While all this is happening your customers are getting a message from Internet Explorer that your SSL certificate is not to be trusted.

What can you do?

Do not rely on one Certificate Authority for all of your certificates. You should have a relationship with at least two well known Certificate Authority’s and the CA’s should have validated all of your domains. This will let you quickly order Digital Certificates from the second CA without having to go through the company validation process. Please note here that your second choice Certificate Authority is going to be extra busy but at least they will not have to validate your domains.

If you cannot tolerate any downtime for a service you can take the extra step in which you create backup certificates for each service using your backup Certificate Authority. This will enable you to implement the backup certificates without having to contact the second CA and joining the queue of company’s looking for new certificates.

Whichever step you think is appropriate should be a result of an impact analysis. More than likely you will decide some services can tolerate downtime so you will go with the first option. You will also decide that some services are critical to operations so you will go for the second option.

I think Certificate Authority’s should have the responsibility for addressing this risk. They should have a relationship with another CA where any domain they validate is automatically validated by the partner CA. This will let their customers quickly change vendor.

Conor Roantree CISSP, CISA, GIAC GSNA