The recent expiration of a Let’s Encrypt root certificate led to outages and other challenges for connected services and devices. It serves as an important reminder about how roots work and what steps security teams should take to avoid disruptions when root certificates expire and ensure successful PKI programs. .

Although root certificates have longer validity periods than end-entity certificates, root certificates still expire. If organizations do not create a strategic plan for when a root expires, the expiration can lead to havoc and headaches. Any organization deploying PKI, regardless of the type of certificate, needs to consider a root strategy. First of all, how you set up your certificate chain can have a large impact on your certificate inventory when roots expire. We’ll focus specifically on cross-signing.

Pros and cons of cross-signing

Cross-signing, which creates multiple valid paths between a root certificate and a certificate from another certificate authority (CA),  has been a common industry practice for many years. It offers both advantages and disadvantages. It lets CAs bootstrap themselves by getting signed by a popular root certificate, removing some barriers to entry into the market. This helps organizations buy time, establish their own roots and eventually transition to them.

However, although root certificates are the base of the certificate chain, they can also be the “weakest link.” If device manufacturers fail to design for expiring roots, these manufactures may not have a way to update chain information when expiration happens. The expiration can then lead to unresolvable issues such as a bricked device or end customers encountering failures or error messages when their device or application contacts a browser. The cross-signing issue recently impacted TVs from several manufacturers. The devices utilized certificates that had been cross-signed with a root certificate to ensure that both older and current devices would immediately trust the certificates. When the older cross-signed certificate expired, the TVs didn’t have a way to update the chain information, leaving older devices unable to establish secure Internet connections for software updates.

IoT devices are especially vulnerable

IoT devices IoT devices are particularly vulnerable to root certificate expiration issues. The limited space and operating power of these devices often mean that proper root updating systems are missed. Unfortunately, there are many IoT devices in the field that use root certificates that will expire before the device’s shelf life is up. Some of these legacy IoT devices are difficult to update and lack over-the-air support capabilities. In these cases, updating the root certificate may require a manual update provided by an engineer, which can be slow and expensive. This is especially dangerous because the device lacks the capability to be updated if a major vulnerability related to the root is detected. IoT manufacturers must design and plan for devices to have seamless update capability to be sure patches can be applied to the device over the long term. IoT devices should also be set up with a root certificate that goes beyond the life of the device.

Root strategy planning is key

If you’re an organization deploying PKI and leveraging roots for IoT devices, enterprise PKI or other use cases, it’s important to plan effectively and consider your root strategy from the outset — not just for the next year, but for the lifecycle of the device or application, and establish a plan to migrate roots to better, newer ones. Some products or devices will last longer than the validity of root certificates, as root certificates may expire after 10 or 20 years. For organizations that rely on PKI, it’s clear that implementing a strategic approach aligned to their use case is key.

Ultimately, whether it’s for IoT or for the web, what’s essential is the need to plan for success. Whether using a combination of private trust, public trust or both, make sure that your root strategy is going to help you be successful in the long term.

Consult with your CA

A consultative approach with your CA can help point the path to long-term success when introducing new products, and sometimes it’s necessary to make an investment to help ensure your IoT device or other connected product will continue to function flawlessly. DigiCert has deep experience creating root strategies to support its clients, and longevity in the field, with roots that extend back many years. We consult and collaborate with companies to help them avoid root certificate issues in the future.

Rather than simply acquiring whatever CA certificates are readily available, choose a partner that can provide the support and management you need and will work with you to fully understand the device lifecycle — and set up a root certificate strategy that will align with them in the months and years to come. .