Entrust sells certificate business: Implications and actions

Entrust selling its certificate business to Sectigo isn't the only change that enterprises will face when it comes to the future of digital certificates.

Digital certificates power much of today's internet plumbing by ensuring safe communication, verifying identities and protecting sensitive data. Entrust's announcement that it is selling its certificate authority (CA) business to Sectigo provides a catalyst for enterprises to improve their crypto-agility and adapt to this and future changes on the horizon.

Digital certificates verify the identity of websites, individuals, devices, servers, applications and services to enable secure and encrypted communication across the internet. A certificate is a type of nonhuman identity (NHI), also known as machine identity, that needs to be managed to prevent information from being intercepted or tampered with, prevent unauthorized access and build trust by verifying the legitimacy of online identities.

Enterprise Strategy Group, now part of Omdia, recently completed research that delved into the concerns security and platform engineering professionals have around securing and managing NHIs, including service accounts, API keys, application credentials, and bots and robotic process automation. The number one concern raised was the risk of operational disruption caused by expiring digital certificates -- ranking above NHI attack surface visibility, compliance risk and adapting to more frequent certificate rotation.

Entrust had been facing declining trust in its certificates and made a strategic decision to stop operating as a public CA and divest its CA customers and contracts to Sectigo. This move enables Entrust to focus on higher-growth security products while Sectigo can grow its enterprise customer base.

Establishing and maintaining certificate trust

Certificates establish a trust chain. Expiring or revoking certificates can cause digital havoc and require infrastructure revisions to include a new and trusted certificate. Enterprises previously had to adapt to rapid change in their certificate estate -- for example, when Google, Mozilla and Apple announced in 2017 that they distrusted Symantec CAs and urged anyone using a Symantec CA to replace their certificates with a trusted CA. This was a significant disruption that challenged enterprise public key infrastructure and security teams to move to a new CA or risk critical application and service outages. Symantec later exited the CA business, selling its CA operations to DigiCert.

Another example of rapid change occurred in 2024 when DigiCert announced it was revoking incorrectly validated SSL/TLS certificates. Rapidly responding to these changes is challenging without the right certificate lifecycle management infrastructure and processes.

Prepare for more frequent certificate rotation

In addition to responding to certificate trust issues, enterprises need to prepare for more frequent certificate rotation. The standards for CAs are set by the industry's Certification Authority Browser Forum (CA/Browser Forum), which includes major participants who play a role in certificate infrastructure. CA standards include rules around certificate issuance, validation and revocation, and are intended to secure data transported by the internet.

The CA/Browser Forum is considering proposals from Google and Apple to reduce the validity period of certificates to enhance security and promote automation. The current maximum lifespan is 398 days. Google proposed reducing the maximum TLS server certificate validity to 90 days, while Apple proposed shortening SSL/TLS certificates to 47 days by 2028. Shorter certificate validity requires enterprises to make their certificate management processes more agile and adopt automation to adapt to more frequent certificate rotation.

Post-quantum cryptography on the horizon

Enterprises also need to consider changes from traditional public-key cryptographic algorithms to post-quantum cryptography (PQC). NIST recently released an Initial Public Draft report detailing its roadmap for PQC adoption. The report includes aggressive timelines for deprecating (2030) and disallowing (2035) a broad range of currently used algorithms. Enterprises also need to consider deploying updated cryptographic algorithms to prepare for quantum threats targeting traditional encryption algorithms.

Upping your crypto-agility game

With change on the horizon, enterprise security teams need to prepare and improve their cryptographic agility game. Crypto-agility refers to the ability of an enterprise to rapidly adapt cryptographic algorithms and practices without significantly disrupting the overall compute infrastructure. Crypto-agility enables organizations to switch between algorithms and protocols, change CAs, update cryptographic components, implement new security standards and prepare for PQC challenges. Certificate lifecycle management products are a key building block to achieving crypto-agility because they provide certificate visibility, automation and control.

Change can be incremental and happen slowly in enterprise infrastructure. Just look at TLS in the enterprise. TLS underpins today's infrastructure by providing a flexible framework for secure communication that can adapt to evolving cryptographic standards and threats. Newer TLS versions, such as TLS 1.3, support multiple cryptographic suites, which permits enterprises to switch between cryptographic algorithms as needed. This lays important groundwork for PQC readiness. Yet much of today's infrastructure still relies on older versions of TLS, including 1.1 (deprecated in 2021) and 1.2. While TLS needs to be upgraded, that can pose technical, operational and organizational issues.

Also consider the Secure Hash Algorithm. SHA-1 was deprecated in 2011. The SHA-1 to SHA-2 migration started around 2013-2014 and public systems largely transitioned by 2017, yet it took many enterprises an additional three to five years to fully migrate private and internal systems to SHA-2 due to the logistical challenges of the process.

While certificate lifecycle management products are frequently used, many enterprises still use spreadsheets and manual processes to manage certificates. Such manual processes are error-prone and can break as certificate volumes grow. And if expiring certificates and misconfigurations are missed, enterprises are at risk of application outages and vulnerabilities.

Understanding your certificate inventory

The first step to crypto-agility is knowing which public and private trust certificates are used across the organization's complex hybrid multi-cloud environments. Conduct a full discovery and create an inventory of all certificates, including crypto algorithms, expiration dates, the CA, where the certificates are installed and the certificate's internal owner. Understanding the human owner of nonhuman certificates speeds response when change needs to happen. Manually cobbling together an inventory in a spreadsheet is dangerous and risks missing something significant.

Beyond visibility, apply automation actions and policy enforcement. This starts with understanding the certificate infrastructure. As organizations prepare for PQC, they should implement crypto-agility and use the recent certificate incidents and coming changes to improve their overall crypto hygiene.

Todd Thiemann is a senior analyst covering identity access management and data security for Enterprise Strategy Group, now part of Omdia. He has more than 20 years of experience in cybersecurity marketing and strategy.

Enterprise Strategy Group is part of Omdia. Its analysts have business relationships with technology vendors.
