There was a lot of news recently around the Hypercom pin-pads (payment terminals) that just stopped working because an internal certificate stored within the device had expired on Dec 7, 2014. While there were some rumblings throughout the retail digital underground, there was a post by Brian Krebs, cheekily entitled “‘Security by Antiquity’ Bricks Payment Terminals,” that exposed the issue to a larger audience.
This is a familiar problem for those of us who have been around for a while. I first ran into this problem around 2007, when our internal root certificate was due to expire after being created when I first joined my previous employer in 1997 – I was the person who had created the root certificate back in 1997, having deployed an internal PKI utilizing Microsoft’s Certificate Services. The problem wasn’t that we couldn’t renew the certificate, or that we wouldn’t push that new root certificate to the thousands of Windows desktops and laptops or hundreds of servers. The problem was how we were going to push the certificate to the hundreds of HP Thin Clients that had a locked flash. The HP Thin Client would initially authenticate via its computer account using 802.1x, which relied on the appropriate certificates being in place and functional. When the user would log in, the HP Thin Client would switch over and re-authenticate via 802.1x as that specific user. We needed to authenticate via the computer account so we could get the devices connected to the network without user intervention so we could manage the devices; otherwise the HP Thin Client would need to be physically cabled up to the network. Ultimately there was a small scramble to “upgrade” all our Thin Clients – the upgrade included all the latest security patches and updates along with a new root certificate.
It’s usually public SSL certificates that organizations occasionally forget to renew before they expire. Take the example of Literature & Latte, the folks behind Scapple, the simple flow and diagram charting application for Windows and Mac OS X. Their SSL certificate expired on December 12, 2014 and has yet to be replaced and/or updated, which causes Internet Explorer and other browsers to show an error when connecting to their website.
At the time I was using Microsoft Certificate Services, I believe you could only issue a 10-year root certificate, which seemed adequate at the time. Imagine my surprise when 2007 came around and I was still managing that same infrastructure. I believe I read that you can now issue 20-year certificates with an encryption key length of 4096?
The moral of the story here… if you’re using internal certificates you’ll want to make sure you plan accordingly so that your root certificate authority doesn’t just expire one day ten years from now and leave you in the lurch.
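
One way to turn that planning into a routine check, as an added example that is not part of the original post: walk each certificate's issuer chain to find the date it will really stop working, then subtract the time needed to replace it on the devices that carry it. The inventory, names, dates and lead times below are constructed assumptions; a real inventory would be exported from your CA and device management tools.

```python
from datetime import datetime, timedelta

# Constructed inventory (illustrative only): name -> (issuer, notAfter, lead_days).
# lead_days = time needed to replace the certificate everywhere it is installed;
# devices that need a firmware re-image to take a new root get the longest lead.
INVENTORY = {
    "Corp Root CA":     ("Corp Root CA",    datetime(2017, 3, 1),  365),
    "Corp Issuing CA":  ("Corp Root CA",    datetime(2019, 6, 1),  180),
    "thinclient-8021x": ("Corp Issuing CA", datetime(2018, 1, 15), 270),
    "intranet-web":     ("Corp Issuing CA", datetime(2016, 9, 30), 14),
}

def effective_expiry(name, inventory):
    """Earliest notAfter on the path from `name` up to its root, and who sets it.

    Path validation checks the validity period of every certificate in the
    chain, so a leaf stops working when any issuer above it expires.
    """
    earliest, limiting = inventory[name][1], name
    seen = set()
    while name not in seen:            # a self-issued root ends the walk
        seen.add(name)
        issuer, not_after, _ = inventory[name]
        if not_after < earliest:
            earliest, limiting = not_after, name
        if issuer not in inventory:    # issuer not tracked: stop at what we know
            break
        name = issuer
    return earliest, limiting

def renewal_report(inventory, today):
    """Rows of (name, start_by, expiry, limiting_cert, overdue), soonest first."""
    rows = []
    for name, (_, _, lead_days) in inventory.items():
        expiry, limiting = effective_expiry(name, inventory)
        start_by = expiry - timedelta(days=lead_days)
        rows.append((name, start_by, expiry, limiting, start_by <= today))
    return sorted(rows, key=lambda row: row[1])

if __name__ == "__main__":
    for name, start_by, expiry, limiting, overdue in renewal_report(
            INVENTORY, datetime(2016, 7, 1)):
        flag = "OVERDUE" if overdue else "ok"
        print(f"{name:18} start by {start_by:%Y-%m-%d}  fails {expiry:%Y-%m-%d} "
              f"(limited by {limiting})  {flag}")
```

In this constructed data the thin client certificate is valid on paper until 2018, yet the report dates its failure to the root's expiry in 2017 and puts its replacement deadline ahead of every certificate except the root itself.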