The digital certificate landscape over the past year was nothing short of a roller coaster. Major events like Google’s decision to distrust Entrust digital certificates, DigiCert’s revocation incident and significant certificate outages highlighted the criticality of managing and securing digital certificates in today’s modern digital landscape.
In 2025, it will be imperative to reflect on these recent events as we prepare for even greater identity shifts on the horizon, such as Apple’s proposed shortened certificate lifespans and post-quantum cryptography.
A scorching summer for public key infrastructure (PKI) incidents
In the second half of last year, several notable PKI-related events captured headlines. In July, Google publicly announced its decision to distrust Entrust digital certificates. After October 31, 2024, any Entrust certificates were no longer trusted by the Google Chrome browser. Google credited this decision to compliance failures, lack of improvement despite commitments and the failure to provide “measurable progress” following publicly disclosed incidents.
For many businesses, this triggered a race to replace affected certificates to avoid costly operational disruptions. With Google Chrome commanding 65 percent of the browsing market, companies using Entrust certificates faced the risk of security warnings deterring potential customers and eroding trust. Additionally, transitioning to a new certificate authority (CA) posed significant financial challenges.
Later in July, DigiCert faced a certificate revocation incident due to improper domain control verification. This incident hit 0.4 percent of its certificates (approximately 216,400 certificates in total). Impacted businesses had only a 24-hour window to replace revoked certificates within their PKI infrastructure. This short timeline made operational downtime almost inevitable, leading to substantial costs and potential revenue losses for companies unable to act swiftly.
The summer’s PKI challenges continued with a major certificate outage for the Bank of England. In September, ServiceNow also experienced issues due to an expired certificate. Expired certificates are all-around bad news for businesses, exposing them to significant operational outages, the erosion of customer confidence and questions about their ability to track and manage security credentials.
What can businesses learn from these events?
The PKI incidents of this summer offer valuable lessons for businesses, highlighting the importance of closely examining their PKI and cryptographic infrastructure. The common thread between all events is that each underscores the need for proactive management and robust safeguards to mitigate risks and avoid disruptions.
The biggest lesson businesses can learn from all four of these PKI events is that crypto-agility is critical in today’s and tomorrow’s modern landscape. In the case of the Entrust and DigiCert PKI incidents, it is important to remember that mistakes can happen. The industry will inevitably have to make the tough decision about what to trust and not trust at one point or another. As these decisions are outside of the control of the impacted businesses, organizations must rely on crypto-agility to efficiently manage certificates and trust at scale and seamlessly replace expired certificates, ensuring minimal disruption to business operations.
Businesses should also lean on automation wherever they can. In each organization, there are hundreds of thousands of digital certificates that security teams are tasked with managing and securing. No matter how big or robust an organization’s security team is, there is simply no team large enough to do that effectively on its own, especially on top of a long list of other pressing priorities that require human attention. This holds for many areas of cyber security, but chief information security officers (CISOs) need to invest in automation where they can.
The bottom line is that certificate outages are avoidable. Businesses that lean on automation and implement crypto-agility into their machine identity management strategies can avoid the costly repercussions from the failure to properly manage and secure their PKI infrastructure. Certificate-related outages stem from insufficient visibility and control over an organization’s certificate environment. By automating certificate discovery and having the ability to make changes seamlessly with crypto-agility, organizations can eliminate the risk of certificate outages.
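As an added illustration of the discovery-and-triage automation described above (example code, not from the original article or any vendor product): it reads certificate records in the dict shape Python's ssl getpeercert() returns, so an inventory gathered from live endpoints can be fed in unchanged, and flags certificates that are expired, expiring within a warning window, or issued by a CA a browser has distrusted. The sample inventory, the host names, the Entrust match string and the 30-day warning window are constructed assumptions.

```python
"""Triage a certificate inventory for expired, expiring and distrusted certs.
Records use the dict shape returned by ssl.SSLSocket.getpeercert(); the
records below are constructed sample data, not real hosts or certificates."""
from datetime import datetime, timedelta, timezone

# Issuer organization substrings a browser has announced it will distrust.
# Only the Entrust case comes from the article; the match key is assumed.
DISTRUSTED_ISSUER_KEYS = ("entrust",)
DISTRUST_CUTOFF = datetime(2024, 10, 31, tzinfo=timezone.utc)
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)  # fixed "today" for the sample

def _rdn_value(name, key):
    """Return one attribute (e.g. organizationName) from a getpeercert() name."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None

def _parse_time(value):
    """getpeercert() renders times like 'Oct 31 23:59:59 2024 GMT'."""
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)

def triage(inventory, now, warn_days=30):
    """Return {host: [findings]} for every certificate that needs action."""
    findings = {}
    for host, cert in inventory.items():
        issues = []
        not_after = _parse_time(cert["notAfter"])
        if not_after <= now:
            issues.append("EXPIRED")
        elif not_after - now <= timedelta(days=warn_days):
            issues.append(f"EXPIRES_IN_{(not_after - now).days}D")
        org = _rdn_value(cert["issuer"], "organizationName") or ""
        if now > DISTRUST_CUTOFF and any(k in org.lower() for k in DISTRUSTED_ISSUER_KEYS):
            issues.append(f"DISTRUSTED_ISSUER:{org}")
        if issues:
            findings[host] = issues
    return findings

SAMPLE_INVENTORY = {  # constructed records, getpeercert() shape
    "shop.example.test": {"issuer": ((("organizationName", "Entrust, Inc."),),),
                          "notAfter": "Jan 10 23:59:59 2025 GMT"},
    "api.example.test": {"issuer": ((("organizationName", "Sample Public CA"),),),
                         "notAfter": "Feb 01 23:59:59 2025 GMT"},
    "portal.example.test": {"issuer": ((("organizationName", "Entrust, Inc."),),),
                            "notAfter": "Jun 30 23:59:59 2025 GMT"},
    "intranet.example.test": {"issuer": ((("organizationName", "Sample Public CA"),),),
                              "notAfter": "Dec 31 23:59:59 2025 GMT"},
}
```

Running `triage(SAMPLE_INVENTORY, NOW)` lists the shop host as expired and Entrust-issued, the API host as expiring in 17 days, the portal host as Entrust-issued only, and leaves the intranet host out.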