The migration of certificates is not trivial and has the potential to cause major problems, particularly if the process is not carefully planned and all affected parties are not considered. This is not simply a patch that can be pushed out as a global update, but rather requires strategic coordination between responsible IT and security management teams.
This involves establishing a process to ensure nothing is overlooked; all technological implications are considered; technology is implemented properly; and people know what to do in the event issues arise.
Involve the Right People
Make sure you identify everyone who may be affected by these changes and is required to help with migration. If you manage, oversee, operate or otherwise secure a website, operating system, application or browser that relies on SSL encryption, you likely need to take action.
The deprecation of SHA-1 affects roles across the enterprise, including CISOs, enterprise network security professionals, IT directors, network administrators, SaaS product managers, online service marketers, owners or operators of consumer-facing websites, application managers and developers, managed security services providers and more.
In addition, ensure you’re prepared for failure and include your customer support and help desk in the conversation.
For an in-depth breakdown of how to develop a successful transition to SHA-2, download “A Migration Guide to SHA-2 SSL Certificates: Avoiding pitfalls, meeting critical deadlines and eliminating service disruptions during SHA-1 certificate deprecation.”
Establish a Process
With so many moving parts — including the various roles above and extending to systems, certificate expiration dates, domains and the like — there is a lot to manage.
Introducing a process will allow for a systematic migration where priority is placed on the most mission-critical applications and help prevent the use of incompatible certificates that could impact operations. This process should include identification of all SHA-1 certificates and prioritization of their replacement based on a critical path.
For many organizations, the migration process will span several months. All stakeholders need to understand their role in the process and be accounted for in a project plan that covers migration — from start to finish.
Once your organization has established a process and prioritized replacements, implement a centralized and reliable tracking system. If you’re manually tracking certificates, you will find cataloging all certificates to be inefficient unless you have only a few certificates and a single administrator.
If this is the case for your organization, deploy SSL scanning tools to find SHA-1 certificates. This will note where they are installed and when they expire — regardless of certificate vendor.
In addition, consider a certificate management service so all activity is performed and monitored in a centralized account. This simplifies certificate inventory and helps your organization monitor certificate types and expiration dates.
There are services available that offer real-time details on affected certificate types and the order in which to renew them. This helps organizations plan their migration path across several months, spreading costs and reducing management challenges.
Finally, make sure you have reporting tools that will give you a view into your certificate inventory and status reports that will allow you to track your progress throughout the migration process.
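An added example, not part of the original article or any vendor's tool: once a scan has produced an inventory, the identification and prioritization steps described above, and the month-by-month plan, can be scripted. The CSV columns, hosts, criticality tiers and the ordering rule (tier first, then earliest expiry) are assumptions made for this illustration.

```python
import csv
import io
import re
from datetime import date

# Constructed scanner export; hosts, columns and criticality tiers (1 = most
# critical) are assumptions for this example.
INVENTORY_CSV = """host,port,signature_algorithm,not_after,criticality
pay.example.com,443,sha1WithRSAEncryption,2016-03-01,1
www.example.com,443,sha256WithRSAEncryption,2016-09-30,1
mail.example.com,993,SHA1withRSA,2015-11-15,2
intranet.example.com,443,ecdsa-with-SHA1,2016-06-20,3
api.example.com,8443,sha1WithRSAEncryption,2015-12-10,1
vpn.example.com,443,ecdsa-with-SHA256,2017-01-05,2
"""

# "sha1" or "sha-1" not followed by another digit, in any vendor's spelling.
SHA1_RE = re.compile(r"sha-?1(?![0-9])", re.IGNORECASE)

def is_sha1(signature_algorithm):
    return bool(SHA1_RE.search(signature_algorithm))

def load_inventory(text):
    return [{"endpoint": f'{r["host"]}:{r["port"]}',
             "sigalg": r["signature_algorithm"],
             "not_after": date.fromisoformat(r["not_after"]),
             "criticality": int(r["criticality"])}
            for r in csv.DictReader(io.StringIO(text))]

def replacement_queue(rows):
    """SHA-1 certificates only: most critical tier first, then earliest expiry."""
    sha1 = [r for r in rows if is_sha1(r["sigalg"])]
    return sorted(sha1, key=lambda r: (r["criticality"], r["not_after"]))

def monthly_plan(queue, start, per_month):
    """Assign per_month replacements to each month from `start` onward.
    Each entry is (endpoint, expires_first); expires_first means the
    certificate lapses before its slot and must be pulled forward."""
    plan = {}
    for i, r in enumerate(queue):
        offset = start.month - 1 + i // per_month
        slot = date(start.year + offset // 12, offset % 12 + 1, 1)
        plan.setdefault(slot.strftime("%Y-%m"), []).append(
            (r["endpoint"], r["not_after"] < slot))
    return plan

if __name__ == "__main__":
    queue = replacement_queue(load_inventory(INVENTORY_CSV))
    print(monthly_plan(queue, date(2015, 11, 1), 2))
```

In the sample run, `mail.example.com:993` is flagged because its certificate expires before its scheduled month, which is the case a strict tier-first ordering would otherwise miss.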