
Why you need to know your certificate supply chain

by Sebastiaan Bosman News 7 Oct 2021

Last week, on Thursday 30 September, a root certificate from Let’s Encrypt expired. That is not uncommon in itself, but because the certificate had no update or alternative in place, every domain and subdomain relying on it was suddenly no longer treated as SSL/TLS-secured. The result: thousands of web pages and applications failed and were unable to serve the content people requested. What went wrong? And what can organisations do to prevent similar issues in the future?


Importance of root certificates

Let’s Encrypt is an open Certificate Authority that provides organisations with the security certificates needed to enable HTTPS on their domains. Last Friday, one of their root certificates was set to expire, specifically the IdenTrust DST Root CA X3 certificate. That caused a problem for all of the security certificates that Let’s Encrypt had issued to its customers under this root’s private key. With the root certificate gone, every security certificate depending on it suddenly lacked its trusted foundation. As a result, large numbers of websites were no longer seen as secure and would not load.

Let’s Encrypt provides its services for free, for the benefit of the internet. It does not seem fair to put the blame on them, or on any single organisation we rely on online. Events like these are risks that need to be taken into account. Still, plenty of organisations were left to their own devices, having to implement a work-around for the problem.


Know your certificate supply chain

Your organisation’s online services get their security stamp of approval from these certificates. Knowing where your dependencies are, in case something goes wrong, is critical for the continuity of your processes. All of this is part of your organisation’s attack surface.

When you have an overview of your digital assets and the certificate supply chain, you are also able to run specific queries to find the certificates that might cause a problem. For our clients, we were able to run the following simple CyberQL command:

certificate.issuer_organization = "Let's encrypt"

and immediately get a list of all Let’s Encrypt certificates within their attack surface. From there, we are able to filter on details and see whether any have expired or, better yet, are about to expire. Combined with automated alerts, this lets you take action before your online services are disrupted.
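The workflow above, filtering a certificate inventory by issuer organisation and then checking for expired or soon-to-expire certificates, can be reproduced offline with plain Python. The example below is added here and is not Cybersprint's code, nor an implementation of CyberQL; it models the inventory as simple records with constructed, illustrative dates (the real certificates' validity periods are not reproduced). It goes one step beyond the blog's filter: it walks every trust path from a leaf certificate up to a self-signed root and reports the chain's effective expiry, which is the earliest expiry of any certificate on that path. That is exactly how a leaf that is valid for months can still stop working because a root above it expires. Cross-signed intermediates (the same subject signed by two roots) produce one path per signer, so you can see which path survives.

```python
"""Certificate supply-chain check (added example; not Cybersprint's or CyberQL's code)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Cert:
    subject: str          # subject common name
    issuer: str           # subject name of the certificate that signed this one
    issuer_org: str       # issuer's organisation field (what the blog's query matches on)
    not_after: datetime   # expiry, UTC

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


# Constructed sample inventory. Dates are illustrative, not the real certificates'.
# The intermediate "R3" appears twice: once signed by the old root "DST Root CA X3"
# and once by "ISRG Root X1", mirroring a cross-signed intermediate.
INVENTORY = [
    Cert("DST Root CA X3", "DST Root CA X3", "Digital Signature Trust Co.",
         datetime(2021, 9, 30, 14, 1, tzinfo=timezone.utc)),
    Cert("ISRG Root X1", "ISRG Root X1", "Internet Security Research Group",
         datetime(2035, 6, 4, tzinfo=timezone.utc)),
    Cert("R3", "DST Root CA X3", "Digital Signature Trust Co.",
         datetime(2021, 10, 15, tzinfo=timezone.utc)),
    Cert("R3", "ISRG Root X1", "Internet Security Research Group",
         datetime(2025, 9, 15, tzinfo=timezone.utc)),
    Cert("www.example.com", "R3", "Let's Encrypt",
         datetime(2021, 12, 20, tzinfo=timezone.utc)),
    Cert("api.example.com", "Example Issuing CA", "Example Corp",
         datetime(2022, 3, 1, tzinfo=timezone.utc)),
    Cert("Example Issuing CA", "Example Issuing CA", "Example Corp",
         datetime(2030, 1, 1, tzinfo=timezone.utc)),
]


def find_by_issuer_org(inventory: list[Cert], org: str) -> list[Cert]:
    """Rough equivalent of `certificate.issuer_organization = "..."`. Matching is
    case-insensitive here (an assumption of this example), so "Let's encrypt" and
    "Let's Encrypt" select the same records."""
    return [c for c in inventory if c.issuer_org.casefold() == org.casefold()]


def chains_for(leaf: Cert, inventory: list[Cert], _seen: tuple = ()) -> list[list[Cert]]:
    """Every path from `leaf` up to a self-signed root, one per signer of a
    cross-signed intermediate. Returns [] when no complete path exists."""
    if leaf.self_signed:
        return [[leaf]]
    paths = []
    for parent in inventory:
        if parent.subject == leaf.issuer and parent.subject not in _seen:   # cycle guard
            for rest in chains_for(parent, inventory, _seen + (leaf.subject,)):
                paths.append([leaf] + rest)
    return paths


def chain_status(chain: list[Cert], now: datetime, horizon: timedelta) -> tuple[str, str, int]:
    """The weakest link decides: a chain is only as valid as its earliest-expiring
    certificate. Returns (state, weakest subject, whole days until that expiry)."""
    weakest = min(chain, key=lambda c: c.not_after)
    remaining = weakest.not_after - now
    if remaining <= timedelta(0):
        state = "expired"
    elif remaining <= horizon:
        state = "expiring"
    else:
        state = "ok"
    return state, weakest.subject, remaining.days


def report(inventory: list[Cert], now: datetime, horizon_days: int = 30) -> dict:
    """Map each leaf certificate to (path, state, weakest link, days left) for
    every trust path it has. A leaf is a non-root that signs nothing else."""
    horizon = timedelta(days=horizon_days)
    leaves = [c for c in inventory
              if not c.self_signed and not any(o.issuer == c.subject for o in inventory)]
    return {
        leaf.subject: [
            (" -> ".join(c.subject for c in chain),) + chain_status(chain, now, horizon)
            for chain in chains_for(leaf, inventory)
        ]
        for leaf in leaves
    }


if __name__ == "__main__":
    now = datetime(2021, 10, 1, tzinfo=timezone.utc)   # the day after the root expired
    print("Let's Encrypt leaves:", [c.subject for c in find_by_issuer_org(INVENTORY, "Let's encrypt")])
    for leaf, paths in report(INVENTORY, now).items():
        for path, state, weakest, days in paths:
            print(f"{leaf}: {state:8} weakest={weakest} days_left={days}  via {path}")
```

Run on 1 October 2021, the Let's Encrypt leaf shows two paths: the one ending in DST Root CA X3 is reported as expired with the root as its weakest link, even though the leaf itself is valid until December, while the path ending in ISRG Root X1 is fine. Run a month earlier with the default 30-day horizon, the same DST path is flagged as expiring, which is the alert you want before services are disrupted. The issuer filter is the inventory-wide equivalent of the CyberQL query; the chain walk is what tells you whether a match actually threatens a service.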

Want to learn more about attack surface management? Read our blog on how you can detect the risks within your attack surface. 

