Contact us
Request demo →
Contact us

Why you need to know your certificate supply chain

by Sebastiaan Bosman News 7 Oct 2021

Last week, on Thursday 30 September, a root certificate from Let’s Encrypt expired. This is not uncommon in itself, but as the certificate had no update or alternative, it meant that all domains and subdomains running the certificate were suddenly no longer listed as SSL / TLS-secured. The result: thousands of web pages and applications failed and were unable to serve the content people requested. What went wrong? And what can organisations do to fix similar issues in the future?

Importance of root certificates

Let’s Encrypt is an open Certificate Authority, providing organisations with the security certificates to enable HTTPS on domains. Last Friday, one of their root certificates was set to expire, specifically the IdentTrust DST Root CA X3 certificate. That caused a problem for all of the security certificates that Let’s Encrypt assigned to their customers with this root’s private key. As the root certificate was gone, all security certificates related to it were suddenly missing the trusted foundation. Thus, tons of websites were no longer seen as secure and wouldn’t load.

Now, Let’s Encrypt provides their services for free, for the benefit of the internet. It doesn't seem fair to put blame on them, or any single organisation we use on the internet. Things like these can be considered as risks that need to be taken into account. Still, plenty of organisations were left to their own devices, having to implement a work-around for the problem. 

Know your certificate supply chain

Your organisation’s online services get their security stamp of approval from these certificates. Knowing where your dependencies are in case something goes wrong is critical for the continuation of your processes. This is all part of your organisation’s attack surface.

When you have an overview of your digital assets and the certificate supply chain, you are also able to run specific queries to find the certificates that might cause a problem. For our clients, we were able to run the following simple CyberQL command

certificate.issuer_organization = "Let's encrypt"

and immediately get a list of all Let’s Encrypt certificates within their attack service. From there, we are able to filter on details and see if any have expired – or better yet: are about to expire. When combined with automated alerts, you can take action before your online services are disrupted.

Want to learn more about attack surface management? Read our blog on how you can detect the risks within your attack surface. 

Read Blog


Darktrace, a global leader in cyber security AI, today announced that it has entered into a definitive agreement to acquire the entire issued share capital of Cybersprint B.V. (“Cybersprint”), an attack surface management company that provides continuous, real-time insights from an outside-in perspective to eliminate blind spots and detect risks. The acquisition of Cybersprint is aligned with Darktrace’s vision of delivering a ‘Continuous Cyber AI Loop’ and complements its Self-Learning technology and inside-out view.

read more

Cybersprint partner of THESEUS: making patching happen

Cybersprint is proud to announce our partnership with project THESEUS. Project THESEUS aims to empower organisations to patch faster by radically changing the risk governance of patching.

read more

Lancering handleiding digitale veiligheid zó hack je een stad

Den Haag, 11 november 2021 - Vandaag heeft wethouder Saskia Bruines bij het ECP Jaarfestival 2021 de handleiding ‘Zó hack je een stad’ gelanceerd en deze overhandigd aan Tineke Netelenbos, voorzitter van ECP en lid van de Cyber Security Raad, het onafhankelijke adviesorgaan van het kabinet.

read more

Do you have a question?

Our experts have the answers

Contact us