https://practical365.com/exchange-server/outlook-certificate-warning-exchange-2016/

I HATE Security Certificates and I don't care who knows it!

By Gosslinq | IncompetentTech | 11 Feb 2021


https://en.wikipedia.org/wiki/Wildcard_certificate

Over the last several years certificates have become a steep learning curve and a thorn in my side for multiple technologies I work on. To be fair, its the communications niche which has been undergoing a bloody revolution for the duration of the rise of TCP/IP, Voip, and Cloud solutions over many years so perhaps the birthing pains are more heavy in our realm.

The rise in demand for securing data has led to signed certificates being a must have for all businesses. This would be fine except many technologies fall extremely short of providing smooth and automated methods to keep administrators advised and to keep them updated. This leads to abrupt surprise outages depending on the services impacted. Sure it's nice if you can enable secure protocols on your services and stick a nice signed cert in there, but in my experience the task of keeping track of expiry dates and getting the ball rolling to renew/regenerate and re-apply usually falls on overworked IT teams.

On most traditional communications systems, portions of the services require a certificate to operate properly. In most cases the secure connection is between two servers or services on the same flat network so it makes no sense to me. I worked on one recently and even though both servers would allow a port and protocol change to TCP it simply would not work, what a waste! They kindly give out a default/self signed certificate with an install of multiple products they sell, but even through upgrades this certificate doesn't get renewed. This has led to an occasional bonanza for service providers. Suddenly multiple customer with the same product, often on the same day or week, have abrupt partial outages on random services. Service providers have to generate and apply new certs, generally causing complete outages during required reboots to get them back in service. A colleague of mine disappeared for three weeks working overnight shifts to renew certs on every single customers product once.

Beyond surprise expiry, the variety of required formats drives me up the wall. You may need a .cer for one component, a .pem for another, a private key or a password, and intermediate cert. Customers often download a cert package and send it along and service providers have to muck about with the files, extracting, importing, exporting using other software to get the formats needed. The learning curve for manufacturers appears to be steep as well because when you have problems it can take days or possibly weeks to get connected with a resource who understands whats going on and how to fix it.

Whether a system is installed with manufacturer provided and self signed certs, or a customer wants to put their domain wild card cert on everything, they will eventually expire and if the manufacturer doesn't provide an automated method to give timely warning, or IT doesn't stay on top of expiry dates, we are set up for emergencies. Service providers end up on the front lines addressing them. Thus, I hate certs!

Photo by David Garrison from Pexels

How do you rate this article?

1


Gosslinq
Gosslinq

I work in communications technologies, am an avid reader and weight lifter. I have long been interested in economics, evolutionary sciences, the psychology and biology of gender, science fiction, cultural and religious mythology.


IncompetentTech
IncompetentTech

A blog about adventures in technology support Photos from https://www.pexels.com Telephones Photo by Bruno Cantuária from Pexels

Publish0x

Send a $0.01 microtip in crypto to the author, and earn yourself as you read!

20% to author / 80% to me.
We pay the tips from our rewards pool.