Self-signed certificates… need to die! #PKI #Certificates #CertificateAuthority
Now that I have your attention. I suggest that self-signed certificates, if needed, should only be deploy-able at the time a system or app is provisioned and their expiration should be at least a week, maybe a month if I'm being generous.
After that period all clients or endpoints connecting to the system utilizing that abhorrent freak of nature that is the self-signed certificate, should absolutely refuse to connect, forcing the use of a revocable certificate that the client is configured to trust.
Before my ideal perfect world implementation of certificate enforcement comes to fruition, what can you do to stop using self-signed psuedo-certificates? Well!
Setting up an internal CA is not difficult and depending upon use case, a simple CA that exists as a set of secured config files for OpenSSL would suffice (not suggesting you do this in an enterprise environment, but just saying its possible to do)
Scaling up? There's a wide range of available options. Windows Domain? AD Certificate Services is a very capable and robust solution with lots of support.
Lots of turnkey vendors enable internal CA possibilities. Vendors like @SectigoHQ and @Keyfactor to name a few. U can do so many neat things to automate this and I've discovered more and more devices support some level of certificate automation out of the box! Pro and consumer!
ALSO! Look at this! There's an entire environment with a funny acronym!
https://en.wikipedia.org/wiki/Automatic_Certificate_Management_Environment
The important part of all this is you need to get your users to stop blindly clicking through security warnings in their browsers and stop assuming that a self-signed certificate does anything to protect your environment (it doesn't.).
So until self-signed certificates are gone for good, be the change you know you need to be, for the sake of your users security and your own benefit! Till next time friends!
Originally tweeted by Robert Hollingshead (@0xF21D) on January 27, 2022.