Public and private bodies are using an increasing number of digital certificates to secure their electronic communications. The expiration of a single certificate is often enough to stop an application or even an entire infrastructure from working.
That’s what happened in California in mid-summer, preventing 300,000 COVID-19 results from being sent from laboratories to the central public database in the state, which has had over 12,000 victims.
In the current health crisis, a reliable and accurate tally of cases is vital for informing local officials’ decisions relating to preventing the spread of the pandemic. This damaging incident also led to the resignation of Dr. Sonia Angell, Director of the California Department of Public Health.
The root cause: An expired digital certificate
The California Reportable Disease Information Exchange, or CalREDIE, is a database for reporting and tracking infectious diseases. The data provided by laboratories is used by California health officials to identify epidemics and the spread of viruses, helping them to take the necessary public health measures.
Digital certificates encrypt the transmitted data and secure exchanges.
However, CalREDIE wasn’t built to handle the volume of COVID-19 data, causing some technical issues. A server outage on July 25 hadn’t been fully resolved when a further problem occurred from July 31 to August 4 due to an expired digital certificate.
For the California Department of Public Health to receive public health results, CalREDIE’s Public Health Information Networking System (PHINMS) certificate must be valid. This is to ensure public health message security,
Quest Diagnostics
“For the California Department of Public Health to receive public health results, CalREDIE’s Public Health Information Networking System (PHINMS) certificate must be valid. This is to ensure public health message security,” said Quest Diagnostics, one of California’s biggest labs, in a statement. The lab’s certificate lapsed in late July, stopping test result transmissions until it was renewed several days later. During this time, the results were sent but the public health system was unable to authenticate their receiver so they were not processed. It took several days to retrieve the data.
The need for certificate lifecycle management
As a reminder, certificates are installed on a server to enable secure connections and data transmission. Their lifecycles vary but they need to be renewed before they expire in order to remain valid and avoid problems.
This means that all companies and infrastructures using secure connections are exposed to operational and security risks relating to digital certificates. The bigger the company and the more certificates it has, the more difficult it becomes to manage their lifecycles.
Numerous globally recognized companies have fallen foul of this issue. Microsoft Teams, for instance, had an incident in February which prevented users from logging in for several hours. More recently, Spotify stopped working due to an expired certificate, resulting in numerous discussions bearing the #spotifydown hashtag and much frustration among users.
On average, a service outage costs a company 15 million dollars and negatively impacts its brand image. For public sector bodies or during an emergency, a service outage can have much more damaging consequences.
That’s why private and public companies alike need to manage certificate lifecycles to prevent service outages.
How can you manage your digital certificates to prevent this?
- Regularly scan your systems, networks and files, applications and trust stores to keep track of all your certificates and trusted authorities (x509, PKCS#11, p12, cer, crt, pem, der, JKS, Root CA, Intermediate CA, Linux, Windows, Docker, web server)
- Define your certificate issue and security policies
- Analyze the quality of your certificates and measure your compliance with company policy
- Monitor your certificates in a dashboard and generate alerts
- Set up managed certificate request validation and issue processes such as CSR, PKI (PrimeKey EJBCA, Microsoft ADCS, OpenTrust PKI)
- Automate certificate management and renewal
Our BerryCert solution can: identify all the certificates in the information systems, manage and automatically renew them to minimize the risk of similar incidents.
