Not sure if you saw the recent news that California’s public health department failed to renew a server certificate required to transfer COVID case-related data to Quest labs. A backlog of 250,000-300,000 records resulted from the outage, which caused under-reporting of COVID cases, and a full investigation into the incident.
SSL/TLS connections are a client/server protocol and can have two types of certificates; all of them have a server-side certificate that secures the connection and gives browsers some assurance that they’re talking to the right website. But these connections can also have client-side certificates that are used to mutually authenticate the client that initiated the connection. These ‘client’ certificates are becoming more and more prevalent in IT environments with the explosion of DevOps, microservices, cloud architectures, and IoT. They often outnumber their traditional server-side counterparts by a factor of 1,000 or more but are often a ‘blind spot’ in an organization, as most traditional cert management tools focus almost exclusively on server-side certs. The Equifax breach and the Microsoft Teams outage of early 2020 are examples of problems directly related to client authentication certificate expiration. Every certificate needs to be inventoried and managed: not just SSL/TLS server certs which you can find with network scans – they’re just the tip of a really big iceberg.