Digital certificates, an underestimated IT security component
Since May 2022 at the latest, the effects an unnoticed expired digital certificate can have are plain to see: for a whole week now it has been impossible to pay at Verifone H5000 terminals in supermarkets or petrol stations, and EC card payments are malfunctioning.
Initially, an unnoticed expired certificate was suspected of having caused the nationwide problem. The manufacturer now says that a software error is responsible. For the customer at the payment terminal, however, the effect is the same: card payment is not possible.
In this magazine article, you can read about the elementarily important places where certificates are used and what they achieve.
Nationwide, card payments are currently not possible at many payment terminals.
What are digital certificates?
A digital certificate certifies the identity of a person, a device or a company when communicating on the internet. It is comparable to an identity card, with which identity can be proven beyond doubt. Certificates are used whenever machines communicate with each other and exchange data: they allow the machines to recognise who they are talking to, because data should only be exchanged with legitimate partners in the conversation.
This also serves data security, because it ensures that the data gets to the right place. If something is wrong with a certificate (for details see What does “certificate error” mean?), the result can be that a connection is rejected.
Furthermore, digital certificates are responsible for encrypting the transmitted data. This means that data is no longer sent openly (like postcards for everyone to read) through the web, but is encrypted. Once it reaches the right recipient, the data is decrypted again. Digital certificates therefore help to protect data. If they are not handled properly, system failures can occur, among other things.
For banks, this could be a malfunction of the ATMs. For stock exchange traders, an inaccessibility of the trading platform. In retail, it could mean that EC payment is not possible.
What does “certificate error” mean?
A faulty certificate can have several causes. The certificate may have expired or been deleted, or it may not be readable due to a software error.
Digital certificates have a validity period within which they are valid. Only if a machine has a valid certificate is it recognised as a legitimate communication partner. An invalid (e.g. expired) security certificate results in the desired connection not being established at all or being refused.
Digital certificates in large networks
If many certificates fail at the same time, all affected terminals are no longer accessible in one fell swoop. This can also happen if the same certificate is used on many end devices (clients) in a network.
Alternatively, it can happen that the certificate of a central device in the data centre has expired. If it acts as a central contact point for all distributed end devices, contact is also denied again. Digital transactions can no longer be carried out.
Let’s stay with the example of mobile payment. In both cases, payments may no longer go through, because the stationary or mobile card reader can no longer connect to the payment provider or the bank. The result is aborted transactions: the payment cannot be completed.
In some cases it may be necessary to delete a certificate, for example if it was requested with the wrong parameters or was issued incorrectly by the certification authority. To prevent misuse of such a certificate, it is revoked.
However, it must then be replaced by a new, correct certificate. And of course, all end devices must be reconfigured to the new one. For our example, this means: If this does not happen, contactless payment via electronic cash or other digital transactions are no longer possible.
Certificates not legible due to a software error
In this case, everything is fine with the certificate. The transmitted data are therefore sufficiently protected. However, the remote terminal does not recognise the certificate. This can be the case if a software update was not installed.
Payment terminals that are not affected by the problems with EC card payments may simply have received a software update in time.
But there are other possible reasons why a connection cannot be established:
- due to a failure or an update of the infrastructure (e.g. required ports may not yet have been opened after a new firewall was introduced)
- due to excessive system load
- due to maintenance
- because of a cyber attack
Digital certificates everywhere
The fields of application of digital certificates are as diverse as the economic system in which they are used. Here are a few examples from everyday life:
- Financial industry: Digital payment by debit or credit card
- Stock exchange trading: Trading platforms accessible via the web
- Medicine: Medical equipment in the intensive care unit
- Logistics: In partially and fully automated warehouse systems
- Automotive industry: High-end cars have needed at least 2-3 certificates for about 5 years.
- Legal: digital signature of documents
- Mobility and others: Digital cameras for surveillance
- In all sectors: Encryption of e-mails for data transmission
In recent years, digital data traffic has increased enormously, partly due to increased working from home. As a result, the areas of application for digital certificates are increasing. At the same time, there are more and more opportunities to exploit vulnerabilities if the certificates are not managed properly.
Special protection requirements of digital certificates
Since certificates play a central role in digital data exchange everywhere, they require special protection. To ensure smooth data exchange, their specific attributes and characteristics must be monitored.
These include, among others:
- Expiry date: keep an eye on it to avoid system failures
- Encryption level: Is the digitally transmitted communication sufficiently encrypted? Year by year, the computing power and thus the mathematical capability of computers increases, and quantum computers are being developed as well. The greater that capability, the faster encryption algorithms can be cracked by attackers. The complete inventory of certificates should therefore be checked regularly.
- Certificate information and characteristics: Certificates contain data about the identities of people and machines. The correctness of this information must be monitored and ensured.
- Certificate owners: Who has access to digital certificates and to sensitive data about the encryption? Is the certificate used only by authorised persons, or is it also accessible to third parties? The challenge here is to ensure that certificates are made accessible only to their owner or to the target systems, and in a secure way. Furthermore, the use of certificates should be monitored so that deviations are detected.
- Heterogeneous application area: Data centres and networks are highly complex, diverse environments. This target infrastructure gives rise to a wide variety of requirements for digital certificates. They all need to be centrally bundled and managed in accordance with in-house security requirements.
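As an added example (not code from this article or from essendi xc), the check below runs the expiry part of this monitoring over a certificate inventory and also reports how many devices share one certificate, the situation described above where a single certificate rolled out to many terminals fails in one fell swoop. It uses the dict shape Python's `ssl` module returns from `getpeercert()`, so the same functions can be fed certificates read from live endpoints; the device names, serial numbers, dates and the 30-day warning threshold are constructed assumptions.

```python
import ssl
from collections import defaultdict
from datetime import datetime, timezone

WARN_DAYS = 30  # assumed alerting threshold for "expiring soon"
NOW = datetime(2022, 5, 25, tzinfo=timezone.utc)  # fixed "today" so the sample is reproducible

def cert(cn, serial, not_before, not_after):
    """Certificate dict in the shape ssl.SSLSocket.getpeercert() returns (constructed data)."""
    return {"subject": ((("commonName", cn),),), "issuer": ((("commonName", "Example Payment CA"),),),
            "serialNumber": serial, "notBefore": not_before, "notAfter": not_after}

# Constructed inventory: each device and the certificate it presents.
SHARED = cert("pos.example.test", "1A2B3C", "May 10 00:00:00 2021 GMT", "May 24 00:00:00 2022 GMT")
INVENTORY = [
    {"device": "terminal-0001", "cert": SHARED},  # one certificate rolled out to many terminals
    {"device": "terminal-0002", "cert": SHARED},
    {"device": "terminal-0003", "cert": SHARED},
    {"device": "gateway-dc", "cert": cert("gw.example.test", "4D5E6F", "Jun 10 00:00:00 2021 GMT", "Jun 10 00:00:00 2022 GMT")},
    {"device": "terminal-0010", "cert": cert("pos.example.test", "7A8B9C", "May 30 00:00:00 2021 GMT", "May 30 00:00:00 2023 GMT")},
    {"device": "terminal-0011", "cert": cert("pos.example.test", "0F0E0D", "Jun 01 00:00:00 2022 GMT", "Jun 01 00:00:00 2023 GMT")},
]

def _utc(cert_time):
    """Parse the 'Mon DD HH:MM:SS YYYY GMT' timestamps used by getpeercert() into an aware datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc)

def check_cert(c, now=NOW):
    """Classify one certificate; returns (status, days until notAfter, negative once expired)."""
    not_after = _utc(c["notAfter"])
    days_left = (not_after - now).days
    if now < _utc(c["notBefore"]):
        return "not_yet_valid", days_left  # issued but not yet usable, e.g. a replacement rolled out early
    if now >= not_after:
        return "expired", days_left
    if days_left <= WARN_DAYS:
        return "expiring", days_left
    return "ok", days_left

def audit(inventory, now=NOW):
    """One finding per distinct certificate (issuer + serial), listing the devices that share it."""
    certs, devices = {}, defaultdict(list)
    for entry in inventory:
        key = (entry["cert"]["issuer"], entry["cert"]["serialNumber"])  # nested tuples are hashable
        certs[key] = entry["cert"]
        devices[key].append(entry["device"])
    findings = []
    for key, c in certs.items():
        status, days_left = check_cert(c, now)
        findings.append({"serial": c["serialNumber"], "status": status, "days_left": days_left,
                         "devices": sorted(devices[key])})  # number of devices = blast radius
    return sorted(findings, key=lambda f: f["days_left"])  # most urgent first
```

`audit(INVENTORY)` lists the already expired certificate shared by three terminals first, then the data-centre gateway certificate that expires within the warning window.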
You can read more on this topic at Why certificate management?
essendi xc – digital certificates at a glance
Use the potential of essendi xc for transparency and automation:
essendi xc is a platform for the management of digital certificates. It integrates seamlessly into your company’s existing infrastructure and processes.
We are a competent provider in the field of digital certificates and certificate management. Our certificate management tool essendi xc helps to prevent expiring certificates and thus avoid system failures:
- Monitor the validity periods of your certificates and keep an eye on expiry times
- Process automation for certificate requests and issuance
- Full lifecycle management of the complete certificate portfolio
- Software made in Germany
- Proven with global players
Talk to us about your current challenges in certificate management. We would be happy to demonstrate essendi xc to you in a Live Demo. We look forward to hearing from you.