I do understand that PQC puts current encryption/hash algorithms and risk and that we need to prepare for refreshes in systems using them.  But that is a topic for another discussion as it is not the question the OP was posing. 

The part I am struggling to understand is with respect to SSL/TLS certificate management tools (the topic of this conversation), what do you recommend people do today?

@JoePete wrote:

...does anyone else think the 47-day window is a bit overkill? ...

My initial reaction was similar, particularly given that my colleagues and I sign hundreds of certs per year for our webmasters.  Our collective cry was that a 12x increase in effort was not sustainable and that they should have just done a single reduction, to 6 months. 

What I have come to realize is that this really is that there is a long-term trend here and they really are just revealing three of their cards at once, instead of playing them one at a time:

• <=  2015       5 year max
• 2015 - 2018  3 year max
• 2018 - 2020  2 year max
• 2020 - 2026  1 year max

• 2026 - 2027  6 month max 
• 2027 - 2029  3 month max  
• 2029 +          1 month max

The irony to this entire thing is that we were happily giving Entrust lots of money every year until Entrust pissed in the pot.  And, it was their pissing that resulted in 47 days and kickstarted my company's ACME/Let's Encrypt adventure that already has reduced our future annual PKI spend by more than half.

Sure, there are security-geek benefits, such as reducing one's dependency on CRLs and shortening time-to-production for new encryption/hash algorithms, but nothing sells quite as easily as a permanent reduction in ongoing spend.

@denbesten @JoePete @AaronFaby 

I hear your pain, and I fully understand it.  I am going through the same pain where I am located, except most of New Zealand is asleep and a lot of security people have migrated to Australia where they can have a better life - if they like Sun, Sea, Snakes, Crocodiles, Stinging Wasps and poisonous spiders they have it all - gone through all that previously.

There are many areas which are misunderstood such as Developers not understanding how to use PKI root structures for protecting Kubernetes containers etc due to the complexity when really they just want the job done especially when they are attempting to get CI/CD pipelines up and running etc.  

I am coming across organisations who use ITSM's such as ServiceNow, or Spreadsheets, or CMDBs, but the entire processes are manual - mistakes occur, misconfiguration s occur, and often the expiration date is left to one or two people who actually understand certificates.  Whether they are used within SSH server farms or proxies, firewalls or IoT devices etc etc.

I agree that many will think about moving to cloud providers, but are they any better than organisations, looks at Microsoft outages, or AWS massive outages and we become totally dependent upon them all.

All of which have their weaknesses, either the certificate database is a flat file, and you need authorisations. scripts to make certificate requests and then you need scripts and APIs and additional integrations with Hashicorp Vault or Jenkins or even Kong for applications.  It comes in all shapes and measures.  

There are many providers out there who can provide integrations. semi-automate the certificate lifecycle management process, which historically we have left to the few and to those who actually understand it.  Who swallowed the NIST three volume bible on certificate management etc.

Current HSMs will be redundant in the next four years, they are costly bricks but essential in many cases, whether built into an IoMT device or ICS device etc - which points back to the vendors and their capabilities.

There are many providers, I have done some research on a number, but at the end of the day it is down to the organisation:

1) On Premises, do it yourself; 2) Build it yourself' 3) Manage it yourself; 4) Use a SaaS service and manage it yourself; 5) SaaS service and get them to manage it for you etc.  

There is a lot more to this:  Risk Management; Assessment of current environment, Design for automation; Proof of Concept; design workflows for automation, test and test and keep testing - start small and grow in confidence, get the bugs out of the system.  I suggest using an ITSM or CMDB integrate it, but ensure you have full visibility, able to handle incidents, notifications, and audit trails and reports are really important.

Most of these systems are based on the number of certificates to handle - the greater the number, the less the cost annually.

This is only the start of a journey, then think about Crypto-Agility with PQC, migration from Public Key Infrastructure and Hybrid systems towards Quantum Key Management - sorry folks it is happening like it or not.

Blockchain security is busted, not because of the cryptographic algorithms,. but the entire processes around including who can you trust.

Humans are inherently insecure, we make mistakes, the impacts are becoming bigger.

If you reach out I am happy to share some of my findings; but not on a public basis.

A lot of development, experience needs to be built up and humans only really learn through pain, rather than someone putting it on a plate for them.

Compliance and regulations are progressing and chasing us all hard.

Regards

Caute_Cautim

@denbesten Good luck with your Lets Encrypt journey.  I looked them up last night, and saw that they have done some creative work towards automation, via various scripts and approaches.  Including some Github ideas for Azure including:  https://github.com/AddEleven/lets-encrypti-azure-automation

Including some links on Linkedin.com as well too. 

There is a some fascinating work going on towards overcoming our current challenges - but as usual test, trust but verify at all times.

Regards

Caute_Cautim