
Root Causes 524: How to Kill Three Birds with One Stone

Hosted by: Tim Callan, Chief Compliance Officer
Original broadcast date: September 8, 2025

Three major changes are coming to the world of public certificates, all of which require major changes in how organizations deploy, renew, and manage their certificates. These are 47-day SSL, PQC, and the deprecation of mTLS. We describe the overlap between these efforts and how to combine them for better efficiency and project management.

Podcast Transcript

Lightly edited for flow and brevity.

Tim Callan: Jason, everybody likes efficiency. Everybody likes to kill two birds with one stone. How about three birds with one stone?
Jason Soroko: That's the best kind.
Tim Callan: So, there are a few things that we all suddenly need to deal with in the world of our public PKI. One of them is that we have to gear up and get ready for shortening certificate lifespans. The march to 47-day certificates. And as you and I have spoken about a lot and will continue to speak about a lot, a lot of the old methods become increasingly untenable, or decreasingly tenable maybe I should say, and eventually break entirely as we squeeze ourselves down to a monthly renewal cadence. So that's coming, and an important part of preparing for that is understanding what you have. What certificates do I have in production? Where are they? How do I deal with them? What are their use cases? What are the priorities? What are the risks? All of that. So understanding that is an important part of preparation. This is something we're advising people to do.

The next thing that's coming along is, you might be able to guess, post-quantum cryptography. And what's the first step in preparing for post-quantum cryptography?
Jason Soroko: Knowing what you have in inventory.
Tim Callan: Now, that is broader than TLS server certs, but TLS server certs are probably the lion's share of the certificates you're dealing with. So you've got huge overlap on the Venn diagram right there.

Now, the third thing that's coming up is the deprecation of mutual TLS.
Jason Soroko: We have talked about this, folks, and it hasn't gotten enough airplay - client authentication certificates. If you go back as far as the New Year's 2025 prognostication episode, we talked about how sometime in 2025 we're probably going to see the announcement of the deprecation of client authentication certificates. I said erroneously it would be the end of 2025. Turned out the announcement actually came in February.
Tim Callan: And the hard deprecation for all CAs, universally, everywhere, is June of 2026 - June 15, to be specific. There are earlier deadlines leading up to that as we phase out our own use of mTLS, and we can get into that in a different episode, but the point is, we're advising people, and once again, it's the same thing: in large, complicated enterprises with large, complicated environments, you don't even necessarily know where you're doing this and where you're not, and you suddenly are not going to be able to use your server cert for client authentication anymore. And so what advice are we giving people?
Jason Soroko: You've got to know what you have. So, if we gave you homework right now - in fact, here maybe is the homework exercise, Tim - can you tell me, in the split of all of your publicly trusted certificates, which ones are TLS server certificates, and which ones are TLS client authentication certificates? Could you tell me precise numbers right now?
Tim Callan: For most people, the answer is no. So suddenly, Tim starts to think, okay, imagine a large, complicated enterprise. You probably have somebody who rolls up to the CISO who's out doing an exercise to do a CBOM for PQC. You probably have a different individual who rolls up to the CIO who is out inventorying TLS certificates for purposes of understanding how to go to shortening certificate lifespans. You might have nobody, or perhaps a third individual, who is trying to understand the client. Like, it feels to me like for almost all enterprises, these need to be one project.
Jason Soroko: They are. It has to be one project. You and I talked about a Cryptographic Center of Excellence as a concept of bringing together disparate folks that are typically siloed within an enterprise, that have to come to the table in order to be able to fully understand the inventory. Taking full advantage of certificate lifecycle management. So those are three, Tim. I think we could actually add even more than three.
Tim Callan: We probably could. First of all, there are other certificate types. What about your S/MIME?
Jason Soroko: For certain. But one of the podcasts I hope we record later today is actually, would it be a good idea to do a mass revocation fire drill? And a mass revocation fire drill may end up coming in because of a potential misissuance of a bunch of certificates, and you might be handed a set of serial numbers from a CA saying, these have to be revoked.
Tim Callan: I think you're absolutely right, Jay. I think preparedness for an outside revocation event, or preparedness for an internal revocation event.

Which also we see. Most enterprises just aren't prepared. They're really not. Getting prepared for that, absolutely, is probably the fourth bird that you should be dealing with while you're doing this. So I think kind of where I'm going is, on the one hand, true certificate understanding and true certificate agility is something that I've been beating the drum on for five, six years on this podcast to say, look, if you don't do this, you're taking on risk. I think we have these outside drivers, like the march to 47 days, like PQC, like deprecation of mTLS, that are going to force a reckoning. As you're doing that, with all of these things coming together, go into it in a planned way, with your eyes open, combine your resources, combine your efforts, and make one project to deal with it. And there are nuanced differences. It's a little sophisticated. But again, the amount of overlap on the Venn diagram is huge. So why don't we create one project to deal with all three of these must-haves and other things like preparation for revocation events, and do it all together in a single, considered, properly resourced, properly managed fashion.
Jason Soroko: The only thing I'll add to that, Tim, is that that's not going to be the Linux administrator. That might not be the Director of IT. It might have to be somebody who is more of a risk owner within the organization, and that could be the CFO.
Tim Callan: We touched on, and you and I saw this when we looked at the research results from our survey that we put up in some recent episodes, the PQC effort and the 47-day effort seem to be owned by different people inside the organization. The PQC effort is owned by security architects and the CISO, which makes sense, because it's a security problem. Attackers are going to attack us. They think about security threats. The 47-day problem is an operational problem. So that's being considered by operational people. Different teams. So now I start to say, okay, if we want this to be a single, coordinated effort, that makes sense; what we need is somebody with scope over both teams.

So now you're looking for head of product or CTO or CEO. Like, that's the level that this needs attention at.
Jason Soroko: That's something that I've been pushing on for a very long time. One of the reasons why we haven't seen the pickup of these kinds of activities is because the risk owners are not the ones who are taking it by the horns. They're leaving it to the people who are in the trenches. The people who are critical for executing on this. The people down in the trenches don't see the full picture, and they're never going to.
Tim Callan: They're in different trenches. They have different assignments, but the work that needs to be done there is incredibly duplicative.
Jason Soroko: Think of certificate lifecycle management (CLM), Tim. The five pillars of CLM we've talked about, the visibility arc going across all the pillars. That visibility arc goes across your organization. So if you think about certificate lifecycle management as being one part of your organization, publicly trusted certificates, the 47-day problem, if you're in that world, you might not think about visibility right across your enterprise. I think that we're trying to appeal to those C-level people, the risk owners, that arcing visibility layer of the five pillars of CLM, that's who we're trying to speak to there, because that level of visibility, that's how you're going to solve killing three birds with one stone, or four birds or five birds. Trust me, there's a lot of birds flying around right now that you're gonna have to deal with in the next short while.
Tim Callan: I have a lot of conversations about each of these topics individually with implementers, executives, and even senior people at large enterprises. And we're always talking about one of them. Hey, let's talk about PQC and what you need to do. Hey, let's talk about shortening certificate lifespans and what you need to do. Hey, let's talk about client authentication and what you need to do. I started to think, no. Every one of them needs to be thinking about all three or four of these.
Jason Soroko: I think you have to be thinking about all of them. Absolutely. And even if you are tasked with just the one, I think you're just gonna have to be aware. Because you're going to be interacting with all of it.
Tim Callan: You're gonna be interacting with it. Also think about it this way. Like, if I'm responsible for putting together an action plan for getting a full inventory of my server certificates, and someone else is responsible for putting together an action plan for getting a full inventory of my server certificates, and a third person is responsible for getting an action plan - like, are we going to work at cross purposes? Are we going to have multiple efforts going at the same time? Are we going to be trying to evaluate, install, and purchase more than one tool?
Jason Soroko: Let's talk about this even from a temporal aspect, Tim. You talked about how much the Venn diagram overlaps; let's really make that clear, even from a time element. So think about this. 47 days.
Tim Callan: 2029.
Jason Soroko: Are we going to have CA/Browser Forum rules around post-quantum certificates by that point? The answer is yes. Therefore, overlap, Tim.
Tim Callan: And deprecation of RSA-2030 and deprecation of client certs.
Jason Soroko: I would say by 2028/2029, the complete overlap of all these things hitting you at once is in place. So preparing for it right now - critical.
Tim Callan: Absolutely. So I think there's probably more on this, but this is just a thing I've been observing, and it's on my mind, and I wanted to talk about it.
