Cybersecurity

mTLS & Public CAs: 6 Weeks to Avoid a Critical Security Breach

Bl4ckPhoenix

Bl4ckPhoenix

3 min read
mTLS & Public CAs: 6 Weeks to Avoid a Critical Security Breach

In the fast-evolving landscape of modern infrastructure, mutual TLS (mTLS) has become a cornerstone of secure service-to-service communication. Many organizations, particularly within DevOps and platform engineering teams, have opted for the convenience of public Certificate Authorities (CAs) like Let's Encrypt to provision certificates for their mTLS setups. This approach, often chosen for its simplicity and automation capabilities, is now facing a critical deadline that could leave numerous systems vulnerable or entirely inoperable.

Bl4ckPhoenix Security Labs has observed an urgent shift in the public CA ecosystem that demands immediate attention. If your CI/CD pipelines, service meshes, or any other service-to-service identity flows rely on mTLS certificates issued by a public CA, a critical six-week window for remediation has opened. Failure to address this could lead to significant operational disruptions and potential security incidents.

The Impending Change: What You Need to Know

The core of this impending issue stems from a change in how Certificate Authorities, specifically Let's Encrypt, manage the "Client Authentication" (ClientAuth) Extended Key Usage (EKU) for certificates. Historically, many teams found it expedient to configure mTLS or service-to-service identity flows against public CAs because it offered an easy path to certificate issuance and renewal via protocols like ACME (Automated Certificate Management Environment).

However, a significant policy update occurred in February: Let's Encrypt removed the ClientAuth EKU from its default ACME certificate profiles. The ClientAuth EKU is crucial for certificates used in client-side authentication scenarios, where a service authenticates itself to another service using its certificate.

For organizations that had previously relied on a "holdout profile" specifically designed to continue issuing certificates with ClientAuth EKU (often referred to as the tlsclient profile), this temporary reprieve is also concluding. The tlsclient holdout profile is set to sunset on 8 June. This means that after this date, new certificates issued by Let's Encrypt (and potentially other public CAs following suit) will no longer contain the necessary ClientAuth EKU by default, effectively breaking mTLS implementations that depend on it.

Impact on CI/CD, Service Meshes, and Beyond

The ramifications of this change are far-reaching:

  • CI/CD Pipelines: If your build or deployment pipelines authenticate to internal services, artifact repositories, or cloud providers using client certificates from public CAs, these connections will fail. This could halt deployments, block essential automation, and severely impact development velocity.
  • Service Meshes: Environments leveraging service meshes like Istio, Linkerd, or Consul Connect often use mTLS for encrypting and authenticating traffic between microservices. If these meshes were configured to obtain their internal identity certificates from public CAs (a less common but not unheard-of practice, especially in initial setups or hybrid environments), their inter-service communication will cease.
  • Internal API Authentication: Any bespoke service-to-service communication that relies on client certificates from public CAs for authentication will break. This includes internal APIs, data streaming services, and other backend components.
  • Security Posture: Beyond operational failure, relying on misconfigured or invalid mTLS can create a false sense of security, potentially exposing internal services that were presumed to be protected.

Given the urgency, Bl4ckPhoenix Security Labs strongly advises platform and security teams to undertake the following actions immediately:

  1. Inventory and Audit: Identify all instances where mTLS or client certificate authentication is used across your infrastructure. Specifically, determine if any of these certificates are sourced from public CAs (e.g., Let's Encrypt) and if they require the ClientAuth EKU.
  2. Transition to Private CAs: The most robust and recommended long-term solution is to establish and utilize a private Certificate Authority for internal service authentication. Solutions like HashiCorp Vault's PKI secret backend, AWS Private CA, or self-hosted options provide full control over certificate issuance and EKUs.
  3. Leverage Platform-Specific Identity: For service mesh deployments, prioritize using the mesh's native certificate management and internal CA capabilities (e.g., Istio's Citadel/Istiod, Linkerd's identity controller).
  4. Update ACME Clients: Ensure that any ACME clients used for certificate issuance are updated and configured to request appropriate EKUs if custom profiles are still available (though this is becoming less viable for ClientAuth). Prepare to switch to alternative certificate sources.
  5. Implement Robust Secret Management: Integrate certificate and key management with secure secret stores. This facilitates automated rotation and ensures keys are not exposed in CI/CD pipelines.

Conclusion: Time is of the Essence

The sunsetting of the ClientAuth EKU in public CA default profiles marks a significant moment for infrastructure security. While the initial choice to use public CAs for mTLS was often driven by ease, the industry is increasingly moving towards more controlled and robust private PKI solutions for internal service authentication. This impending deadline serves as a critical wake-up call for organizations to re-evaluate and fortify their internal certificate management strategies.

The six-week window is not merely a suggestion; it is a hard deadline. Bl4ckPhoenix Security Labs urges all affected teams to prioritize this assessment and transition to ensure the continued security and operational integrity of their systems.

Read more