GlobalSign Blog

12 Feb 2016

Complete Guide to Switching your MSSL CA Provider

With all the hype around switching your managed SSL service provider, you would think the process to be extremely complex and difficult to navigate. The truth is, it's not nearly as complicated as you may first think. Successful switches involve a clear set of expectations for what is needed in terms of resources, costs and preparation, and they follow a certain series of events. Let's take a quick tour of what actually needs to be done in order to achieve as smooth a transition as possible.

Step 1 - Survey and Assess Existing Certificates, Needs, and Usage.

As soon as you first consider switching managed SSL providers, you should begin by surveying your current SSL usage and environment. We recommend this as the first step because it is the most important part of setting reasonable expectations for the cost and time involved with switching.

Inventory all certificates

Determine the locations of all current certificates so you know what needs to be replaced after you decide to make the switch. Enterprise or larger companies may have many active SSL Certificates within their environments that need to be accounted for. Therefore it is extremely important to locate all certificates during the transition to avoid possible expirations, which could lead to lapses in coverage, network outages or possible compliance issues.

GlobalSign has a Certificate Inventory Tool which will allow you to do this.

Identifying internal vs. external usage

Different CAs offer different levels of security and features. Take the time to review offerings from your prospective new CA and to identify what you will need for your organization's requirements.

  • Public-facing sites may require higher levels of security and should be secured with a certificate from a reputable brand.

  • Internal sites really just need encryption capabilities, so you may be able to use more basic, less feature-rich certificates.

Working with Certificates from Multiple CAs

An organization may be working with multiple CAs for many different reasons, such as:

  • Many different individuals or departments purchasing certificates separately from different service providers.

  • Differing CAs as a result of mergers, acquisitions or absorptions.

Dealing with multiple CAs can hinder the process of getting an accurate inventory of your existing certificates. Fortunately, GlobalSign's Certificate Inventory Tool will assist in indexing your network and locating all existing certificates regardless of the issuing CA. This aids you in compiling a complete inventory to reference when the time comes to switch to the new managed SSL service provider.

Of course, if you are certain that all of your existing SSL Certificates were purchased from the same CA, you can just download a list of all of your certificates from that account. This gives you a record of all previous purchases, so you shouldn't have to rely on the old account during the migration process.

Identifying administrators, servers & applications

  • You need to go through and identify which of your team members will manage your new account. Making sure you train these individuals on the new GUI (Graphical User Interface) is key, and you should factor any training time into your transition timeline.

  • The number and type of servers and applications you have certificates on should be closely evaluated, so that you can accurately figure out what to expect when it comes time to make the actual switch of managed SSL service providers. One example is that you may need to do manual replacements, depending on the type of server the certificate is installed on.

Step 2 – Determine Renewal Strategy and Appropriate Next Steps

Looking at the logistics behind switching managed SSL service providers is much easier once you know what you're working with. There is a huge misconception about switching that often deters organizations, because it is usually described as a painful and time-consuming process. However, when you break it down and scope out exactly what is involved, you discover that it really isn't that bad and is actually quite achievable.

Decide on a renewal strategy

Always tailor a plan of attack for handling certificate renewals before you switch your managed SSL provider. Most CAs should be able to accommodate the following procedures for renewals and replacements:

  • Transition Model: Approach renewals on an individual basis, replacing each certificate as its expiration date approaches. An accurate certificate report with expiration dates is very important if using this process, as is a clear assignment of responsibility for managing renewals. You spend less time installing certificates during the initial switch period using this model, but must be very diligent about monitoring expiration dates until you have renewed all certificates with the new management account.

  • Rip & Replace Model: This is exactly how it sounds: you replace all of your certificates at once. This requires an additional initial investment of time and resources, but there is no worry about expiration dates and monitoring old certificates through their lifecycle. There are also no concerns about having to rely on several different management platforms. GlobalSign offers a trade-in so you can receive the remaining validity of your existing certificate added onto your GlobalSign certificate for no additional charge.

  • Learn the New GUI (Graphical User Interface): You need to know and assess how many users you have, their roles and their responsibilities. Be sure to take training time into consideration in your final switching timeline. Your account administrator, for example, may need more training than a person who is just placing orders.
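The certificate report that the Transition Model depends on can be sketched as follows. This is an added example, not GlobalSign's Certificate Inventory Tool or any code from the original post; the hosts, issuer names, dates, status labels and the 30-day lead time are all constructed assumptions.

```python
import ssl
from collections import Counter
from datetime import datetime, timezone

# Constructed sample inventory (hosts, issuers and dates are made up).
# not_after uses the notAfter text format printed by `openssl x509 -enddate`
# and returned by ssl.SSLSocket.getpeercert().
INVENTORY = [
    {"host": "www.example.test", "issuer": "Old CA A",
     "not_after": "Mar  1 12:00:00 2016 GMT"},
    {"host": "intranet.example.test", "issuer": "Old CA B",
     "not_after": "Nov 20 00:00:00 2016 GMT"},
    {"host": "shop.example.test", "issuer": "New CA",
     "not_after": "Feb 10 00:00:00 2017 GMT"},
    {"host": "legacy.example.test", "issuer": "Old CA A",
     "not_after": "Jan 15 00:00:00 2016 GMT"},
]

# Fixed "today" so the report is reproducible (the post's publication date).
NOW = datetime(2016, 2, 12, tzinfo=timezone.utc)


def renewal_queue(inventory, new_ca, now, lead_days=30):
    """Certificates still issued by an old CA, soonest expiry first."""
    queue = []
    for cert in inventory:
        if cert["issuer"] == new_ca:
            continue  # already renewed with the new provider
        expires = datetime.fromtimestamp(
            ssl.cert_time_to_seconds(cert["not_after"]), tz=timezone.utc)
        days_left = (expires - now).days
        if days_left < 0:
            status = "EXPIRED"      # lapse in coverage: replace immediately
        elif days_left <= lead_days:
            status = "RENEW NOW"    # inside the renewal lead time
        else:
            status = "scheduled"
        queue.append({**cert, "days_left": days_left, "status": status})
    return sorted(queue, key=lambda c: c["days_left"])


def remaining_by_issuer(queue):
    """How many certificates each old CA account still has to carry."""
    return dict(Counter(c["issuer"] for c in queue))


if __name__ == "__main__":
    queue = renewal_queue(INVENTORY, new_ca="New CA", now=NOW)
    for c in queue:
        print(f'{c["status"]:<10} {c["days_left"]:>4}d  {c["host"]}  ({c["issuer"]})')
    print(remaining_by_issuer(queue))
```

The per-issuer count shows how long each old management account must stay in use, which is the trade-off the Transition Model accepts in exchange for less up-front installation work.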

Scope any API integration

If there is API integration in use with your current CA, there will need to be a similar integration with your prospective new CA. Your prospective new CA should have satisfactory API documentation and be able to provide support and guidance throughout the on-boarding process.

Step 3 – Estimate the Costs Involved

Now that you have a better idea of the scope of this change, you can more easily estimate the costs involved with switching your managed SSL provider. Be sure to evaluate what your prospective new CA offers as a feature and what they charge for. This is all outlined in our first post about reasons for switching your Certificate Authority. Be sure to factor in any costs involved with:

  • Capital Expenditures: One-time capital expenditures may include (depending on the CA you choose) Certificate Discovery Tool, Certificate Management Tool, and API Integration development costs.

  • Operational Expenditures: From an ongoing, operational perspective, factor in the time needed for your account users to become familiar with the new management platform, delegating responsibilities, etc. Training time varies, of course, depending on individual responsibilities.

  • Annual Certificate Costs: During your evaluations of prospective CAs, you must consider the cost of all individual products together with the provided value in terms of features and functionality.

  • Product Definitions: Each CA will define their products differently. Be sure to completely evaluate the product line and be certain that the certificate meets your needs, and also that it doesn't include any unnecessary premium add-ons.

  • Set-Up Fees: Any and all set-up fees that may be assessed or required.

Step 4 - Consider All Options, Features & Benefits Needed to Suit Your Individual Company

When comparing managed SSL providers, be sure to place importance on the fact that you are essentially picking a business partner, not just a product. This is a definite relationship that goes well beyond just the delivery of a product. Your organization will have a dependency on this CA long after they have issued your certificates. Your prospective new CA should be able to provide you with the highest security, feature-rich SSL Certificates and they should also be able to:

  • Give sound advice on security initiatives.

  • Take your business needs into consideration when making recommendations.

  • Provide you with tools in order to verify that your web server configuration has been optimized to guarantee maximum security.

Your managed SSL vendor should provide more than just certificates. Choose a company that can become your security partner by offering cutting-edge technology, the flexibility to develop solutions to fit your needs, and the ability to advise on your organization's security concerns.

GlobalSign has helped a great many organizations successfully make the CA switch. If you would like to talk to us about switching, contact us today.
