Migration of Certificates 2021: lessons learnt & future plans
A conversation with Dirk Serruys, Chairman of the EASEE-gas Technology Standards Working Group
For years now, EASEE-gas has been acting as a provider of security certificates for its community of members. The EASEE-gas certificates are used for encryption and signing in the AS2 and AS4 protocols ensuring the reliability of a message’s origin and protecting the integrity and privacy of the message.
The EASEE-gas Technology Standards Working Group (TSWG) is responsible for the maintenance and renewal of these certificates. Every three years, they coordinate the migration of certificates (MoC) project to ensure that their protection level is up-to-date. This process implies a great deal of preparation and coordination.
Dirk Serruys, TSWG Chair, explains why the implementation of the last MoC had to be initiated much earlier than foreseen and gives more details on how the project was handled, the lessons learnt and the plans for the future.
MoC 2021 was completed in January 2021 instead of September 2021. Why the rush?
In November last year, it was found that the Advanced CA G1 root certificate of QuoVadis, the certificate authority for the EASEE-gas certificates, was no longer meeting the latest requirements. QuoVadis therefore decided to revoke the root certificate on 31 December 2020.
The EASEE-gas certificates were affected because this root certificate was part of their trust chain. Therefore, we had to react very quickly in order to avoid any communication disruption on the European gas market. I am proud to say, that with the great support of PSvdL Consulting, we managed to renew successfully all certificates in a record time.
In normal times, how much time does this process take?
Normally, this project spans nearly one year. For example, for this last MoC, we had initially planned to kick off the work in November 2020, start the certificate requests in June 2021 and release the certificates and go live in September 2021.
What was the action needed from the EASEE-gas members?
Together with PSvdL Consulting, we acted as one team at the service of the roughly 80 members using an EASEE-gas security certificate. We planned every step and what we needed from them was just to follow our instructions in order to download the new certificate and securely store it on their systems.
For all the other non-EASEE-gas certificates they might use, these 80 members need to dedicate a team of their own to manage the certificate renewal from A to Z. By using EASEE-gas certificates, they save about two or three weeks of work.
What are the lessons learnt?
For this project, we need to get hold of the technical people in our members’ teams and this is always a bit of a challenge. We have already experienced this issue in the past. We also noticed that many member companies lack a good overview of their communication partners.
That is why we are putting a lot of effort into finalising work on EASEE-connect, the digital platform for the creation and management of AS2/AS4 company profiles. This platform will allow companies to create and manage relations with other companies enrolled on the platform. Moreover, by creating and managing their profile on this platform, companies will automatically contribute to building up and maintaining a common up-to-date database of contact details.
This will be very helpful because it will eliminate the time wasted on emails or phone calls regarding technical connection parameters and the headaches with outdated excel lists of contacts.
What changes can we expect in the future?
With EASEE-connect in place and with the guidance offered in the Common Business Practice (CBP) on Agreement update & Certificate exchange, there will be no need for a MoC for AS4 in the future. The CBP encourages members to use the agreement update according to the AS4 ENTSOG profile and in addition use the EASEE-gas certificates whose public keys can be exchanged using AS4.