I just got a notice that my SSL certificates were going to expire and it was time to renew at GoDaddy (http://www.godaddy.com). Not a problem. Just go to their website and renew the certificate in a few clicks. As a matter of fact, we just renewed a previous certificate a couple of weeks ago and it was easy, painless and very inexpensive. Heck, that is why we chose GoDaddy as our provider for DNS registration and SSL certificates. Their prices are great, their site is simple to navigate and they get things done quickly. Having come from Verisign, where a ten-pack of SSL certificates and an administration certificate costs $10,000/year, this was a real no-brainer decision to move.
So, what happened? As soon as we tried to renew the certificate, we were blocked with a warning that the certificate signing request (CSR) was not between 2048 and 4096 bits in length. We have never used certificates with anything other than 1024 bits and all of them were working fine, including the one we recently renewed. We thought it was an error and tried to renew again on their site. Same thing. We thought it was some sort of error, so rather than renew, we decided to issue a new CSR from our appliance (more on that later) and submit it. Again, we were stopped by GoDaddy. When we contacted technical support, we were told that the CSR had to be at least 2048 bits in length and that we would have to adjust our web server to change the CSR to that value.
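The check that tripped the renewal above (the CSR's key must be between 2048 and 4096 bits) is easy to run yourself before submitting anything to a CA. The script below is an added example, not part of the original post or of any GoDaddy or Cisco tooling: it uses the openssl command-line tool (assumed to be installed) to generate a 1024-bit and a 2048-bit RSA key plus CSR, reads the key size back out of each CSR, and applies the same 2048..4096-bit acceptance rule. The hostname is made up.

```shell
#!/bin/sh
# Added example (not from the original post): generate an RSA key and CSR of a
# chosen size with the openssl CLI, then read the key size back out of the CSR
# and apply the same 2048..4096-bit acceptance check the CA enforced above.
# Assumes the openssl command-line tool is installed; the hostnames are made up.
set -eu

# make_csr KEYFILE CSRFILE BITS CN
# Creates an unencrypted RSA private key of BITS bits and a CSR for CN.
make_csr() {
    openssl req -new -newkey "rsa:$3" -nodes -keyout "$1" -out "$2" \
        -subj "/CN=$4" >/dev/null 2>&1
}

# csr_bits CSRFILE
# Prints the RSA modulus size (in bits) of the public key inside the CSR,
# taken from the "Public-Key: (N bit)" line of the decoded request.
csr_bits() {
    openssl req -in "$1" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# csr_acceptable CSRFILE
# Succeeds (exit 0) only if the CSR's key is between 2048 and 4096 bits
# inclusive, the range the renewal form rejected the 1024-bit request against.
csr_acceptable() {
    bits=$(csr_bits "$1")
    [ -n "$bits" ] && [ "$bits" -ge 2048 ] && [ "$bits" -le 4096 ]
}

# Demo: a 1024-bit request (what the appliance produced) and a 2048-bit one.
demo() {
    dir=$(mktemp -d)
    make_csr "$dir/weak.key"   "$dir/weak.csr"   1024 appliance.example.com
    make_csr "$dir/strong.key" "$dir/strong.csr" 2048 appliance.example.com
    for f in "$dir/weak.csr" "$dir/strong.csr"; do
        if csr_acceptable "$f"; then
            echo "$(basename "$f"): $(csr_bits "$f") bits - accepted"
        else
            echo "$(basename "$f"): $(csr_bits "$f") bits - rejected (need 2048-4096)"
        fi
    done
    rm -rf "$dir"
}

demo
```

The same `csr_bits` check works on a CSR exported from an appliance, so you can tell before opening a ticket with the CA or the vendor whether the request it produced will be accepted. Keep the generated `.key` file private; only the `.csr` is sent to the CA.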
Here is where we got really stuck. Like a lot of shops, we use a number of appliances for security and other functions. In particular, we have some Cisco products that we require to have SSL certificates because they face the Internet. These appliances are not generic web servers like Apache or IIS. They come with custom user interfaces that ask few questions and give few options. None of them ask or allow the administrator to set the number of bits in the CSR and all of them generate one with their own private key set for 1024 bits.
I contacted Cisco TAC, but I knew the answer to my question before I got it typed into the case notes. The products do not support 2048-bit CSRs, and you can submit a feature enhancement with your sales rep if this is something you want to be considered for a future release. I wrote the case up anyway and escalated it, since the appliance was about to go offline without a certificate. When the TAC engineer finally contacted me, he was polite and professional, but also knew that there was nothing he could do for me. He pointed me at a Cisco document that stated no support for anything other than 1024-bit CSRs and agreed to talk with the developers to see if they were developing anything for 2048 bits.
I told the TAC engineer that I had in fact found a workaround that would make it work. Rather than using their interface, I could start up the box, take a 2048-bit IIS certificate and install it on the fly, then restart some other services, install the second 2048-bit IIS certificate and then bring up the device completely. That works until the box needs to be rebooted, and then the process has to be repeated. He was shocked that 1) it could be done and 2) I found a way around their systems. I told him that this confirmed compatibility and functionality and now they just had to provide better support. He agreed, but the rest is out of his hands. End of phone call.
Now, let's get back to the real culprit in my mind, and that is GoDaddy themselves. First and foremost, they changed their SSL issuing policy without informing their customers in any way. We did not receive any notices from them about this change, which prevented us from taking care of upcoming certificates before it happened. This is unforgivable in my opinion. Paying customers for services should know what they are paying for and must be informed well in advance of any proposed changes, modifications or limitations in that service. So, I called GoDaddy technical support to get answers to these questions.
Once I got hold of someone at GoDaddy, I asked about the CSR. They told me that the change had just happened a few days ago and that they now require 2048-bit CSRs for security reasons. I told them that this was impossible, since the original certificate and CSR have been stored on their servers for the past year and all I was asking was for them to renew the certificate with the already submitted CSR, which they approved last year. How could that request be considered less safe than submitting a brand new CSR for the same URL? They had no answer, just a memorized statement. Then I told them that I was using a custom appliance that did not provide me the mechanism for creating a 2048-bit CSR and that Cisco does not support it. Then I was told that Apache and IIS can be used to generate 2048-bit requests. Again, I reiterated that I was not running a web server application, but an appliance that had set standards that had to be met. After being put on hold, the same answer came back. Then I was asked if I had talked to Cisco and informed them that 2048-bit was more secure and that they should support it. Are you kidding? I said. I don't tell Cisco what to do, and neither does GoDaddy.
I asked the GoDaddy support tech to talk with developers and tell them that the security of my site is my responsibility and that I do not require 2048-bit CSRs to obtain my certificates. I asked them why they didn't inform me in writing of the changes and give me time to react and protect my site during a transition time. I demanded that they provide customers a mechanism for renewing pre-existing certificates with the CSRs that have already been submitted and are on file with them. After being placed on hold, I was told that it was not possible to provide that service to me. Then the real shock came when the technician told me to find a different certificate provider to obtain the certificate! Whoa. Here is GoDaddy technical support telling me to drop GoDaddy as my certificate provider and go find someone who will do what the customer wants. In my opinion, that is great advice. It will take some time to qualify and build a relationship with another provider, but at this point, GoDaddy seems to be missing a real opportunity to provide customer service.
I do not know how GoDaddy goes about developing and delivering their services to customers, but I do know it is absolutely not working. To change something like this, which is critical to the day-to-day operations of a business, without so much as a simple e-mail or letter to customers is one of the dumbest things I have seen in a long time. If they really thought this was a great idea (or even a good idea), they should have shouted it to their customers to let them know how they were working to improve security moving forward. And for current customers and certificates, renewals alone could have been allowed to continue using the 1024-bit CSR, since it had already been filed with GoDaddy prior to the change. This could have been continued for up to one year from the date of the change, which would give customers time to react. They should also have approached the major appliance vendors and got them to agree to support the new 2048-bit initiative in a press release. But what did they do instead? Sat around the office one night, came up with a release date and installed it without telling anyone, not even their paying customers. Then built a policy for the technical support staff to have them tell their customers, "That's too bad for you. Do it our way or hit the highway. Either way, we don't care." Clearly, customer loyalty and respect is something they don't have for customers and, conversely, we no longer have for them. Too bad. It was nice while it lasted.