Historically, QuoVadis has operated its own certificate management system (“Trustlink”) and PKI from datacenters located in Bermuda, Switzerland, and the Netherlands. In addition to managing the issuance of TLS certificates, Trustlink is used to manage other digital certificate types such as S/MIME, Qualified, authentication, and private trust certificates.
The Trustlink system has checks that enforce technical standards such as the Baseline Requirements; however, QuoVadis has experienced some quality issues when trying to scale TLS validation using processes that are largely manual.
As with other acquisitions, such as the Symantec brands, DigiCert’s intent is to consolidate issuance platforms to its CertCentral platform. QuoVadis will benefit from DigiCert’s significant investment in validation tools, which include guided validation paths, automated checks, and pre-issuance linting. However, we are second in the priority queue for consolidation, pending shut-down of all the legacy Symantec systems. DigiCert has told us this will happen in Apr 2020, and they will commence migration of Trustlink shortly after. Planning has already begun for this transfer, with the migration paths for TLS being identified.
Like the Symantec migration, the full integration will be done in multiple phases focusing on different customer segments. In its earliest phases, the migration will focus on large enterprise customers or consortia which are not geographically sensitive. In its later stages, DigiCert’s roadmap is to provide a regional version of CertCentral, such that validation data and certain PKI operations can be operated in-region, such as in the EU or Switzerland, which is respectful of the needs of customers who are geographically sensitive. This geographic sensitivity is the largest hurdle in migration, as DigiCert data is currently stored only in the US. Figuring out the date when that can be accomplished is the primary obstacle to providing a shut-down date for the Trustlink system for TLS.
We have already started consolidating into a single validation team operating under DigiCert’s Dublin-based validation group, and are adopting DigiCert’s validation training, standards, and methodologies. Although QuoVadis is still treated separately by DigiCert, we are trying to implement their practices and procedures, including their requirements around incident disclosure and revocation, well before the integration.
As TLS accounts transition from Trustlink to CertCentral, we will check existing organizational details and certificate profiles against DigiCert’s validation platform and revalidate when necessary.