The KNAW's Trippenhuis
Case study

KNAW uses SURF certificates via ACME for certificate management

"Renewing everything manually will soon become impossible to do"

A single expired TLS certificate can prevent thousands of students and researchers from accessing their data. That’s a mistake educational and research institutions cannot afford to make. The solution lies in automating IT processes. Two IT experts from the Royal Netherlands Academy of Arts and Sciences (KNAW-HuC) explain why they chose to automatically manage SSL certificates through SURF.

Key facts

Who: Mario Mieldijk and Dorian Harmans
Function: Team Lead Concern Infrastructure, Linux/DevOps Engineer
Organisation: KNAW (Humanities Cluster)
Service: SURFcertificates
Challenge: Manually managing hundreds of TLS certificates is becoming unsustainable due to increasingly shorter validity periods. This raises the risk of errors and costs hundreds of hours each year.
Solution: By using ACME protocols and SURFcertificates, the renewal of TLS certificates is fully automated. This reduces the risk of errors, increases reliability, and saves hundreds of hours of manual work annually.

A Transport Layer Security (TLS) certificate secures communication between a web browser and a server by encrypting sensitive data. Together with a team of IT experts, Mario Mieldijk, Team Lead for Central Infrastructure, and Dorian Harmans, Linux/DevOps Engineer, ensure that information on the KNAW website is securely encrypted for visitors every day.

Shorter validity period

To ensure proper encryption, all TLS certificates must be kept up to date. This is becoming increasingly labour-intensive, as certificate validity periods continue to shrink. A few years ago, certificates were valid for two to three years, but soon, this may be reduced to just 47 days.

“A shorter validity period does increase security,” says Mario, “but it also means you have to renew certificates much more frequently.” For KNAW’s 700 applications and 1,400 URLs, that’s no small task. “If we had to do all of that manually, it would cost us more than 700 hours a year. That’s simply not feasible anymore. By automating the process using the open Automatic Certificate Management Environment (ACME) protocol and SURFcertificates, we’re saving around 680 hours annually.”

Less room for error

Dorian Harmans is also pleased with the automation of the process. “If people are responsible for monitoring certificate renewals, there’s always a risk that something gets missed — and the consequences can be serious. Automation makes the process far less error-prone.”

He explains how the automated process works: “We’ve installed special software on our systems that checks weekly whether any certificates are due to expire soon. If so, it automatically requests a new certificate for the relevant website. Even if the software fails, we’re covered: there’s a backup tool, ‘SSLchecker’, that sends an email alert roughly seven days before a certificate expires. And if that’s not enough, we also run daily checks via Kibana/Elasticsearch to detect upcoming expiries. So we have plenty of redundancy.”
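The layered checks described above can be read as one triage over a certificate inventory, sketched here as an added example that is not KNAW's or SURF's tooling. The 30-day renewal window, the function names and the inventory entries are assumptions constructed for illustration; the weekly interval and the seven-day alert come from the text.

```python
from datetime import datetime, timedelta

RENEW_WINDOW_DAYS = 30   # assumption: renew once a certificate is this close to expiry
RENEW_INTERVAL_DAYS = 7  # from the text: the renewal check runs weekly
ALERT_DAYS = 7           # from the text: e-mail alert about seven days before expiry

# Constructed inventory: (hostname, notAfter as ISO 8601 in UTC).
INVENTORY = [
    ("www.example.org", "2025-10-15T00:00:00+00:00"),
    ("api.example.org", "2025-09-27T00:00:00+00:00"),
    ("data.example.org", "2025-09-13T00:00:00+00:00"),
    ("old.example.org", "2025-09-05T00:00:00+00:00"),
    ("legacy.example.org", "2025-08-30T00:00:00+00:00"),
]
NOW = datetime.fromisoformat("2025-09-01T00:00:00+00:00")  # fixed for reproducibility


def triage(host, not_after, now):
    """Classify one certificate and count weekly renewal runs that passed it by."""
    remaining = (not_after - now) / timedelta(days=1)
    # Days already spent inside the renewal window; each full interval is a
    # scheduled run that should have replaced the certificate and did not.
    overdue = max(0.0, RENEW_WINDOW_DAYS - remaining)
    missed_runs = int(overdue // RENEW_INTERVAL_DAYS)
    if remaining < 0:
        state = "expired"
    elif remaining <= ALERT_DAYS:
        state = "alert"            # backup e-mail layer should fire here
    elif missed_runs >= 1:
        state = "renewal-stalled"  # automation has failed at least once
    elif remaining <= RENEW_WINDOW_DAYS:
        state = "renewal-due"      # normal: next weekly run will pick it up
    else:
        state = "ok"
    return {"host": host, "state": state,
            "days_left": round(remaining, 1), "missed_runs": missed_runs}


def daily_report(inventory, now):
    """Return every certificate that is not 'ok', most urgent first."""
    rows = [triage(h, datetime.fromisoformat(ts), now) for h, ts in inventory]
    return sorted((r for r in rows if r["state"] != "ok"),
                  key=lambda r: r["days_left"])


if __name__ == "__main__":
    for row in daily_report(INVENTORY, NOW):
        print(row)
```

A non-zero `missed_runs` is the useful signal for the daily check: it points at a failing renewal job days or weeks before the seven-day alert would.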

More secure and more efficient

The added value of SURFcertificates, according to Mario and Dorian, lies in the fact that SURF provides a central and reliable platform tailored to the needs of educational and research institutions. This brings several clear advantages.

“It’s great to have a single point of contact,” says Mario. “We can take all our questions to SURF, so we don’t have to coordinate with multiple parties about domains, certificates, and related matters. This leads to quicker, more efficient problem-solving and reduces administrative burden.” “And it’s safer,” adds Dorian. “By consolidating everything with one provider, we reduce the risk of man-in-the-middle attacks.”

Influence on procurement

Mario and Dorian point out that working with SURF ensures members always have access to the best possible solutions. “Many education and research institutions, for instance, need advanced API functionalities,” explains Dorian. “In our field, an API is a must-have — it’s been on our wishlist for ages. SURF took this need into account when selecting the platform during the tender process. As a result, all SURF members can now benefit from it. You simply don’t have that kind of influence with a commercial provider.”

“At SURF, they understand how the research world works, which makes them the ideal partner,” Mario concludes. “We also believe in collaboration. So if other educational or research institutions are interested in how we’ve set this up at KNAW, they’re more than welcome to contact us. We’re happy to share our approach. If this interview encourages even one other institution to automate this process, then that’s already a win.”

Getting started with ACME

Would you like to learn more about automating certificate management? Visit the SURFcertificates service page or read more on the wiki.

Or join the webinar 'Automate your certificate management with ACME and SURFcertificates' on 16 September 2025 from 11.00 to 12.00. We’ll discuss what ACME is, how the technology works, and the key considerations when implementing ACME-based certificate management.

More information about the webinar

Joost Gadellaa