Upcoming Expiration of Qualys SAML Certificate
Last updated on: May 26, 2023
We value our users’ security and strive to provide a seamless experience when accessing Qualys services. In order to maintain the highest standards of security, we periodically update our SAML certificates. This blog post serves as a notification that the current Qualys SAML certificates will expire on May 30th, 2023. It is essential to take immediate action to ensure uninterrupted Qualys login via SAML.
To ensure a smooth transition, we have generated a new Certificate Authority (CA) certificate that needs to be imported into your SAML Identity Provider (IdP) configuration.
What Functions Are Impacted
- If you have SAML enabled on your account within your IdP SSO configuration for Qualys, and signature verification is enabled on your IdP, you are impacted.
- API users are not impacted.
- If you are not using SAML SSO, you are not impacted by this change. If you have SAML SSO enabled on your account within your IdP SSO configuration for Qualys, please check whether signature verification is enabled on your IdP. If signature verification is not enabled, you are not impacted.
How to check if Signature Verification is enabled
You may check the signature verification setting in your IdP.
Here are examples for Azure and Okta.
If you currently use SAML Single Sign-On (SSO) and have signature verification enabled for Qualys UI login, replacing the certificates as outlined in this communication is crucial for uninterrupted access. Customers potentially affected by this change will have received an email from the Qualys team describing the changes required. Replacing the certificates promptly will avoid any interruptions in accessing Qualys services. Please refer to the article to download and import the new certificate. We recommend involving your IdP administrator to assist with the import process.
Option 1: To avoid any potential login issues resulting from certificate expiration or delays in uploading the new certificate, we suggest creating a temporary “Non-SAML user” for the time being. This will ensure that at least one user can access the Qualys UI during the transition period. Once your new certificates are successfully uploaded, and you can log in via SAML, you can decide whether to delete or disable the temporarily created “Non-SAML user.”
Option 2: Customers can temporarily disable signature verification in their IdP.
Option 3: You may also contact Qualys Support to disable SAML SSO temporarily from the backend.
Platform-Specific Certificate Update dates
The table below outlines the platforms for which Qualys Operations will update the certificates. After this activity, please replace the certificate at your end as soon as possible to ensure uninterrupted login:
|Platform|Update Date and Time|
|EU01, EU02, UK01, IND01, AE01, AU01|21:30 PDT 25th May 2023 / 04:30 UTC 26th May 2023|
|US01, US02, US03, CA01, US04|26th May 2023, 08:00 PDT|
Frequently Asked Questions
Why is the composition of the certificate changing?
The threat model for enterprise SaaS applications has changed. Given significant advancements in computing and computational analysis, security professionals must respond to changing cryptographic risks by increasing the strength of trust infrastructure such as certificates and by switching to contemporary hashing algorithms. Current NIST guidance makes clear that certain cryptographic models will likely not provide sufficient protection past 2030.
Why does this certificate expire in 3 years rather than 10?
The changing cryptographic threat model must include an acceptance that traditional high-performance computing and quantum computing are scaling to levels where they introduce new threats. Best practices are changing to support shorter-lived certificates. Given these realities, organizations must become more responsive to cryptographic risk. Shortening the time given to a certificate works to address those risks in practical ways that are aligned with evolving guidance.
Qualys customers are requested to contact their Technical Account Manager or Qualys Support for any assistance. Our team is dedicated to supporting you every step of the way, providing assistance and guidance for a smooth transition.