Updating our guidance on security certificates, TLS and IPsec
Summary
The NCSC has updated three core pieces of cryptographic guidance. The new “Provisioning and Managing Certificates in the Web PKI” consolidates previous advice on certificate provisioning and sets out current thinking on Web PKI. Minor edits were also made to the TLS and IPsec guidance to ensure consistency; larger updates (including post‑quantum profiles) will follow as standards and implementations mature.
Key Points
- New consolidated Web PKI guidance replaces the previous provisioning guidance.
- Key recommendations: automate certificate provisioning and renewal, prepare for shorter certificate lifetimes, monitor issuance and renewals, and control who and what can access private keys.
- Use cloud key management services where appropriate and avoid wildcard certificates to reduce compromise impact.
- TLS and IPsec guidance received minor updates for consistency; recommended profiles remain protective but legacy profiles are increasingly outdated and should be updated promptly.
- Substantial TLS/IPsec revisions are planned to introduce post‑quantum cipher suite preferences once standards and implementations stabilise.
Content summary
The article explains practical, near‑term steps for certificate management: prioritise automation, implement effective monitoring, and adapt operational processes for shorter certificate lifetimes. It clarifies that while cipher recommendations stay the same for now, organisations should stop relying on legacy/deprecated profiles and prepare for forthcoming post‑quantum updates.
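The operational steps above (automate renewal, monitor the estate, plan for shorter lifetimes, avoid wildcard certificates) can be checked against a certificate inventory. The following Python script is an added example for this summary, not code from the NCSC or the blog post. The inventory records, the 90-day lifetime cap and the "renew at two thirds of lifetime" rule are constructed assumptions for illustration; substitute your own policy values and feed it from your real inventory or monitoring system.

```python
"""Audit a certificate inventory against operational policy.

Flags certificates that have expired, are due for renewal (and whether
automation will handle it), use wildcard names, or have lifetimes longer
than the policy cap. All records and policy values below are constructed
for this example; they are not NCSC figures.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone

# Policy values (assumed for this example; adjust to your own standard).
MAX_LIFETIME_DAYS = 90     # longest lifetime the policy tolerates
RENEW_AT_FRACTION = 2 / 3  # renew once two thirds of the lifetime has elapsed


@dataclass(frozen=True)
class CertRecord:
    """One entry from a certificate inventory (constructed shape)."""
    common_name: str
    sans: tuple[str, ...]
    not_before: datetime
    not_after: datetime
    auto_renew: bool  # True when an ACME client or similar renews it


def lifetime_days(rec: CertRecord) -> int:
    """Validity period length in whole days."""
    return (rec.not_after - rec.not_before).days


def is_expired(rec: CertRecord, now: datetime) -> bool:
    return now >= rec.not_after


def renewal_due(rec: CertRecord, now: datetime) -> bool:
    """Renew when RENEW_AT_FRACTION of the validity period has elapsed.

    Working in fractions rather than fixed days keeps the rule valid as
    lifetimes shrink (a fixed "30 days before expiry" breaks on short certs).
    """
    elapsed = now - rec.not_before
    return elapsed >= (rec.not_after - rec.not_before) * RENEW_AT_FRACTION


def is_wildcard(rec: CertRecord) -> bool:
    """True if the CN or any SAN is a wildcard name (larger blast radius)."""
    return any(name.startswith("*.") for name in (rec.common_name,) + rec.sans)


def audit(records: list[CertRecord], now: datetime) -> dict[str, list[str]]:
    """Return finding codes per common name; an empty list means compliant."""
    findings: dict[str, list[str]] = {}
    for rec in records:
        codes: list[str] = []
        if is_expired(rec, now):
            codes.append("EXPIRED")
        elif renewal_due(rec, now):
            # Due but automated is informational; due and manual needs action.
            codes.append("RENEW_PENDING_AUTO" if rec.auto_renew else "RENEW_NOW_MANUAL")
        if is_wildcard(rec):
            codes.append("WILDCARD")
        if lifetime_days(rec) > MAX_LIFETIME_DAYS:
            codes.append("LIFETIME_OVER_POLICY")
        findings[rec.common_name] = codes
    return findings


def _utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample inventory; the audit is evaluated as of NOW.
NOW = _utc(2025, 6, 1)
SAMPLE_INVENTORY = [
    CertRecord("www.example.com", ("www.example.com",),
               _utc(2025, 3, 15), _utc(2025, 6, 13), auto_renew=True),
    CertRecord("*.example.com", ("*.example.com", "example.com"),
               _utc(2024, 9, 1), _utc(2025, 9, 1), auto_renew=False),
    CertRecord("vpn.example.com", ("vpn.example.com",),
               _utc(2025, 5, 20), _utc(2025, 8, 18), auto_renew=True),
    CertRecord("legacy.example.com", ("legacy.example.com",),
               _utc(2025, 2, 1), _utc(2025, 5, 2), auto_renew=False),
]

if __name__ == "__main__":
    for name, codes in audit(SAMPLE_INVENTORY, NOW).items():
        print(f"{name:22s} {', '.join(codes) or 'OK'}")
```

Run on the sample inventory, the one-year wildcard certificate with manual renewal collects three findings at once, which is exactly the combination the guidance warns against: long lifetime, broad scope, and a renewal that depends on someone remembering.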
Context and relevance
This guidance reflects international trends in the certificate ecosystem and aligns NCSC advice across Web PKI, TLS and IPsec. It is especially relevant to security teams, operations engineers and architects who manage PKI, TLS or IPsec configurations and who need to plan migrations and operational changes to avoid outages or weak configurations.
Why should I read this?
Short and blunt: it tells you what to change now so you don’t get burnt later. If you run web services or VPNs, this saves you admin pain — automate renewals, ditch wildcard certs where sensible, and start planning for shorter lifetimes and post‑quantum updates.
Author
Jeremy B — Principal Technical Director for Crypt and High Threat Technologies. Punchy verdict: this is practical, must‑act guidance for teams responsible for certificates and crypto configurations.
Source
Source: https://www.ncsc.gov.uk/blog-post/updating-our-guidance-on-security-certificates-tls-ipsec