Chromecast certificate outage is the tip of the iceberg

A Chromecast certificate outage highlighted a wider problem in certification, writes Tim McAllister - Senior Director of Digital Trust, DigiCert

In early March 2025, Chromecast customers learnt that their devices had stopped working and were showing an ‘untrusted device’ error message. Their devices couldn’t use official Google apps, rendering them largely unusable.

This was ultimately due to a common problem in the IoT: an expired certificate. The Google-owned authentication certificate associated with those Chromecast devices had expired after 10 years in service.

This is not a new problem, and in fact, one of the defining features of modern technological failure is that small things – such as an unplanned certificate expiration – can cause large-scale havoc. Because a digital certificate is the thing which authenticates one entity to another, an expired certificate will mean that one entity cannot connect to the services on which it relies, due to the lack of trust indicated by the expired certificate. This is especially true of the Internet of Things (IoT), where certificate problems dog this popular technology.

Certificate expiry and the IoT

The IoT has gone through a brutal teething period and, despite its popularity, still suffers from a number of repeated design flaws and implementation mistakes that continue to make it a target for threat actors and a risk to users.

One of the flaws is an increasingly untenable holdover from the early days of this technology: the single-issuance certificate. These come with long validity periods, on the idea that these devices will sit outside of everyday reach and can be used with a ‘set-and-forget’ mentality, relieving users of potentially arduous maintenance requirements such as update, revocation or reprovision. Unfortunately, this also creates a serious risk of widespread device failure, as devices make their way out into the physical world and sit in place far longer than their certificates’ validity periods.

On top of that, when certificates do expire, manufacturers are often left with limited options. While in the past, any manufacturer would have been forced to recall devices for physical updates, today’s advanced certificate management platforms offer remote certificate renewal capabilities that can dramatically reduce the need for physical recalls. Unfortunately, many manufacturers haven’t yet implemented these automated solutions, leaving them vulnerable to costly remediation efforts.

As you might expect, that’s a time-consuming process with uneven results that frustrates customers and racks up a long list of expenses. These start with the immediate customer support expenses and extend to potential recalls and replacements for customer devices. Just one certificate expiration can quite quickly mount to millions in direct expenses while eating away at the brand trust it takes years to build.

Solutions exist but execution lags behind

This problem has been known for a while, and specifications for IoT device certificate revocation have arisen through standards like Matter, but those are not always implemented and these problems still arise. In fact, a 2024 industry survey found that only 42% of IoT manufacturers fully comply with CSA certificate management recommendations, highlighting the gap between published standards and implementation.

Dealing with the problem

For their part, device manufacturers should take a number of immediate steps to evaluate their certificate management strategies. They can start by identifying and auditing all their currently deployed devices, paying attention to their certificate status and their expiration timelines. From there, they can develop renewal pathways and establish technical mechanisms for certificate updates that won’t require expensive remediation strategies. They can then start monitoring those certificates by deploying systems that provide visibility into certificate status across device fleets. Finally, they should integrate trust planning by making certificate lifecycle management an integrated and automated part of product design.
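The audit step described above can be sketched in a few lines. This is an added example, not code from the article or from DigiCert: the device models, dates and end-of-support values are constructed, and the status names are hypothetical. It treats a device's trust as expiring when the earliest-expiring certificate in its chain does, and flags chains that will lapse before the device is retired.

```python
import ssl
from datetime import datetime, timedelta, timezone

# Constructed inventory (not real fleet data): per device model, the notAfter of
# each certificate in its trust chain, in `openssl x509 -noout -enddate` format,
# plus a hypothetical planned end-of-support date.
FLEET = {
    "cam-v1": {"end_of_support": "2031-06-30", "chain": {
        "device": "notAfter=Jan 10 00:00:00 2040 GMT",
        "intermediate": "notAfter=Mar  1 00:00:00 2026 GMT",
        "root": "notAfter=Jan  1 00:00:00 2045 GMT"}},
    "hub-v2": {"end_of_support": "2029-12-31", "chain": {
        "device": "notAfter=Sep  1 00:00:00 2025 GMT",
        "intermediate": "notAfter=Jan  1 00:00:00 2034 GMT",
        "root": "notAfter=Jan  1 00:00:00 2045 GMT"}},
    "plug-v1": {"end_of_support": "2028-12-31", "chain": {
        "device": "notAfter=Jan  1 00:00:00 2035 GMT",
        "intermediate": "notAfter=Feb  1 00:00:00 2025 GMT",
        "root": "notAfter=Jan  1 00:00:00 2045 GMT"}},
    "lock-v3": {"end_of_support": "2032-12-31", "chain": {
        "device": "notAfter=Jan  1 00:00:00 2036 GMT",
        "intermediate": "notAfter=Jan  1 00:00:00 2038 GMT",
        "root": "notAfter=Jan  1 00:00:00 2045 GMT"}},
}

def parse_not_after(line):
    """Convert an openssl 'notAfter=...' line into an aware UTC datetime."""
    stamp = line.split("=", 1)[1].strip()
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(stamp), tz=timezone.utc)

def audit(fleet, now, renew_window_days=180):
    """Return {model: (status, limiting_cert_role, effective_expiry)}."""
    report = {}
    for model, rec in fleet.items():
        # A chain stops validating when its earliest-expiring member expires.
        limiting, expiry = min(
            ((role, parse_not_after(v)) for role, v in rec["chain"].items()),
            key=lambda item: item[1])
        eos = datetime.fromisoformat(rec["end_of_support"]).replace(tzinfo=timezone.utc)
        if expiry <= now:
            status = "EXPIRED"
        elif expiry - now <= timedelta(days=renew_window_days):
            status = "RENEW_NOW"
        elif expiry < eos:
            status = "EXPIRES_BEFORE_END_OF_SUPPORT"
        else:
            status = "OK"
        report[model] = (status, limiting, expiry)
    return report
```

Calling audit(FLEET, datetime.now(timezone.utc)) on a schedule gives the fleet-wide visibility the monitoring step asks for; the "limiting" role shows whether the fix is a per-device renewal or a reissued intermediate.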

The implementation needs vary significantly by device type and use case. Consumer IoT devices with direct internet access can leverage different certificate renewal approaches than industrial IoT devices in restricted environments. Manufacturing equipment, healthcare devices, and smart home products each require tailored certificate management strategies that consider their unique operational constraints and security requirements.

Organisations that have implemented robust certificate management solutions typically see significant improvements in operational reliability and efficiency. Industry reports consistently show that automated certificate management can substantially reduce certificate-related incidents while simultaneously lowering the administrative overhead and costs associated with manual certificate processes.

If that isn’t enough of a compelling reason for many to reevaluate their IoT certificate management strategies, it’s worth noting that the certificate ecosystem is rapidly evolving. Browser vendors and industry standards bodies are pushing for shorter certificate validity periods—moving from years to months in many cases. This trend, while improving security, creates additional challenges for IoT device manufacturers who must adapt their certificate management processes accordingly. Additionally, regulatory frameworks like NIST SP 800-213 and the EU Cyber Resilience Act are beginning to mandate more robust certificate management practices for connected devices, adding compliance incentives beyond just operational reliability.

IoT devices have become everyday parts of our lives, used by businesses and private citizens alike, and as our reliance on them deepens, outages like Google’s will become all the more threatening. In turn, manufacturer failure in this area will alienate consumers and drive them towards competitors. Manufacturers should realise that effective certificate management strategies aren’t just a disaster prevention strategy, but a crucial part of product design, brand preservation and long-term competitiveness.

Tim McAllister, a seasoned professional with over 24 years of experience in senior management roles, currently serves as the Senior Director of Digital Trust at DigiCert, a provider of scalable identity and encryption solutions for the web and connected systems and devices.
