Certificate Lifecycle Management: People, Process and Technology

April 25, 2018 | David Bisson
X

Get the latest security news in your inbox.

Subscribe via Email

No thanks. Close this now.

Trust and Digital Certificates

Trust is a valuable commodity in the age of data proliferation. An abundance of information makes it possible for bad actors to impersonate trusted brands using fake websites and accounts. Organizations therefore need a way to ensure that potential customers can trust their identity when visiting their official website, especially if they decide to purchase their goods or services.

To address this issue of trust online, organizations look to the Public Key Infrastructure (PKI). This framework enables the issuance of public key certificates, otherwise known as digital certificates. These documents use security technology called Transport Layer Security (TLS) and previously Secure Sockets Layer (SSL) to encrypt a connection between a company's web server and a user's browser. As such, digital certificates provide a way for web users to trust that a website domain owner is who they say they are and that the transmission of their information with the website is secure.

Challenges of Certificate Management

It's not difficult for organizations to obtain a digital certificate. Depending on the level of trust they want to build with users, they can obtain a domain validation (DV), organization validation (OV) or extended validation (EV) certificate. These different types of electronic documents require that domain owners submit to validation checks conducted by trusted Certificate Authorities (CAs). In the case of DV certificates, CAs look to confirm the contact listed in the WHOIS record of a domain. EV certification is comparatively more thorough, requiring steps to confirm legal and physical operation. For those that obtain EV certificates, web browsers display their names in green along with a padlock indicating HTTPS protection in the address bar.

Extended validation SSL certificate

(Source: Quora)

Difficulties in Certificate Management

By contrast, managing a certificate can be difficult. This is especially true for enterprises that use numerous certificates issued by multiple CAs to protect their web resources. Here are some of the biggest enterprise certificate management challenges identified by DigiCert, a trusted CA, in a useful web guide (PDF):

  1. Keeping Certificates Up-to-Date: TLS certificates suffer from security vulnerabilities just like other software. The problem could arise from misconfigurations, such as missing fields and the use of internal names, or they could owe their existence of out-of-date hashing algorithms. Organizations need to be able to discover these flaws and remediate them to prevent bad actors from compromising and abusing their certificates.
  2. Ensuring Complete Visibility Over All Certificates: In an enterprise, some users may have the authority to request, approve and issue a certificate. This level of access is fine as long as the organization can maintain complete visibility over its certificates. Without it, bad actors can seize upon an overlooked certificate and use it to their advantage.
  3. Managing Certificate Expirations: Besides suffering from vulnerabilities, all certificates have an expiration date. That maximum validity period for a certificate is two years as of 1 March 2018. At the end of that period, organizations need to renew their certificates or risk them expiring, a scenario which could allow bad actors to renew those certificates in their names and/or steal users' now unencrypted data when exchanged with the domain owner.

insecure connection digital certificate

(Source: Super User)

Certificate Lifecycle: A Holistic Approach

To adequately protect their digital certificates against bad actors, organizations need to manage their electronic documents across their entire lifecycles. This involves properly accounting for certificates from the moment they're issued to their renewal/expiration.

Certificate lifecycle management involves building up an organization's people, process and technology. Here are Entrust's recommendations:

  1. Assign Roles: As part of their certificate lifecycle management plan, organizations need to clearly identify administrators who can manage issuance, expiration, etc. as well as approvers and other required roles. Companies can then use each entrusted employee's privileges to streamline workflows by deciding what types of notifications each person will receive as well as implementing security controls at each phase.
  2. Build an Inventory: Those employees responsible for organizations' certificate lifecycle management should oversee the creation of an inventory of all certificates in the environment. This step usually requires an audit of all domains, applications and certificates. With an inventory in place, administrators can then add new certificates as they become available, monitor existing resources for vulnerabilities and stay on top of impending expiration dates.
  3. Invest in Automation: It's possible for organizations to build inventories and manage their certificates manually. But there's always the chance that they could miss a certificate or an important alert. For that reason, companies should consider investing in a solution that uses a centrally managed system to automate the certificate discovery, management and renewal processes.

Trust for the Future

Digital certificates help confirm organizations' identities to web users. With these certificates, users can trust they're dealing with a domain owner that is who they say they are. It follows that companies should leverage their people, process and technology to make sure that trust is always there. Towards that end, certificate lifecycle management is the way to go.

David Bisson

About the Author: David Bisson
David Bisson is an information security journalist and security news junkie. He is the Senior Content Manager at Bora Design, an IT security marketing agency which specializes in content creation and social media management. Through Bora, he serves as Associate Editor for The State of Security, the official blog for Tripwire, Inc., and Contributing Author for Venafi. David also writes for IBM Security Intelligence, Gemalto, and others.
Read more posts from David Bisson ›

‹ BACK TO ALL BLOGS

Watch a Demo ›
GET PRICE FREE TRIAL CHAT