4 Spooky Mistakes that Can Haunt Your PKI

October 29, 2019 | Scott Carter
Let’s face it.

It’s a spooky world out there in cyber security. When you really stop to think about it, it’s pretty easy to be frightened by the consequences of any lapse in process or performance. For PKI administrators in particular, the prospect of an expired certificate taking down business-critical infrastructure, or of a compromised key being used in a successful cyber attack, is downright hair-raising. It’s even scarier when you realize that small PKI mistakes can have disastrous results for reliability, availability and risk. Seemingly innocuous practices, such as key sharing, widespread use of wildcard certificates and unauthorized CAs, can come back to haunt you.

Why is it so hard to secure the vast numbers of keys and certificates that serve as machine identities? If you don’t have the right technology and processes in place, it’s easy for this challenge to overwhelm even the most knowledgeable PKI professionals. In this blog, I’ll highlight (lowlight) a few horror stories of things that can go wrong with your PKI. Ideally, these “tales from encrypt” will help you avoid the blood-curdling screams that happen when someone makes a simple mistake and the PKI team has to endure some organizational torture as a result.


Here’s what can go horribly wrong. Read on if you dare.
  1. You turn your PKI into a ghost
    If your root-signing certificate authority (CA) goes offline for any reason, you’d better make sure that you know where it’s located. I’ve heard of a couple of organizations that set up their root CA on a virtual machine and then allowed that machine to go dormant. When IT ops teams came along to tidy up dormant virtual machines, they inadvertently disabled the entire PKI by deleting the virtual machine where the forgotten root CA was installed. All that was left was the completely invisible ghost of a PKI. So, they lost access to all machines that used certificates from the deleted internal CA. Without the right technology, this could take months to fix!

  2. You don’t properly bury phantom certificates
    Not all of your administrators understand PKI the way you do. So, chances are they’ll make a pretty common mistake, like trying to install a certificate on an Exchange server without really understanding where it should go. They may eventually put the certificate in the right place—but what about all the other places they tried to put it that didn’t work? Were those copies properly deleted? Or are they littered across that server, giving bad guys plenty of opportunities to find and abuse them? Any certificate that’s outside of your visibility is one that will probably come back to haunt you.

  3. You’ve got zombie certificates that refuse to die
    Managing certificates manually can be time and resource intensive, especially if you’re trying to use spreadsheets, internal scripts or CA dashboards with limited functionality. So, it’s pretty tempting to try to eliminate this problem by extending certificate expiration periods. Why not issue a certificate that lasts, say, 99 years? In theory, you won’t have to worry about rotating them in this lifetime. Right? Not so fast. This hack may save you some time, but it does so at the expense of increasing your organizational security risk. Longer lifespans simply give attackers more time to hack the private keys for those certificates. Even three-, five- or ten-year certificates will put your organization at greater risk.

  4. Your wildcard certificates are more trick than treat
    Wildcard certificates are so easy to use that they are often used indiscriminately—so indiscriminately that many organizations don’t track them. If you don’t know which machines are using which wildcard certificates, it’s nearly impossible to renew them all before they expire. When the wildcard certificate eventually expires, every machine where it is installed will stop communicating at the same time. And it will take hours of precious time and resources to track them all down and reinstall new certificates. And, of course, Murphy’s Law dictates this will happen at the worst possible time, like Halloween or Day of the Dead.
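Mistakes 2, 3 and 4 all come down to not knowing what certificates are installed where, how long they live, and which of them are wildcards. The following Go program is an added example, not code from this post or from Venafi: it audits a set of certificate files and flags the three conditions the post describes. The policy thresholds (a 398-day maximum lifetime, a 30-day renewal window), the file paths, and the self-signed sample certificates are all constructed assumptions for the demonstration; a real scanner would walk the filesystem and certificate stores instead of taking a map of files.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"sort"
	"strings"
	"time"
)

// Policy thresholds are assumptions chosen for this example, not values from the post.
const (
	MaxLifetime   = 398 * 24 * time.Hour // longest certificate lifetime the policy tolerates
	RenewalWindow = 30 * 24 * time.Hour  // flag anything with less validity left than this
)

// AuditTime is a fixed "now" so the example runs deterministically.
var AuditTime = time.Date(2019, time.October, 29, 12, 0, 0, 0, time.UTC)

// Finding is one problem the audit reports; Kind is zombie, wildcard, phantom or expiry.
type Finding struct{ Kind, Path, Detail string }

// AuditCertificates inspects PEM files (path -> contents) and reports over-long lifetimes,
// wildcard names, approaching expiry, and identical copies of one certificate at several paths.
func AuditCertificates(files map[string][]byte, now time.Time) []Finding {
	var findings []Finding
	fpOf := map[string][32]byte{}     // path -> SHA-256 of the DER certificate
	copies := map[[32]byte][]string{} // fingerprint -> every path holding that certificate
	paths := make([]string, 0, len(files))
	for p := range files {
		paths = append(paths, p)
	}
	sort.Strings(paths) // deterministic report order
	for _, p := range paths {
		block, _ := pem.Decode(files[p])
		if block == nil || block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			continue // unreadable file; a production scanner would log this
		}
		fp := sha256.Sum256(cert.Raw)
		fpOf[p], copies[fp] = fp, append(copies[fp], p)
		if life := cert.NotAfter.Sub(cert.NotBefore); life > MaxLifetime {
			findings = append(findings, Finding{"zombie", p, fmt.Sprintf("%s is valid for %.0f days (policy max %.0f)",
				cert.Subject.CommonName, life.Hours()/24, MaxLifetime.Hours()/24)})
		}
		if left := cert.NotAfter.Sub(now); left < RenewalWindow {
			findings = append(findings, Finding{"expiry", p, fmt.Sprintf("%.0f days of validity left", left.Hours()/24)})
		}
		for _, name := range append([]string{cert.Subject.CommonName}, cert.DNSNames...) {
			if strings.HasPrefix(name, "*.") {
				findings = append(findings, Finding{"wildcard", p, "covers " + name + "; inventory every host using it before renewal"})
				break
			}
		}
	}
	for _, p := range paths { // report each set of identical copies once, at its first path
		if c := copies[fpOf[p]]; len(c) > 1 && c[0] == p {
			findings = append(findings, Finding{"phantom", p, "identical certificate also at " + strings.Join(c[1:], ", ")})
		}
	}
	return findings
}

// makeCert builds a self-signed test certificate: constructed sample data, not a real deployment.
func makeCert(cn string, dns []string, notBefore time.Time, lifetime time.Duration) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, DNSNames: dns,
		NotBefore: notBefore, NotAfter: notBefore.Add(lifetime), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// SampleFiles is a constructed stand-in for the certificate files found on one server.
func SampleFiles() map[string][]byte {
	issued := AuditTime.Add(-24 * time.Hour)
	web := makeCert("www.example.internal", []string{"www.example.internal"}, issued, 365*24*time.Hour)
	return map[string][]byte{
		"/etc/ssl/certs/web.pem":              web,
		"/opt/exchange/first-attempt/web.pem": web, // forgotten copy from a failed install attempt
		"/etc/ssl/certs/legacy.pem":           makeCert("legacy.example.internal", nil, issued, 99*365*24*time.Hour),
		"/etc/ssl/certs/wildcard.pem":         makeCert("*.example.internal", []string{"*.example.internal"}, issued, 365*24*time.Hour),
	}
}

func main() {
	for _, f := range AuditCertificates(SampleFiles(), AuditTime) {
		fmt.Printf("[%s] %s: %s\n", f.Kind, f.Path, f.Detail)
	}
}
```

On the constructed sample, the audit reports the 99-year certificate as a zombie, the `*.example.internal` certificate as a wildcard that needs a host inventory, and the copy left behind under the Exchange directory as a phantom of the web certificate. Duplicates are matched by SHA-256 fingerprint of the DER bytes rather than by subject name, so two different certificates issued for the same name are not confused with one certificate installed twice.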

As you can see, it’s all too easy to make ghoulish mistakes with your PKI that have serious implications for your business. I hope that by highlighting some of the things we’ve seen that can go terribly wrong with PKIs, you can learn from other people’s mistakes. And you’ll never have to go through the nightmares that so many of your peers have endured.

About the author

Scott Carter

Scott is Senior Manager for Content Marketing at Venafi. With over 20 years in cybersecurity marketing, his expertise leads him to help large organizations understand the risk to machine identities and why they should protect them.