9 PKI Pitfalls and How Automation Helps You Avoid Them

November 23, 2021 | Robyn Weisman

Securing your PKI (Public Key Infrastructure) is an essential component of any effective machine identity management strategy. Because PKI is used to safeguard connections and communications among so many types of machines, including websites and microservices, you need full visibility into all the certificates your network is using and the intelligence to know where and how they are being used.

But visibility and intelligence are only two legs of the machine identity management stool. Without automation, you leave yourself vulnerable to a host of PKI pitfalls that involve everything from managing the lifecycles of your certificates to enforcing security policies. Here are nine examples of these pitfalls and how automation can enable you to avoid them.

  1. Outdated security protocols
    Once upon a time, websites were unencrypted, and SHA-1 was sufficient to protect internal systems. Those days are long gone, even though, shockingly, many organizations still have SHA-1 certificates floating around. Eventually, SHA-3 certificates, along with TLS 1.3, the current standard for encrypting websites, will themselves be outdated security protocols that hackers can exploit. If you can’t easily automate the replacement of certificates that use outdated security protocols, you’ll be a sitting duck for hackers.
  2. Weak key strength
    If you use keys that don’t offer at least 2048 bits of strength, you leave yourself open to hackers who can “crack” the encryption. A 2048-bit key takes four billion times longer to crack than the previous standard, the 1024-bit key. It doesn’t make sense to leave your keys open to easy guessing when you can automate their replacement with keys that meet the higher standard.
  3. Self-issued keys and certificates
    Self-issued certificates are typically used internally for testing purposes. But if they get used externally, they won’t be trusted and can present a huge security liability. They’re not as robust as CA-issued certificates, they are typically not stored as securely, and they can be difficult to find later on, presenting blind spots for hackers to hide in. Thankfully, you can automate the enforcement of how these certificates are stored and used, as well as the removal of these vulnerable certificates before hackers get hold of them.
  4. Substandard protection of private keys
    There’s no point in installing a lock on your front door if you leave the key peeking out from under your doormat. Too often, however, organizations leave their private keys strewn about in places easily accessible to hackers—everything from unencrypted hard drives to spreadsheets and even email! You need to control access to your private keys using strict authentication protocols and zero-trust initiatives. Automating enforcement of these policies means only those who need access to these keys get it—versus everyone else in the world.
  5. Wildcard Certificates
    A wildcard certificate allows multiple subdomains of a domain to be validated with one umbrella certificate. This can be especially convenient for organizations that rely on manual processes to manage certificate procurement and replacement. But it also leaves organizations open to attacks from spoofed subdomains that can impersonate these sites through DNS. Additionally, wildcard certificates are often used indiscriminately, making them difficult to track down and replace once they expire. Automating the lifecycles of your certificates—from procurement to renewal—makes tracking and replacing wildcard certificates painless. It also removes the need for them in the first place.
  6. Failure to Revoke Certificates
    Unaccounted-for certificates can cause a lot of hullabaloo. They may be unused, or installed in the wrong place, or carry errors from their certificate signing requests. If a certificate is not fully operational or has a lifespan greater than one year, it should be ferreted out and revoked to prevent man-in-the-middle attacks. Automation simplifies this process dramatically while removing the potential for human error.
  7. Infrequent Key Rotation
    Many know to change out their certificates regularly, and shortened certificate lifespans help ensure this happens. Because certificates can be duplicated, you should also change out their corresponding keys to prevent hackers from leveraging stolen ones. Best practice is to rotate keys and certificates every six months. That may sound like a lot, but it won’t if the task is automated.
  8. Complicated CA Hierarchies
    Keep it simple. Implementing multiple CAs within a PKI environment is difficult enough; the priority should be securing each certificate—not obsessing over the diagrams and flowcharts. Place CAs where you need them—root CAs, online issuing CAs, policy CAs and others—and move on.
  9. Rogue Certificates
    When organizations implement digital transformation initiatives without updating the way they manage certificates, developers—whose top priority is speed rather than security—may circumvent lengthy, outdated processes for procuring certificates by just grabbing one from, say, Let's Encrypt that InfoSec doesn’t know about and so can’t track. If these rogue certificates are not located and removed from the network, they could lead to outages or exploitation by savvy threat actors. Automation enables you to streamline certificate procurement and renewal by allowing developers and other end users to grab their own certificates that comply with your security policies, without slowing them down.
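
As an added illustration (not Venafi's code and not code from this post), here is a Go program that turns pitfalls 1, 2, 3, 5, 6 and 7 into one automated policy check using only the standard library. It generates its own test certificates in memory so that it runs offline: a deliberately weak one (RSA 1024, self-signed, wildcard name, three-year validity) and a sound one (P-256, 90-day validity, issued by a throwaway CA built in the same program). The thresholds are the ones the post states; the 182-day figure standing in for "six months", the names *.weak.example, www.example.test and ca.example.test, and all function names are this example's own assumptions.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

type Finding struct{ Subject, Rule string }

// Thresholds from the post; 182 days as "six months" is this example's assumption.
const (
	minRSABits  = 2048
	maxValidity = 365 * 24 * time.Hour
	rotateAfter = 182 * 24 * time.Hour
)

// CheckCertificate returns every rule the certificate violates (empty means it passes).
func CheckCertificate(c *x509.Certificate) []Finding {
	var out []Finding
	add := func(rule string) { out = append(out, Finding{c.Subject.CommonName, rule}) }
	switch c.SignatureAlgorithm { // pitfall 1: outdated signature algorithms
	case x509.MD5WithRSA, x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		add("outdated signature algorithm: " + c.SignatureAlgorithm.String())
	}
	if k, ok := c.PublicKey.(*rsa.PublicKey); ok && k.N.BitLen() < minRSABits { // pitfall 2
		add(fmt.Sprintf("weak RSA key: %d bits", k.N.BitLen()))
	}
	if c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil { // pitfall 3: verifies under its own key
		add("self-signed certificate")
	}
	for _, name := range c.DNSNames { // pitfall 5
		if strings.HasPrefix(name, "*.") {
			add("wildcard name: " + name)
		}
	}
	if c.NotAfter.Sub(c.NotBefore) > maxValidity { // pitfall 6
		add("validity longer than one year")
	}
	if time.Since(c.NotBefore) > rotateAfter { // pitfall 7
		add("issued more than six months ago: rotate key and certificate")
	}
	return out
}

// must panics on error: the test data below is constructed and cannot legitimately fail.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// leafTemplate builds a server-certificate template (constructed test data).
func leafTemplate(cn string, validity time.Duration) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(validity),
		DNSNames:     []string{cn},
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
}

// issue signs tmpl with parentKey (self-signed when parent is nil) and parses the result.
func issue(tmpl *x509.Certificate, key crypto.Signer, parent *x509.Certificate, parentKey crypto.Signer) *x509.Certificate {
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, key.Public(), parentKey))
	return must(x509.ParseCertificate(der))
}

// WeakCertFindings checks an RSA-1024, self-signed, wildcard, three-year certificate.
func WeakCertFindings() []Finding {
	key := must(rsa.GenerateKey(rand.Reader, 1024))
	return CheckCertificate(issue(leafTemplate("*.weak.example", 3*365*24*time.Hour), key, nil, nil))
}

// GoodCertFindings checks a 90-day P-256 leaf issued by a throwaway CA built here.
func GoodCertFindings() []Finding {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := leafTemplate("ca.example.test", 24*time.Hour)
	caTmpl.IsCA, caTmpl.BasicConstraintsValid, caTmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	ca := issue(caTmpl, caKey, nil, nil)
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	return CheckCertificate(issue(leafTemplate("www.example.test", 90*24*time.Hour), leafKey, ca, caKey))
}

func main() { fmt.Println("weak:", WeakCertFindings(), "good:", GoodCertFindings()) }
```

In a real inventory you would feed CheckCertificate the certificates a scanner already collects (x509.ParseCertificate on each PEM block found on hosts and load balancers) and route the findings into the replacement workflow the post describes. The self-signed rule fires on every root CA as well, which is expected: the policy question is whether a self-signed certificate is being used as a leaf outside the test lab, so a real deployment would exempt the roots it knows about.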

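For pitfall 4, an added example (again not from the post or from Venafi) of the kind of check automation can run against key storage: a Go audit that walks a directory tree, recognises PEM private-key files, and reports any that are readable by group or others, or that are stored without passphrase protection. It builds its own throwaway directory with placeholder PEM bodies (constructed, not real keys) so it runs offline. It assumes a POSIX filesystem, and treating an unencrypted on-disk key as a finding is this example's policy choice rather than a rule the post states.

```go
package main

import (
	"bytes"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// KeyFinding names one private-key file and the reason it was flagged.
type KeyFinding struct {
	Path   string
	Perm   fs.FileMode
	Reason string
}

// isPrivateKeyPEM matches PKCS#1, PKCS#8, EC and OpenSSH PEM headers, all of
// which end in "PRIVATE KEY-----".
func isPrivateKeyPEM(data []byte) bool {
	return bytes.Contains(data, []byte("PRIVATE KEY-----"))
}

// AuditPrivateKeys walks root and flags private-key files that are readable by
// group or others (any 0o077 bit set) or that carry no passphrase protection
// (no "ENCRYPTED" marker in the PEM header). Files over 1 MiB are skipped.
func AuditPrivateKeys(root string) ([]KeyFinding, error) {
	var out []KeyFinding
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		info, err := d.Info()
		if err != nil || info.Size() > 1<<20 {
			return err
		}
		data, err := os.ReadFile(path)
		if err != nil || !isPrivateKeyPEM(data) {
			return err
		}
		perm := info.Mode().Perm()
		if perm&0o077 != 0 {
			out = append(out, KeyFinding{path, perm, "readable by group or others"})
		}
		if !bytes.Contains(data, []byte("ENCRYPTED")) {
			out = append(out, KeyFinding{path, perm, "stored without passphrase protection"})
		}
		return nil
	})
	return out, err
}

// DemoAudit builds a throwaway directory of constructed sample files and audits
// it. The PEM bodies are placeholders ("AAAA"), not real key material.
func DemoAudit() ([]KeyFinding, error) {
	dir, err := os.MkdirTemp("", "keyaudit")
	if err != nil {
		return nil, err
	}
	defer os.RemoveAll(dir)
	files := []struct {
		name, body string
		mode       fs.FileMode
	}{
		{"server.key", "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n", 0o644},
		{"backup.key", "-----BEGIN ENCRYPTED PRIVATE KEY-----\nAAAA\n-----END ENCRYPTED PRIVATE KEY-----\n", 0o600},
		{"README.txt", "no key material here\n", 0o644},
	}
	for _, f := range files {
		p := filepath.Join(dir, f.name)
		if err := os.WriteFile(p, []byte(f.body), f.mode); err != nil {
			return nil, err
		}
		if err := os.Chmod(p, f.mode); err != nil { // Chmod bypasses the umask that WriteFile honours
			return nil, err
		}
	}
	return AuditPrivateKeys(dir)
}

func main() {
	findings, err := DemoAudit()
	for _, f := range findings {
		fmt.Printf("%s (%v): %s\n", f.Path, f.Perm, f.Reason)
	}
	if err != nil {
		fmt.Println("error:", err)
	}
}
```

Pointed at real hosts (home directories, CI workspaces, file shares), this is the check that catches the "key under the doormat" case the post describes; the findings feed the same automated replacement and access-policy enforcement as the certificate checks above, with the added step of rotating any key found exposed.
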
Don’t forget the automation

In today’s digitally transformed world, it’s impossible to track every machine identity being used in your organization. Automation makes sure that your certificate management policies are enforced and your processes run smoothly, so that you can avoid these and other pitfalls that plague organizations.

The Venafi Trust Protection Platform can help you automate management of your TLS keys and certificates, SSH keys, code signing keys and user certificates across your entire enterprise. Find out how you can secure this avalanche of new and constantly changing machine identities by speaking to one of our experts.

About the author

Robyn Weisman

Robyn is a Senior Content Writer at Venafi. She helps enterprise IT vendors pinpoint their marketing challenges and develop content marketing strategies. She worked for several well-known technology trade publications for over 15 years, and has a Master's Degree in Screenwriting from USC.