Skip to main content
banner image
venafi logo

All TLS Certificates Are NOT Created Equal [What You Need to Know]

All TLS Certificates Are NOT Created Equal [What You Need to Know]

November 3, 2021 | Diane Garey

I enjoy a good science fiction movie so gave Voyagers a try recently. If this were a movie review, I’d give it two thumbs down for poor execution, but the description was interesting enough, "An expedition to colonize a distant planet descends into chaos as the young astronauts explore their most primitive natures in this sci-fi thriller."  Think George Orwell’s Animal Farm, but with teenagers on a spaceship rather than pigs on a farm.  

At the start of the movie, all the teenage astronauts are basically equal, just like in Animal Farm where “all animals are equal.” But in the movie, as in the book, that quickly changed. For the purposes of this blog, I will use “equal” with quotes to note where at first glance, a TLS certificate might seem the same as any other but, in reality, it’s not that equal at all.  

In the world of machine identities, there are those like TLS certificates that, at first glance, seem like they’re all equal. All TLS certificates do play a critical role in securing and encrypting communications between machines (e.g., like a client and a server). However, in practice, there are actually subtle differences—in the TLS certificates themselves, where they’re used, and who is using them. Considering these differences, you’ll need to carefully choose which certificates you use in your organization and how those certificates should fit into your machine identity management strategy. I’ll explore a few of these areas that come up frequently in conversation with Venafi customers. 

 

Do you know enough about TLS machine identities? Get the Dummies Guide.
  • What type of TLS certificates are you using? 
    It’s important that you know which different types of TLS certificates that are suitable for different use cases in your organization. At a high level, there are public and private TLS certificates. Public TLS certificates are issued by a trusted certificate authority (CA) for use on things like public facing websites. Private TLS certificates are typically used on internal networks and are issued either by a trusted CA or by an internal PKI within your organization, like Venafi Zero Touch PKI. You could make a case that public TLS certificates should be more “equal” than private ones given they’re exposed to the internet. However, as we’ve discussed in recent blog articles, if you’re adopting a Zero Trust model (which you hopefully are), it’s important to secure every connection point which means both public and private TLS certificates need to be included in your machine identity management strategy.  
     
    When you buy a public TLS certificate from a trusted CA, there are different options. There’s lots of great information about Domain Validated (DV), Organization Validated (OV) and Extended Validated (EV) from our many Certificate Authority technology partners if you want to learn more about the differences. In a nutshell, each of these types of TLS certificates has different layers of validation that are designed to gauge their levels of trust.  
     
    One other option that I want to highlight here is a wildcard certificate. A wildcard certificate is a public certificate that can be used on multiple subdomains. For example, if I had a wildcard certificate for venafi.com then I could cover: 

    www.venafi.com

    mobile.venafi.com

    shop.venafi.com

    cloud.venafi.com

    At first glance, wildcard certificates might seem like a great idea, making it easy to secure multiple sites without needing to manage multiple, different TLS certificates. And that is true if you are effectively managing those wildcard certificates. The flip side however is if the wildcard certificates expire or are compromised, they can very quickly have a broad impact across systems or applications. For these reasons, wildcard certificates may seem to be more “equal” that others. However, if they’re being used in your organization, having visibility into them needs to be an important part of your machine identity management strategy.  
     

  1. Where are you using the TLS certificate? 
    As mentioned earlier, TLS certificates play a critical role in secure and encrypted communications between machines. Since organizations today have more machines in more places than ever before, there are more use cases for TLS certificates. In this growing landscape of machine identities, one way to determine if one certificate is more “equal” than another is to identity where the certificate is being used. A print server and a load balancer should both have a certificate but if you are looking to prioritize that as part of your machine identity management program, which one should be an initial wave of automating certificate renewals? The certificate on the load balancer probably plays a more important role to the organization and for that reason probably should be prioritized higher. 
     

  2. What is the volume and velocity of your certificates? 
    While some TLS certificates can stay on a website, server, device, or other machine for a long period of time (398 days for public TLS certificates from trusted CAs), other TLS certificates have much shorter lifespans. Virtual machines, cloud instances, containers and microservices that need a TLS certificate can be spun up in seconds. They can also be retired just as quickly. When issuing TLS certificates becomes part of an automated build process, a certificate might be requested but then retired after several minutes, hours, days, or weeks when there’s another build. 
     
    That brings up an interesting point. Are TLS certificates that are needed quickly and have a shorter lifespan less “equal” than other TLS certificates and therefore don’t need to be included in a machine identity management program? We know from working with Venafi customers that one of their biggest TLS certificate challenges is certificates that expire and cause an outage. But that may not be as much of a factor for certificates with short lifespans. However, there are many other reasons that even a short-lived certificate needs to be part of a machine identity management program. It's important that all certificates are compliant with security and audit policies. And without guidance, developers might take shortcuts that increase security risks like: 

    Creating their own certificate authority (CA) to issue certificates 

    Using CAs outside of policy 

    Using improperly signed certificates 

    Not following practices for secure issuance, configuration, or installation 
     

The takeaway: 

You need to manage all TLS certificates, even if they are not created equal 

While all TLS certificates perform similar functions, it's true that some TLS certificates are more "equal" than others. That said, there are reasons to include all your TLS certificates in your machine identity management program, even if factors such as how or why you manage them may vary. With the Trust Protection Platform, Venafi helps hundreds of leading organizations successfully manage TLS certificates and other machine identities in a whole spectrum of diverse environments.  
 

Related posts: 

Like this blog? We think you will love this.
attaques de décapage ssl
Featured Blog

En quoi consistent les attaques SSL strip ?

  Un peu d'histoire

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies
eBook

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

Diane Garey
Diane Garey

Diane is on the product marketing team at Venafi and loves sharing how the Venafi Platform helps organizations protect their machine identities.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud


Venafi Cloud manages and protects certificates



* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
(@%+^!#$?:,(){}[]~`-_)
* Please fill in this field
* Please fill in this field
* Please fill in this field
*

End User License Agreement needs to be viewed and accepted



Already have an account? Login Here

×
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more