
Certificate Management Best Practices

January 4, 2021 | Anastasios Arampatzis

Organizations use SSL/TLS certificates and keys to secure communications over the internet: the certificate authenticates the server (and, with client certificates, the client), and the TLS session encrypts data in transit. That means organizations are using X.509 certificates across their entire IT infrastructure to protect corporate information and their customers. Given how many transactions in a large organization depend on these certificates, managing them well matters. One of the challenges of managing a large number of certificates is that the expiration of even a single one can cause application outages that may prove very costly and trigger any number of ripple effects.

As digital transformation gets underway and businesses automate processes to cut costs and raise productivity, more cloud platforms, IoT devices, virtual machines and services are introduced into corporate networks. Every one of these machines that provides access to corporate data needs an identity, and organizations need to know which machines those are. As a result, the number of digital certificates owned by enterprises is exploding.

The problems with manual certificate management

Certificates are not a “fire and forget” solution. These machine identities have their own lifecycle, which needs to be managed effectively. Once a certificate is installed, it has to be continuously monitored for conditions that undermine its validity (revocation, a compromised or weak key, a deprecated signature algorithm, a CA that is no longer trusted), renewed before it expires, and replaced with a new one when necessary.

Using manual processes to manage the certificate lifecycle is an error-prone, unreliable, and time-consuming approach, especially when you consider the thousands of certificates an organization might need to handle on a regular basis. The maximum validity of publicly trusted TLS certificates is currently capped at 398 days (roughly one year), and we can anticipate that lifespans will become even shorter in the months to come. Manual certificate management creates a lot of problems, including:

  • Inefficient policy enforcement and auditing: Without consistent control over who issues and owns certificates and keys, there is no reliable audit trail and no way to enforce policy corporate-wide.
  • Blurred visibility: Without centralized processes, visibility into your trust structures is severely limited, and certificates go untracked. That lack of visibility makes it extremely difficult, if not impossible, to locate certificates before they expire and so prevent certificate outages.
  • Insecure private key storage: When nobody knows who owns a certificate, its private key tends to sit in an unsecured location (a file on a web server, a shared drive, a ticket) instead of a centrally managed Hardware Security Module (HSM). This insecure practice leaves the enterprise exposed to data breaches through compromised certificates and keys.

Best Practices for Certificate Management

Businesses can avoid these certificate management problems by establishing centralized, well-structured certificate lifecycle management processes and ensuring that all development and operations teams have clear visibility and control over their PKI. These processes should be automated to remove the margin for human error, and backed by a security infrastructure (trusted CAs, HSMs, policy engines) that can handle your encryption needs at scale.

The best way to ensure you are following the industry’s best practices in certificate management is to delve into the NIST recommendations for TLS server certificate management laid out in SP 1800-16, “Securing Web Transactions: TLS Server Certificate Management.” The following points, however, constitute a quick best practice guide for securely and effectively managing your certificates.

Obtain Visibility

Ensure that you are always aware of every certificate in your enterprise. Having visibility into your certificates means periodically scanning the network to identify certificates and mapping them to the machines where they are installed. While this greatly simplifies future certificate management processes, it also lets administrators look back and discover orphaned, expired, or otherwise insecure certificates (for example, ones issued by an unapproved CA or using a weak key).

Maintain Inventory

Certificate discovery doesn’t stop with scanning your network. Care must be taken to ensure that the results of the scan are stored and updated in your existing inventory, together with the metadata the certificate itself does not carry: who owns it, where its private key lives, and which application depends on it. In addition, discovered certificates should be grouped to allow for simpler management. You may elect to create groups for certificates used in testing and production environments. You may also group them based on business functions; grouping by function simplifies tracking your certificates and escalating alerts to the right team.

Enforce Policy

It is not enough to just develop organizational policies according to the NIST recommendations. You will have to enforce these best practices via automation. For example, it’s in your best interest to automatically renew any certificate once it has consumed 80% of its validity period, which leaves a fifth of its lifetime as a window to fix a failed renewal before the certificate expires. Such rule-definition capabilities for policy enforcement enable you to prevent outages and recover from potential incidents.

Protect Private Keys

It is highly recommended that you store private keys in equipment validated to the FIPS 140-2 standard (or its successor, FIPS 140-3), usually Hardware Security Modules (HSMs), so that the key never leaves the device in plaintext. No matter which key protection solution you choose to rely on, make sure to remove the human factor from the security equation. When you prevent individuals from having direct access to private keys, you greatly reduce the risk of theft or misuse and make potential compromises simpler to detect, because every use of the key goes through an auditable system rather than a person. You can automate key orchestration by automating the workflows that push certificates and their keys to machines. In cases where people do need access to keys, establish a role-based, least-privilege approach.

Continuous End-to-End Monitoring

Besides establishing automated processes for certificate lifecycle management, PKI infrastructures have to be continuously monitored for gaps. You will need to set up a monitoring system that ties into every aspect of your certificates across multiple CAs and your network security and automation software. Dashboards that track certificate expiry and conformance with corporate policy are incredibly handy. In addition, you should establish an early warning system that alerts designated certificate owners to impending issues that require their action. Routing each alert to the owner of the affected certificate keeps all stakeholders informed while minimizing noise.
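The discovery, inventory, policy and early-warning steps above fit together naturally in code. The following is an added example, not code from the original post or from Venafi: it uses only the Python standard library to pull the certificate a live host presents (the `discover` function, which needs network access and is not exercised by the offline sample), normalise it into an inventory record with owner and key-storage metadata, evaluate the record against the rules the post describes (renew at 80% of validity, 398-day maximum validity, keys held in an HSM, a named owner, the scanned host covered by the certificate’s names), and group the resulting findings per owner. The hostnames, dates, owners and the “.test.” naming convention are constructed for illustration.

```python
"""Added example: certificate discovery, inventory records and lifecycle-policy checks."""
import socket
import ssl
from datetime import datetime, timedelta, timezone

RENEW_AT = 0.80                     # renew once this share of the validity period has elapsed
MAX_VALIDITY = timedelta(days=398)  # cap for publicly trusted TLS certificates since Sept 2020


def _utc(cert_time):
    """ssl renders dates as e.g. 'Jan  4 00:00:00 2021 GMT'; convert to an aware datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)


def environment(host):
    """Assumed naming convention for grouping: a '.test.' label marks non-production hosts."""
    return "test" if ".test." in host else "prod"


def record_from_peercert(host, port, cert, owner=None, key_storage=None):
    """Turn the dict returned by ssl.SSLSocket.getpeercert() into an inventory record.
    owner and key_storage are inventory metadata the certificate itself does not carry."""
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    return {
        "host": host, "port": port, "environment": environment(host),
        "common_name": subject.get("commonName"),
        "sans": [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"],
        "not_before": _utc(cert["notBefore"]), "not_after": _utc(cert["notAfter"]),
        "owner": owner, "key_storage": key_storage,
    }


def discover(host, port=443, timeout=5.0):
    """Live discovery (needs network). ssl only decodes certificates it accepted, so a
    verification failure (expired, untrusted CA, name mismatch) is returned as a finding."""
    ctx = ssl.create_default_context()  # system trust store, hostname checking on
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return record_from_peercert(host, port, tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        return {"host": host, "port": port, "finding": f"VERIFY: {exc}"}


def evaluate(record, now=None):
    """Apply lifecycle policy to one record; returns a list of findings (empty = compliant)."""
    now = now or datetime.now(timezone.utc)
    if "finding" in record:          # discovery already failed for this host
        return [record["finding"]]
    findings = []
    validity = record["not_after"] - record["not_before"]
    elapsed = now - record["not_before"]
    if now >= record["not_after"]:
        findings.append("EXPIRED")
    elif elapsed >= RENEW_AT * validity:
        findings.append(f"RENEW: {elapsed / validity:.0%} of validity used, "
                        f"{(record['not_after'] - now).days} days left")
    if validity > MAX_VALIDITY:
        findings.append(f"POLICY: validity {validity.days} days exceeds {MAX_VALIDITY.days}")
    if record["host"] not in record["sans"]:  # exact match only; wildcards not handled here
        findings.append("NAME: host not covered by subjectAltName")
    if record["key_storage"] != "hsm":
        findings.append("KEY: private key not held in an HSM")
    if not record["owner"]:
        findings.append("OWNER: no certificate owner recorded")
    return findings


def alerts_by_owner(records, now=None):
    """Early-warning routing: findings grouped per owner (None collects unowned certificates)."""
    alerts = {}
    for rec in records:
        for finding in evaluate(rec, now):
            alerts.setdefault(rec.get("owner"), []).append(f"{rec['host']}: {finding}")
    return alerts


def _peercert(cn, sans, not_before, not_after):
    """Shape of the dict getpeercert() returns (only the keys used above); constructed sample."""
    return {"subject": ((("commonName", cn),),),
            "subjectAltName": tuple(("DNS", s) for s in sans),
            "notBefore": not_before, "notAfter": not_after}


# Constructed sample inventory, evaluated as of the post's date.
NOW = datetime(2021, 1, 4, tzinfo=timezone.utc)
SAMPLE = [
    record_from_peercert("api.example.com", 443, _peercert("api.example.com", ["api.example.com"],
                         "Feb  1 00:00:00 2020 GMT", "Jan 31 00:00:00 2021 GMT"),
                         owner="platform-team", key_storage="hsm"),
    record_from_peercert("legacy.test.example.com", 8443, _peercert("legacy.example.com", ["legacy.example.com"],
                         "Dec 31 00:00:00 2019 GMT", "Dec 31 00:00:00 2020 GMT"),
                         owner=None, key_storage="file"),
    record_from_peercert("www.example.com", 443, _peercert("www.example.com", ["www.example.com", "example.com"],
                         "Dec  1 00:00:00 2020 GMT", "Dec  1 00:00:00 2021 GMT"),
                         owner="web-team", key_storage="hsm"),
    record_from_peercert("intranet.example.com", 443, _peercert("intranet.example.com", ["intranet.example.com"],
                         "Jan  1 00:00:00 2020 GMT", "Jan  1 00:00:00 2022 GMT"),
                         owner="it-ops", key_storage="hsm"),
]

if __name__ == "__main__":
    for owner, items in alerts_by_owner(SAMPLE, NOW).items():
        print(f"[{owner or 'UNOWNED'}]")
        for item in items:
            print("   ", item)
```

Run as a script, the sample produces one renewal alert for platform-team (the API certificate has used 93% of its validity with 27 days left), four findings for the unowned legacy test host (expired, name mismatch, key on disk, no owner), a policy violation for it-ops (a 731-day internal certificate), and nothing for web-team. In production you would replace `SAMPLE` with the output of `discover` over your host list and feed `alerts_by_owner` into whatever ticketing or paging system the owners actually watch.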


Organizations should ensure that they adhere to these recommendations. Better safe than sorry: it takes just one untracked certificate to break an otherwise solid machine identity management program. Preventing certificate outages is a lot simpler than dealing with their impact afterward.

The Venafi TLS Protect solution can help discover all your TLS certificates and corresponding private keys so you can protect these machine identities across your infrastructure. By automating the replacement of expiring certificates, you can eliminate outages and quickly respond to vulnerabilities, CA compromise, or other errors.


About the author

Anastasios Arampatzis

Anastasios Arampatzis is a retired Hellenic Air Force officer with over 20 years of experience in evaluating cybersecurity and managing IT projects. He works as an informatics instructor at AKMI Educational Institute, while his interests include exploring the human side of cybersecurity.
