6 Things You Probably Don’t Know about Your Certificates [And Why They Matter]

May 23, 2019 | Scott Carter

Whether your organization is trying to prevent machine identity attacks or stop outages, there’s a lot riding on the effectiveness of your machine identity protection program. But to create an effective program, you need in-depth insight into the strengths and weaknesses of each of your machine identities. Some of that you can learn from the certificate itself. But much of the intelligence you need just isn’t part of the certificate. It’s situational.

To gain the intelligence you need to enforce policies and detect machine identity anomalies and vulnerabilities, you need to be able to discover and collect information on the critical attributes of each of your machine identities. To do that successfully, you’ll need access to additional intelligence beyond what you can retrieve from the keys and certificates themselves.

Here are six things that you can’t learn from keys and certificates:

  1. Where it’s located
    You need up-to-date information about every machine where a key or certificate is installed to effectively manage machine identities and incident response. Without location information, machine identity problems can be extremely difficult to diagnose and even harder to fix. Location information should include the machine address, file location, Hardware Security Module (HSM), if applicable, and account (in the case of SSH keys).
     
  2. Who owns it
    Any number of users can request machine identities across countless systems and different groups. Central Public Key Infrastructure (PKI) and security teams rarely have the permissions necessary to manage these systems directly, and updates to machine identities often have to be performed locally. So, when a security vulnerability is detected, such as a weak algorithm, operational risk, or impending expiration, your PKI or security team needs to be able to rapidly contact the appropriate owner to solve the problem.
     
  3. Is it using strong ciphers
    Each machine that uses a machine identity is configured to use certain ciphers, such as Advanced Encryption Standard (AES). As technology advances, the strength or weakness of a cipher is often relative: it depends on factors such as client compatibility, key size, faulty random number generators, cipher vulnerabilities, and side channel attacks. Weak ciphers undermine the strength of encryption and can facilitate compromises by cybercriminals.
     
  4. Which protocol version it’s using
    New vulnerabilities are regularly found in protocols like SSH and TLS. To reduce the chance of compromise, ensure that you’re using only approved protocol versions. For example, a critical vulnerability was found in the TLS heartbeat extension of the popular cryptography library OpenSSL. Dubbed Heartbleed, this vulnerability required all impacted certificates to be replaced with those using an updated protocol.
     
  5. How is it configured
    Misconfigured servers, applications, or keystores may leave otherwise secure keys and certificates open to compromise. For SSH, configuration information can include source restrictions, force commands, whether port forwarding is allowed, and other security-critical requirements.
     
  6. Is it being misused
    The relative security of machine identities relies on multiple variables, and because there are so many rapid changes to machine identities, assessing risks quickly can be difficult. Reputation scores combine multiple machine identity attributes into a single numeric value that quickly indicates the risk associated with a specific certificate.
     
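The six attributes above are exactly what a certificate inventory has to record alongside each key or certificate, and item 6 describes collapsing them into a single reputation score. The following is an added example, not Venafi's code or scoring model: it defines an inventory record with those fields, flags illustrative policy violations (thresholds and weights are this example's own assumptions), and sums them into a capped score over a constructed two-entry inventory.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple

# Inventory record for the situational attributes the post lists; field names are this example's own.
@dataclass
class MachineIdentity:
    name: str
    host: str                            # 1. where it is located
    path: str
    owner: Optional[str]                 # 2. who owns it
    key_bits: int
    not_after: date
    protocols: Set[str]                  # 4. protocol versions the endpoint accepts
    ciphers: Set[str]                    # 3. ciphers the endpoint offers
    ssh_port_forwarding: bool = False    # 5. SSH configuration
    ssh_force_command: Optional[str] = None

# Illustrative policy thresholds, not any vendor's scoring model.
WEAK_PROTOCOLS = {"SSLv3", "TLSv1.0", "TLSv1.1", "SSHv1"}
WEAK_CIPHERS = {"RC4", "3DES", "DES", "NULL", "EXPORT"}
AS_OF = date(2019, 5, 23)  # "today" for the sample run (the post's date)

def risk_findings(mi: MachineIdentity, today: date = AS_OF) -> List[Tuple[str, int]]:
    """Return (finding, weight) pairs for one identity."""
    days_left = (mi.not_after - today).days
    checks = [
        (mi.owner is None, "no owner on record", 20),
        (mi.key_bits < 2048, f"weak key ({mi.key_bits} bits)", 30),
        (days_left < 0, "expired", 40),
        (0 <= days_left <= 30, f"expires in {days_left} days", 15),
        (mi.ssh_port_forwarding and mi.ssh_force_command is None,
         "SSH port forwarding allowed without a forced command", 10),
    ]
    findings = [(msg, w) for hit, msg, w in checks if hit]
    findings += [(f"deprecated protocol {p}", 25) for p in sorted(mi.protocols & WEAK_PROTOCOLS)]
    findings += [(f"weak cipher {c}", 25) for c in sorted(mi.ciphers & WEAK_CIPHERS)]
    return findings

def reputation_score(mi: MachineIdentity, today: date = AS_OF) -> int:
    """6. Collapse findings into one number: 0 is clean, 100 is the cap."""
    return min(100, sum(w for _, w in risk_findings(mi, today)))

# Constructed sample inventory (addresses, paths and dates are made up).
SAMPLE = [
    MachineIdentity("web-prod", "10.0.1.5", "/etc/ssl/web.pem", "web-team",
                    2048, date(2020, 1, 1), {"TLSv1.2", "TLSv1.3"}, {"AES-GCM"}),
    MachineIdentity("legacy-app", "10.0.2.9", "C:\\certs\\app.pfx", None,
                    1024, date(2019, 6, 1), {"TLSv1.0", "TLSv1.2"}, {"RC4", "AES-CBC"}),
]
```

Sorting an inventory by `reputation_score` gives the remediation order; the `risk_findings` list tells the owner from item 2 what to fix.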
After you’ve gathered intelligence for all machine identities inside and outside your enterprise, you can use this information to identify machine identity vulnerabilities, anomalies, risks, and trends. This is important because each of your business groups needs in-depth intelligence on the relative strength of the machine identities for the systems it controls. Otherwise, they won’t be able to follow the best practices required to protect machine identities or take rapid remedial action when needed.
 

If you’d like to learn more, download our Machine Identity Protection for Dummies. 

About the author

Scott Carter

Scott is Senior Manager for Content Marketing at Venafi. With over 20 years in cybersecurity marketing, his expertise leads him to help large organizations understand the risk to machine identities and why they should protect them.
