How to Manage SSL Certificates [TLS Machine Identities]

With digital transformation shifting into hyper-drive across the enterprise ecosystem, the use of SSL/TLS certificates is dynamically growing. While this trend steps up organizations’ data protection practices, it poses quite a few new challenges as organizations use increasing numbers of machine identities. As the task of managing certificates is on many companies’ agenda these days, let’s go over the biggest roadblocks along this route and the ways to tackle them.

Visibility Over Certificate Infrastructure Stays Low

The ubiquitous use of IoT devices, cloud-native applications and continuous development have become catalysts for the soaring adoption of SSL certificates throughout corporate environments. The caveat is that DevOps teams—who are focused on speed and agility—often deploy certificates hastily and without proper correlation with colleagues from IT and security departments.

This precipitates an adverse situation where organizations have insufficient oversight and control of digital certificates and the use of certificate authorities (CAs) that issue these machine identities. According to a recent study, a whopping 79% of companies aren’t aware how many private encryption keys and certificates they possess.

Such a lack of awareness hampers proper management and, more importantly, the protection of this important infrastructure. Another side effect of poor visibility is that organizations may suffer service downtime and application outages because their certificates expire and they are unprepared for these pitfalls.

The Average Period of SSL Certificate Validity Is Decreasing

One more trend making itself felt in this domain is that the lifespan of SSL certificates is becoming shorter over time. The global digital industry consortium called the Certification Authority Browser Forum (CA/B Forum) has reduced this period from 60 months down to roughly 27 months or even less since 2012. But some members of the CA/B Forum felt these lifespans were still too long.

In 2019, Google came up with an initiative to restrict the maximum certificate lifecycle to 12 months, to no avail. One year later, Apple set a 398-day threshold for certificates used in its digital territory. Google Chrome and Mozilla followed in the footsteps of the Cupertino company shortly afterward by implementing the same limitation. That said, the trend will likely continue down the line.

What are the Key Challenges?

In light of the booming use of SSL certificates, IT teams’ workload has grown significantly while their budgets may not reflect this change. In addition to insufficient visibility, these inconsistencies have called forth the following problems:

• Too much manual work. Due to the lack of automation, it takes a lot of time to perform processes like certificate requests and renewals. To top it off, manual management is fertile ground for human error.
• Staff turnover. When admins leave an organization, their email accounts may be closed and certificate expiration alerts won’t be received.
• Sluggish response. If a company experiences an application outage caused by an expired certificate, pinpointing and renewing it is a cumbersome process that could take up to several days.

Cryptographic Facet of the Issue

The challenges of managing certificates aren’t isolated to service disruption due to organizational slip-ups. Your company should also be resilient to issues stemming from security imperfections of cryptographic algorithms, virus attacks, and breaches suffered by CAs.

These scenarios include large-scale revocation of certificates, crypto-algorithm deprecation, CA hacks, and cryptographic library flaws such as the notorious Heartbleed vulnerability in OpenSSL. With the rise of next-generation quantum technologies that may allow an adversary to crack strong cryptographic algorithms, IT teams should also create a roadmap for adopting quantum-safe cryptography.

SSL Certificate Management Done Right

The following tips will help your organization manage SSL certificates properly and avoid unexpected outages as well as security risks described above.

1. Stay abreast of your certificates
   As previously mentioned, more than two-thirds of companies don’t know how many SSL/TLS certificates and cryptographic keys they have. If yours is in the same boat, this needs to change. You should gain and maintain visibility of this component of your network infrastructure. Audit your certificates to know the corporate endpoints on which they are installed. Also, keep an up-to-date list of CAs that have issued all your certificates.
2. Identify weak links
   Once you have created an inventory of your SSL certificates, get down to finding and closing the gaps in this environment. These include weak cryptographic keys or hashes and crude implementation of wildcard certificates that are used on your sub-domains. If you come across insecure certificates issued by questionable CAs, you are better off eliminating them from your network. Additionally, set notifications to stay on top of the validity of your certificates and renew them before they expire.
3. Set a certificate management policy
   Enforce clear-cut rules that delineate the roles and responsibilities of SSL certificate owners in your network, including system admins, public key infrastructure (PKI) admins, security personnel, and DevOps crews. It’s also important to specify guidelines for requesting, renewing, and revoking certificates. Combined with well-thought-out expiration alert procedures, these mechanisms will help steer clear of outages and security issues.
4. Leverage automation
   Manual management of SSL certificates using spreadsheets or in similar ways is tedious. Plus it can lead to typos and other trivial inaccuracies. This is why taking the route of automation where possible is both time-efficient and more accurate. It can significantly facilitate the enrollment, installation, auditing, and renewal of certificates. Additionally, some solutions can check your organization’s digital infrastructure for vulnerable or misconfigured SSL certificates and compliance with relevant policies.

The Bottom Line

In August 2020, Spotify suffered a global outage that kept its engineers and customers on their toes for about an hour. It happened because the media services giant neglected to renew one of its wildcard certificates. This snafu demonstrated how impactful such a blunder can be. And in early 2021, we saw similar events with Google Voice and Microsoft Azure. To steer clear of predicaments like these, make sure your organization takes SSL certificate management seriously and adheres to the above recommendations.

Related Posts

• Key Factors for Successful Certificate Management
• Certificate Management Best Practices
• Certificate Management for DevOps