Skip to main content
banner image
venafi logo

Key Factors for Successful Certificate Management

Key Factors for Successful Certificate Management

January 19, 2021 | Anastasios Arampatzis

Organizations are embracing digital transformation and emerging technologies at an increased rate. In fact, this rate has accelerated in 2020 to address a pandemic-driven move to online business. In addition, the proliferation of IoT devices, the migration of data in multi-cloud environments, and advances in virtualization and DevOps have skyrocketed the number of SSL/TLS certificates that enterprises hold.

More machines means more machine identities. And in addition to the increasing importance of digital certificates as machine identities, another crucial trend that is complicating machine identity management is the shortening of SSL certificate lifespans. As of September 2020, the lifespan of certificates has reduced to just 13 months or 398 days. This trend is expected to continue in the future, with some organizations already issuing certificates that are valid for only a few days or even hours.

Crypto agility is essential

Despite their importance, digital certificates are often left poorly managed. Because of weak certificate management practices, nearly every enterprise has experienced an outage due to an expired certificate. These outages have proven to cause great damages to affected businesses. Beyond the risk of certificate related outages, various cryptographic incidents, such as algorithm vulnerabilities and advances in computing, have enhanced the need for businesses to become crypto agile. Here are 6 key factors businesses need to consider for maintaining crypto agility:

  • Mass certificate revocations: How do you respond to certificates being revoked en masse on a short notice?
  • Algorithm deprecation: Researchers may discover vulnerabilities hidden into cryptographic algorithms. This was the case with the SHA-1 hashing algorithm. Organizations were required to migrate to SHA-2 family of hashing algorithms.
  • CA compromise: If a CA is breached, the entire chain of trust is broken. Certificates issued by the compromised CA are rendered invalid and they must be replaced with new ones.
  • CA agility: Most businesses rely on more than one CA to avoid lock-in. Being able to switch from one CA to another is critical for business agility and maintaining continuity in case of cryptographic incidents.
  • Crypto-library bugs: If a bug is found with the key-generation functions of a cryptographic library, then all keys generated since the bug was introduced must be replaced. Vulnerabilities like Heartbleed in OpenSSL expose certificates and private keys to risk.
  • Quantum crypto: Advancements in quantum computing require organizations to prepare for the implementation of post-quantum algorithms.
Key factors for effective certificate management

How do you respond to these certificate management challenges to maintain crypto agility? The answer is by employing policies and practices for effective certificate management.

Understand the importance of TLS certificates

To effectively address the challenges related to the management of TLS certificates, everyone needs to be aware of the importance of these machine identities. Every employee who interacts with certificates in any way needs to understand the consequences of rogue certificates or the damage that happens when a certificate expires. Certificate related outages can cause reputational damage and cost businesses a lot. According to Gartner, network downtime costs roughly $300,000 per hour. Compromised or stolen certificates are being leveraged by cyber criminals to wreak havoc, exfiltrate sensitive data or launch DDoS attacks. They can also be used to impersonate legitimate websites, causing harm to potential customers, and loss of revenue due to damaged trust.

Gain Visibility

The foundation to every successful security program is to have visibility into your assets. An effective certificate management program should also start by establishing and maintaining clear visibility across all SSL/TLS certificates in a corporate environment. The inventory should focus on:

  • Certificate Authorities (CAs), which are the source of most certificates and synchronize with internal and public CAs.
  • Devices and endpoints where certificates are installed across the business network.
  • Key and certificate stores to discover certificates not exposed to a port on the network.

The process of identifying all SSL/TLS certificates in a business ecosystem should create a centralized inventory of all issued certificates. Additionally, it should identify certificate owners and map these certificates to the web servers and apps where they are being used.

Define responsibilities and policies

The proliferation of DevOps, microservices, containers and IoT devices has created a new category of certificate owners. These frequent users are not knowledgeable about the best practices for managing the certificates they own. With security teams being outnumbered by the certificate owners in DevOps, it is imperative to enforce consistent policies and responsibilities across the board. Defining clear roles and responsibilities for certificate owners and ensuring consistent policies for every team involved in the certificate lifecycle is the only way to avoid “blame games” that result from gaps in certificate management. These policies should include:

  • Role-based access and permissions for certificate owners
  • Audit all user and certificate-related activities
  • Enforce standardized certificate templates and practices
Detect vulnerabilities and respond

Having visibility into the certificate ecosystem and assigning clear and consistent policies can assist organizations spotting vulnerabilities and mitigating them before becoming a threat. Poorly managed certificates that are close to expiration or weak cryptographic keys pose significant security risks. For example, an expired certificate disabled TLS inspection systems that enabled the notorious breach at Equifax. By continuously monitoring the status of the certificates and having an early warning system an organization can:

  • Find vulnerable certificates (e.g., those signed with weak algorithms, like SHA-1)
  • Prevent outages due to certificate expiration by notifying certificate owners beforehand
  • Respond to cryptographic incidents such as CA or algorithm compromise
Automation and self-service

The sheer number of certificates and the complexity of effectively managing the entire certificate lifecycle make manual processes time consuming and error prone. Clearly, manual processes are not adequate for the modern business environment. Organizations need to invest on an automation solution to prevent certificate outages, free up IT resources and end-users from hours of manual tasks related to certificate requests, issuance, provisioning, and renewal. In addition, automated certificate management can enable self-service workflows for users to request and renew certificates prior to expiration, automate provisioning and installation of certificates on network endpoints and schedule reporting to certificate owners or PKI admins.

The Venafi TLS Protect solution can help discover all your TLS certificates and corresponding private keys so you can protect these machine identities across your infrastructure. By automating the replacement of expiring certificates, you can eliminate outages and quickly respond to vulnerabilities, CA compromise, or other errors.

Related Posts

Like this blog? We think you will love this.
Featured Blog

Cost of a Machine Identity Data Breach with Yahoo!

Consequences from the Yahoo Data Breach

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

Subscribe Now

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

Anastasios Arampatzis
Anastasios Arampatzis

Anastasios Arampatzis is a retired Hellenic Air Force officer with over 20 years of experience in evaluating cybersecurity and managing IT projects. He works as an informatics instructor at AKMI Educational Institute, while his interests include exploring the human side of cybersecurity.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud

Venafi Cloud manages and protects certificates

* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
* Please fill in this field
* Please fill in this field
* Please fill in this field

End User License Agreement needs to be viewed and accepted

Already have an account? Login Here

get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more