With so much changing in the world, it’s important to stay up to date with the best ways to keep certificates safe. That’s one of the reasons that NIST 1800-16 outlines the most recent official guidelines. These best practices should be standard implementation for any professional organization dealing with certificate management. While the full version can be found here, the following few standards provide a good head start.
Inventory: NIST recommends one central inventory location to keep track of all TLS server certificates.
This recommendation presupposes that visibility of all certificates has been acquired through an environment scan and that all existing certificates have been found. Proper visibility involves accounting for the following:
Visibility should also provide ownership information for each certificate, as well as mapping certificates back to their servers. Once certificates are accounted for and aggregated into that one inventory, it is important to organize the findings for maximum efficacy. You can group the certificates by environment—such as ‘test’ and ‘production’—or by business function, which will allow for easier tracking.
Private Key Security: The private key to any TLS server must always remain uncompromised.
Many times, private keys are stored in plaintext files, and even when encrypted, the passwords to these files are themselves stored in plaintext. In previous blogs, I have recommended that you store private keys in equipment validated to the FIPS 140-2 standard. This would include Hardware Security Modules (HSMs). However, many organizations have not adopted this practice due to the large number of TLS servers that require private keys.
When the system is mission-critical, however, the private key should be secured in an HSM. In all other situations, access to plaintext-stored passwords should only be given to authorized personnel who have completed training on private key security practices, and that access should follow a strict role-based, least-privilege model.
Proactive Certificate Renewal: Certificates should be renewed prior to expiration.
This involves a multi-step process: requesting, installing and testing. These steps should be initiated proactively, well before the expiration date; if something goes awry, the old certificate can be used to plug the gap (if not yet expired) until the new one is installed correctly. This avoids last-minute fire drills on the part of supporting teams, as well as preventable downtime should the certificate expire. In its guidance, NIST puts it thus:
Automated Enrollment and Installation: Several options for automation in certificate management should be provided.
This is due to the inherent risks of manual certificate management and the need to spin up instances quickly in the cloud. The following options are possible avenues for automation:
Reporting and Analytics: Reporting should be implemented to spot anomalies and plan for certificate management risks.
Triggered automated notifications serve well to warn of immediate risks, but dashboards help in pre-planning. Adequate reporting should cover the following areas:
This watchdog approach ensures that in an environment where certificates are automatically being requested, renewed, and deployed, nothing mistakenly slips off the tracks and remains undetected. It takes full advantage of the vast amount of data automation gathers and synthesizes it in a way that makes outlying, and potentially dangerous, trends easy to catch.
Continuous Monitoring: The certificates, along with all certificate management processes, should be monitored for incident or error.
Continuous monitoring ensures that gaps in the PKI structure surrounding your certificate management are watched. It ties together all areas: the elements of your certificate management process, all CAs, and automation. The best monitoring systems present easy-to-read dashboards that warn of upcoming expirations and alert responsible parties to mission-critical next tasks. Details aside, monitoring should above all be actionable. The three areas outlined by NIST are:
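As an added example (not code from this post or from NIST 1800-16), the following Python sketch ties together the inventory, proactive-renewal and reporting guidance above: constructed scan records stand in for real certificate data, the hostnames, owners and dates are hypothetical, and the 30-day renewal lead time and 2048-bit key minimum are assumed policy values rather than figures from the post.

```python
from collections import defaultdict
from datetime import date

# Constructed scan output (hypothetical hosts, owners and dates): the records an
# environment scan would feed into the single central inventory NIST recommends.
SCAN_RESULTS = [
    {"host": "shop.example.test", "env": "production", "owner": "web-team",
     "issuer": "Example Public CA", "key_bits": 2048, "not_after": "2024-03-01"},
    {"host": "api.example.test", "env": "production", "owner": None,
     "issuer": "Example Public CA", "key_bits": 2048, "not_after": "2025-01-15"},
    {"host": "build.example.test", "env": "test", "owner": "ci-team",
     "issuer": "build.example.test", "key_bits": 1024, "not_after": "2024-06-30"},
]

RENEWAL_LEAD_DAYS = 30   # assumed: request, install and test start this far ahead
MIN_KEY_BITS = 2048      # assumed minimum RSA key size for this inventory's policy

def build_inventory(records):
    """Group certificates by environment (test, production, ...) for easier tracking."""
    inventory = defaultdict(list)
    for rec in records:
        inventory[rec["env"]].append(rec["host"])
    return dict(inventory)

def renewal_queue(records, today, lead_days=RENEWAL_LEAD_DAYS):
    """Hosts whose renewal should already be under way, soonest expiry first.
    today is an ISO date string; a negative days_left means already expired."""
    today = date.fromisoformat(today)
    due = []
    for rec in records:
        days_left = (date.fromisoformat(rec["not_after"]) - today).days
        if days_left <= lead_days:
            due.append((rec["host"], days_left))
    return sorted(due, key=lambda item: item[1])

def find_anomalies(records, today):
    """Reporting rules: no owner, weak key, self-signed in production, expired."""
    today = date.fromisoformat(today)
    findings = []
    for rec in records:
        if rec["owner"] is None:
            findings.append((rec["host"], "no owner recorded"))
        if rec["key_bits"] < MIN_KEY_BITS:
            findings.append((rec["host"], f"weak key ({rec['key_bits']} bits)"))
        if rec["issuer"] == rec["host"] and rec["env"] == "production":
            findings.append((rec["host"], "self-signed certificate in production"))
        if date.fromisoformat(rec["not_after"]) < today:
            findings.append((rec["host"], "expired"))
    return findings

if __name__ == "__main__":
    print(build_inventory(SCAN_RESULTS))
    print(renewal_queue(SCAN_RESULTS, "2024-02-15"))
    print(find_anomalies(SCAN_RESULTS, "2024-02-15"))
```

In a real deployment the records would come from parsed X.509 certificates and the findings would feed the dashboards and triggered notifications described above.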
There are a few unifying themes among so many individual standards and guidelines—three of these are visibility, intelligence and automation. One cannot protect what one cannot see (visibility). One cannot organize what one does not know (intelligence/reporting), and the risks are too great if one does it all by hand (automation). If most of this seems like monitoring and oversight, you’re right. It is.
Once correct security levels have been put in place (key lengths, correct storing of private keys, etc.), then the most important part of keeping certificate management running is to simply automate all correct processes and watch for flaws. For example, there isn’t a need for a hundred single-handed mechanics, when ten mechanics on an assembly line will do. Set up your ‘assembly line’ of automation, free up the other 90 employees, and monitor for errors. Anything else, now, would be below industry standard for contemporary certificate management.
Venafi TLS Protect is a solution that discovers all certificates within your environment, providing the intelligence necessary to fully automate your certificate installation and management process. Interested in learning more? Download the TLS Protect data sheet now.