Skip to main content
banner image
venafi logo

PKI Bootcamp: Why Can’t that PKI Team Get It Right?

PKI Bootcamp: Why Can’t that PKI Team Get It Right?

PKI bootcamp
February 15, 2017 | Paul Turner

As we’ve discussed in the previous blog, most PKI teams are maligned in their organizations because of certificate outages. Whenever there’s an outage due to a certificate expiring, executives shake their heads and say, “Why can’t that PKI team get it right? Certificates can’t be that complicated! I mean, it is just a freakin’ expiration date! They know it is coming!”

Hmmm. Let’s have a look at why PKI teams may need a little help.

In most large organizations, PKI teams typically have two to five people (usually closer to two than five). In addition to managing certificate authorities (CAs), these small teams are tasked with supporting hundreds of administrators with thousands of systems and corresponding certificates, normally spread across multiple geographical locations.

Why_Can't_That_PKI_Team_Get_It_Right.PNG

In order to fully install or replace a certificate, you need sufficient access to the system where it will be used so you can install it. Though PKI teams have responsibility to manage the CAs that issue certificates, they rarely have any access to the systems where those certificates are deployed. Those systems are controlled and managed by system administrators working in or with lines of business. As you can imagine, it is literally impossible for a team of two to five people to know on which systems thousands of certificates have been deployed and to keep track of who owns those systems, especially amidst regular reorgs. 

When the PKI team knows that a certificate is nearing expiration, they’re stuck calling around trying to find the owner and/or following up with the owner when they don’t take action. Doing this for a handful of certificates is challenging enough. Doing it for thousands is mind boggling. In addition to the certificates that the PKI team knows about (because they’ve been issued through the approved CAs), system administrators will often generate their own certificates (self-signed or from an unapproved CA) that the PKI team is not aware of, leading to BIG surprises when they expire, and plenty of security risk.

And yet, even with this impossible situation, most executives still hold PKI teams accountable for outages caused by certificate expirations, even when they are not. However, because system administrators are not held accountable, there is no incentive for them to take responsibility for their certificates. You can see how this is a recipe for failure.

In future blogs, I’m going to expand on the risks this situation creates and best practices for certificate management. In the meantime, it is worth summarizing here one of the most important changes most organizations need to make to minimize their risk and turn certificates into a security asset instead of a security and operational liability:

  • Make lines of business and systems administrators responsible and accountable for the management of certificates.
  • Make sure they know what they need to do, through education and well-defined policies.
  • Make the PKI team accountable for providing all the services necessary for these lines of business to be successful.

We’ll refer to this as the “governance best practice” in future posts. In my opinion, it is one of the most important elements of the successful use of certificates as a security infrastructure in medium to large organizations. 

Read my next blog to learn where you may be at risk.

Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

NIST TLS Infosec Guidelines

New NIST TLS Management Guidelines for InfoSec [Expert Advice]

NIST Guidelines TLS

What Executives Need to Know about New NIST Guidelines for TLS Management

Best Practices for Securing SSH: Defining SSH Policies

About the author

Paul Turner
Paul Turner

Paul Turner is Head of Services at Epuio. His extensive background in the Security industry, most recently in PKI and SSH, enable him to help large enterprises successfully manage their keys and certificates.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud


Venafi Cloud manages and protects certificates



* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
(@%+^!#$?:,(){}[]~`-_)
* Please fill in this field
* Please fill in this field
* Please fill in this field
*

End User License Agreement needs to be viewed and accepted



Already have an account? Login Here

×
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more
Chat