PKI for non-PKI experts: How Do You Get Your Systems Up to Policy?

PKI advice
January 13, 2017 | Allen Marin

This is part two of a blog series on easy and intuitive PKI (Public Key Infrastructure) operation for non-security administrators. In part one, I explored the role of system admins in managing encryption for their respective applications. The goal of that blog was to empower system admins and application owners to manage the keys and certificates for their own environment. Now I’m going to give practical advice to systems admins on how to get started.  

As a system administrator, you may now have responsibility for managing the digital certificates that enable secure connections with your applications. But these certificates and the PKI surrounding them are not your specialty. And frankly, they don’t have to be. You just need to know enough about PKI to secure your applications with certificates.

But you also need to know how your certificates impact your organization’s overall security. If you don’t get it right, you could actually increase security risks, undermining the reasons that you’re using certificates in the first place. Where do you start?

First, you need to know which of your applications need secure connections and, therefore, certificates. With that information, you can create a complete inventory of applications and their associated certificates. You will then have an accurate picture of what you need to manage and protect.

Auditors will also be interested in this information, so in addition to establishing an inventory of the certificates protecting your applications, servers, and/or devices, make sure you include the metadata associated with the certificates. This metadata is readily available, so just make sure you capture that.

Once this simple inventory is in place, you’ll be able to quickly see whether all requisite systems and devices have certificates and whether those certificates are valid. You’ll also want to know when they expire, so you can avoid embarrassing and costly application outages.

Knowing exactly which certificates you are responsible for is the first step in assuring that your environment is up to date and well protected. However, you still need to make sure it complies with your organization’s PKI security policies.

The policies I’m talking about here are those defined by the team who oversees certificate management across the enterprise. Their job is to ensure the environment meets internal and regulatory requirements around securing data in transit. So, they define overall policy requirements around crypto libraries, hashing algorithms, key length, validation period—all that crypto black magic that may be outside of your immediate focus.

You need to know which attributes your policies require, so you can make sure the certificates in your inventory meet those requirements. With your up-to-date inventory, you should be able to identify which, if any, fall short and might lead to a security risk or application outage. When that happens, you’ll simply need to request replacements from your PKI team.
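The inventory-and-policy check described above (build an inventory of the applications that need certificates and the certificate metadata, then compare each certificate against the PKI team's requirements for hash algorithm, key length, validity period and expiry) can be scripted. The following is an added example, not code from the original post or from Venafi: the certificate records, the application names, the policy thresholds and the audit date are all constructed for illustration, and the record fields stand in for metadata you would capture from your own certificates.

```python
"""Certificate inventory and policy audit over constructed metadata records.

Added example: the records, policy values and application names below are
constructed for illustration; they are not Venafi data or a Venafi API.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class CertRecord:
    """Metadata captured for one certificate in the inventory."""
    app: str            # application or service the certificate protects
    subject: str        # subject common name
    issuer: str         # issuing CA
    key_alg: str        # "RSA" or "EC"
    key_bits: int       # modulus size or curve size in bits
    sig_hash: str       # hash used in the certificate signature
    not_before: datetime
    not_after: datetime


# Constructed policy, standing in for the values the enterprise PKI team defines.
POLICY = {
    "min_key_bits": {"RSA": 2048, "EC": 256},
    "allowed_sig_hashes": {"sha256", "sha384", "sha512"},
    "max_validity_days": 398,
    "expiry_warning_days": 30,
}


def check_certificate(cert, policy, now):
    """Return a list of (code, message) findings for one certificate; empty means compliant."""
    findings = []
    min_bits = policy["min_key_bits"].get(cert.key_alg)
    if min_bits is None:
        findings.append(("UNKNOWN_KEY_ALG", f"key algorithm {cert.key_alg} not covered by policy"))
    elif cert.key_bits < min_bits:
        findings.append(("WEAK_KEY", f"{cert.key_alg} {cert.key_bits}-bit key below policy minimum of {min_bits}"))
    if cert.sig_hash.lower() not in policy["allowed_sig_hashes"]:
        findings.append(("WEAK_HASH", f"signature hash {cert.sig_hash} not allowed by policy"))
    validity_days = (cert.not_after - cert.not_before).days
    if validity_days > policy["max_validity_days"]:
        findings.append(("VALIDITY_TOO_LONG", f"validity period of {validity_days} days exceeds policy maximum"))
    # Expiry state: not yet valid, expired, or approaching the warning window.
    if now < cert.not_before:
        findings.append(("NOT_YET_VALID", f"not valid until {cert.not_before.date()}"))
    elif now > cert.not_after:
        findings.append(("EXPIRED", f"expired {(now - cert.not_after).days} days ago"))
    else:
        days_left = (cert.not_after - now).days
        if days_left <= policy["expiry_warning_days"]:
            findings.append(("EXPIRING_SOON", f"expires in {days_left} days"))
    return findings


def audit_inventory(required_apps, certs, policy, now):
    """Map every application that needs a certificate to its findings.

    Applications with no certificate on record are reported as MISSING, so the
    inventory also reveals gaps, not only weak or expiring certificates.
    """
    by_app = {c.app: c for c in certs}
    report = {}
    for app in required_apps:
        cert = by_app.get(app)
        if cert is None:
            report[app] = [("MISSING", "no certificate on record")]
        else:
            report[app] = check_certificate(cert, policy, now)
    return report


def _utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample inventory (not real systems or certificates).
REQUIRED_APPS = ["payroll-web", "legacy-erp", "api-gateway", "intranet-wiki", "hr-portal"]
SAMPLE_CERTS = [
    CertRecord("payroll-web", "payroll.example.internal", "Example Corp Issuing CA",
               "RSA", 2048, "sha256", _utc(2016, 6, 1), _utc(2017, 1, 31)),
    CertRecord("legacy-erp", "erp.example.internal", "Example Corp Issuing CA",
               "RSA", 1024, "sha1", _utc(2014, 1, 1), _utc(2019, 1, 1)),
    CertRecord("api-gateway", "api.example.internal", "Example Corp Issuing CA",
               "EC", 256, "sha256", _utc(2016, 12, 1), _utc(2017, 11, 30)),
    CertRecord("intranet-wiki", "wiki.example.internal", "Example Corp Issuing CA",
               "RSA", 2048, "sha256", _utc(2015, 12, 1), _utc(2016, 12, 1)),
]
AUDIT_DATE = _utc(2017, 1, 13)  # constructed audit date


def run_sample_audit():
    """Run the audit over the constructed inventory and return the report."""
    return audit_inventory(REQUIRED_APPS, SAMPLE_CERTS, POLICY, AUDIT_DATE)


if __name__ == "__main__":
    for app, findings in run_sample_audit().items():
        status = "OK" if not findings else "; ".join(f"{code}: {msg}" for code, msg in findings)
        print(f"{app:15} {status}")
```

Running the script lists each application with either OK or its findings: the sample flags a certificate expiring inside the 30-day window, a legacy certificate with a 1024-bit key, a SHA-1 signature and a five-year validity period, an already-expired certificate, and an application that needs a certificate but has none on record. Each finding maps to one of the policy attributes the post names, so the report doubles as the list of replacement requests to send to the PKI team.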

Sound difficult? Not necessarily. With the right solution, creating and maintaining a certificate inventory for your applications and systems should be fairly simple and straightforward. All you need is a current and accurate view of your environment and an understanding of the policy requirements that it should comply with.

Armed with this information, you can go forth and conquer PKI. You’ll have what you need to maintain an accurate, up to date inventory to make sure your applications remain online and well protected. And you won’t have to be a PKI expert to do it. 

Read part III of this blog series to learn what you need to know about ongoing maintenance.

About the author

Allen Marin writes for Venafi's blog and is an expert in machine identity protection.