
PKI for non-PKI experts: What You Need to Know about Ongoing Maintenance

January 31, 2017 | Allen Marin

This is part three of a blog series on easy and intuitive PKI (Public Key Infrastructure) operation for non-security administrators. In part one, I explored the reasons why you should empower system admins to manage encryption for their own applications. Then in part two, I gave practical advice to system admins on how to get started. And now I’m going to outline the easy steps system admins can take to keep keys and certificates secure and compliant for the systems and applications they manage.

As a system admin, you’re actively managing the environment for your application to meet your defined service levels. So, it just makes sense for you to manage the keys and certificates that protect them, as well. Once you get all these critical security assets under control and up to policy, you will need to start thinking about how you can keep them secure and operational over the long haul.

The next step you need to think about is what I call monitoring for assurance. But you shouldn’t have to manually review the list of keys and certificates every day to make sure they’re all safe and current. Instead, you want to be notified when an expiration date is approaching or something looks suspicious. This is easy if you have a solution that actively monitors your certificate environment for you and lets you know when you need to take action without the manual and tedious legwork.

Here’s what you’ll need to be on the lookout for: certificates that are out of date or out of compliance with security policy. You need advance notice when certificates will be expiring so you can replace them before they cause an application outage, which can be both expensive and embarrassing.

You’ll also want to be immediately notified of any anomalies, such as mis-issued or rogue certificates that have found their way into your environment. These irregularities could indicate a certificate compromise that would allow cyber criminals to hide in encrypted traffic, spoof a website, deploy malware, and steal data. While these alerts may be the result of a simple mistake, not knowing about and fixing anomalies is likely to impact your application sooner or later.
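
The expiry and anomaly monitoring described in the last two paragraphs can be sketched as a check run over a certificate inventory. This is an added example, not code from the original post or from any Venafi product; the record fields, policy thresholds, issuer name and host names are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from typing import NamedTuple

# Policy values below are assumptions for this example, not from the article.
APPROVED_ISSUERS = {"CN=Example Corp Issuing CA 1"}
MIN_RSA_BITS = 2048
WEAK_SIGNATURES = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}
NOTICE_WINDOW = timedelta(days=30)  # how far ahead to warn about expiry

class CertRecord(NamedTuple):
    host: str
    issuer: str
    not_after: datetime
    key_bits: int
    sig_alg: str

def findings(cert, now):
    """Return the reasons this certificate needs attention (empty if none)."""
    out = []
    remaining = cert.not_after - now
    if remaining <= timedelta(0):
        out.append("expired")
    elif remaining <= NOTICE_WINDOW:
        out.append(f"expires in {remaining.days} days")
    if cert.issuer not in APPROVED_ISSUERS:
        out.append("unapproved issuer")  # possible rogue or mis-issued cert
    if cert.key_bits < MIN_RSA_BITS:
        out.append("key too short")
    if cert.sig_alg in WEAK_SIGNATURES:
        out.append("weak signature algorithm")
    return out

def attention_report(inventory, now):
    """Map host -> findings, listing only certificates that need action."""
    report = {c.host: findings(c, now) for c in inventory}
    return {host: f for host, f in report.items() if f}

# Constructed sample inventory; hosts, issuers and dates are illustrative.
UTC = timezone.utc
NOW = datetime(2017, 1, 31, tzinfo=UTC)
GOOD_CA = "CN=Example Corp Issuing CA 1"
SHA256, SHA1 = "sha256WithRSAEncryption", "sha1WithRSAEncryption"
INVENTORY = [
    CertRecord("app01.example.internal", GOOD_CA, datetime(2018, 1, 15, tzinfo=UTC), 2048, SHA256),
    CertRecord("app02.example.internal", GOOD_CA, datetime(2017, 2, 10, tzinfo=UTC), 2048, SHA256),
    CertRecord("app03.example.internal", GOOD_CA, datetime(2017, 1, 1, tzinfo=UTC), 1024, SHA1),
    CertRecord("app04.example.internal", "CN=Unknown Test CA", datetime(2019, 6, 1, tzinfo=UTC), 2048, SHA256),
]

if __name__ == "__main__":
    for host, reasons in attention_report(INVENTORY, NOW).items():
        print(f"{host}: {', '.join(reasons)}")
```

Only certificates with at least one finding appear in the report, so a healthy certificate such as the one on app01 generates no notification.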

In addition to automatically notifying you when your attention is needed, a good certificate management solution should also simplify management by automating routine actions. This would include the process of requesting, renewing, or revoking certificates for your applications.

Depending on your knowledge of PKI and your level of responsibility, your organization might elect to automate all or only some of these actions for you. The level of shared responsibility will be defined by the security or PKI teams: they create the policies and procedures at play between themselves and system administrators like yourself. It should be noted, however, that ultimate responsibility for enterprise encryption—and the keys and certificates that enable it—rests with the PKI team.

Ideally, you will now have control of your own certificate environment. After all, you’re in the best position to manage it wisely, since you have the largest stake in maximizing the uptime and security of your application. Does your organization give you access to a certificate management solution that puts you in the driver’s seat? 

Read part IV of this blog series to learn how to simplify addressing compliance requirements.

About the author

Allen Marin

Allen Marin writes for Venafi's blog and is an expert in machine identity protection.
