Digital certificates are electronic credentials that are used to certify the identities of individuals, computers, and other entities on a network. Because they act as machine identities, digital certificates function similarly to identification cards such as passports and drivers’ licenses. For example, passports and drivers’ licenses are issued by recognized government authorities, whereas digital certificates are issued by recognized certification authorities (CAs).
Private and public networks are being used with increasing frequency to communicate sensitive data and complete critical transactions. This has created a need for greater confidence in the identity of the person, computer, or service on the other end of the communication. In addition, these valuable communications must be protected while they are on the network. Although accounts and strong passwords provide a certain level of assurance in the identity of the entity on the other end of the network, they offer little or no protection while data is in transit. In comparison, digital certificates and public key encryption identify machines and provide an enhanced level of authentication and privacy to digital communications.
All digital certificates have a finite lifespan and are no longer recognized as valid upon expiration. Certificates may have varying periods of validity and are often set to expire anywhere between one and three years based on company policy and/or cost considerations. Minimally, certificates need to be replaced at the end of their life to avoid service disruption and decreased security. However, there may be a number of scenarios where a certificate needs to be replaced earlier (e.g., Heartbleed bug, SHA-1 end-of-life migration, company mergers, change in company policy).
Although the use of certificates is widespread, many organizations lack adequate oversight of SSL certificates which can be disastrous. If a certificate fails to work properly, the vulnerability can be exploited by malicious actors to launch man-in-the-middle attacks and intercept sensitive information causing an organization an unthinkable damage in sales, everyday business and most important in customer confidence and trust. In addition, the organization could be fined for non-compliance with the various legislative regulations, such as GDPR.
Consequently, managing SSL/TLS certificates across complex networks to ensure protection and prevent unanticipated failures is a requirement for all businesses. Employing a lifecycle management system ensures a consistent approach and allows for the use of automation, which increases the efficiency and effectiveness of certificate management.
The life cycle of a certificate can be broken into distinct stages, as discussed in the following sections.
Certificate enrollment is initiated by a user request to the appropriate CA. This is a cooperative process between a user (or a user's PKI software, such as an e-mail or Web browser application) and the CA. The enrollment request contains the public key and enrollment information. Once a user requests a certificate, the CA verifies information based on its established policy rules, creates the certificate, posts the certificate, and then sends an identifying certificate to the user. During the certificate distribution the CA sets policies that affect the use of the certificate.
When a certificate is used, the certificate status is checked to verify that the certificate is still operationally valid. During the validation process, the CA checks the status of the certificate and verifies that the certificate is not its Certificate Revocation List (CRL).
A certificate issued by a CA includes an expiration date that defines how long the certificate is valid. If a certificate needs to be revoked before that date, the CA can be instructed to add the certificate to its CRL. Reasons a certificate might need to be revoked include the certificate being lost or compromised, or the person the certificate was issued to leaving the company.
When a certificate reaches its expiration date, and if the certificate policy allows it, it is renewed either automatically, or by user intervention. When renewing a certificate, you must choose whether or not to generate new public and private keys.
When a certificate is no longer in use, the certificate and any backup copies or archived copies of the certificate should be destroyed, along with the private key associated with the certificate. This helps ensure that the certificate is not compromised and used.
Certificate auditing involves tracking the creation, expiration, and revocation of certificates. In certain instances, it can also track each successful use of a certificate.
Organizations without proper certificate lifecycle management can face security and management gaps such as multiple and disjointed authorization mechanisms, and certificates that get lost in the system, expire and cause lost revenue and reputation.
At the core of an effective certificate lifecycle management system is defining a strict management program for your organization. As machine identities, certificates are the base of network security and play an important role in online trust. A fortified SSL security framework cannot be completed in just one step or by a single individual. Distributed teams are often tasked with ensuring security and compliance and add a complex layer of management into the process of managing SSL/TLS security. Powerful and customizable certificate management workflow functions are needed to streamline and simplify the process of administering SSL/TLS security across the enterprise.
In order for a certificate lifecycle management to be effective all certificates need to be consolidated into a single management system such as the Venafi Trust Platform. With this solution in place, administrators may perform continuous monitoring of systems and certificates, and generate an audit for governance and compliance purposes. What is more, this approach reduces the overall cost and complexity of managing SSL certificates across a distributed environment.