
Why You Need More than Certificate Authority Management Solutions

November 15, 2018 | Diederik Klijn

With organizations virtually drowning in the rising tide of machine identities, most are looking for management solutions that will help them stay afloat. This topic has come up in many of my conversations over the past few weeks. Many organizations ask me about the advantages of using certificate life cycle management solutions provided by the vendor of the certificates, in other words, the issuing certificate authority (CA).

At first this seems to make sense. What better place to monitor the expiration dates of certificates than the interface of the CA that issues them? It is a one-stop shop for both certificates and management. But most organizations do not use only a single CA, so they may end up with two or more one-stop shops. That alone creates a certain level of management complexity.

In fact, on further reflection, CA management solutions do not make all that much sense. Although they can certainly alert on expiration dates, they are limited in the additional critical information they can provide about the certificate inventory, most notably where the certificates are installed, how many times they have been copied, and who owns them. In my opinion, this is a critical flaw.

While they do provide a focused view of a limited certificate population, many platforms delivered by external CAs have difficulty providing management capabilities that span both internal and external CAs. As mentioned above, this means administrators will need to use multiple tools that may or may not provide the same mechanisms for alerting on certificates that are about to expire.

Most so-called certificate life cycle management solutions have the basic capabilities to create, revoke and report on certificates. However, in many cases they lack proper support for automated installation (provisioning) of certificates, especially on third-party devices such as TLS inspection systems or load balancers.

During onboarding, most companies are eager to help new customers get going, and certificate authorities are no exception. But if the customer later decides to migrate away from that CA, the same eagerness and assistance is no longer available. This raises the question: once you decide to change CAs, what kind of migration services can you expect from a vendor-locked solution?

Not surprisingly, built-in CA management systems will not help you fine-tune your CA usage. In other words, they will not allow administrators to move certificates from one CA to another. This is critical functionality during a security event that requires immediate attention, such as a breach, a vulnerability, or a CA being distrusted or making an error. For that level of control you need to move beyond simple certificate management to a robust platform for machine identity protection.
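As an added example that is not part of the original post, the following Python script sketches the CA-agnostic inventory the preceding paragraphs argue for. It pulls the leaf certificate from each endpoint you point it at and then answers the questions a single CA's console cannot: which fingerprints appear on more than one host (the same fingerprint on several hosts means the certificate and its private key have been copied), how many hosts each issuing CA covers (which is also the set you must reissue if that CA is distrusted or breached), which certificates have no recorded owner, and which are expired or about to expire. The hosts, issuer names, fingerprints, dates and owners in SAMPLE_INVENTORY are constructed for illustration; fetch_leaf_record uses only the Python standard library and needs an internal root passed via cafile before it can read certificates from an internal CA.

```python
"""CA-agnostic certificate inventory sketch (illustrative, not Venafi code)."""
import hashlib
import socket
import ssl
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Fixed reference time so the constructed sample below evaluates deterministically.
NOW = datetime(2018, 11, 15, tzinfo=timezone.utc)

# Constructed sample records standing in for the output of an endpoint scan.
# Hosts, issuers, fingerprints and owners are made up for illustration.
SAMPLE_INVENTORY = [
    {"host": "www.example.com:443", "issuer": "Public CA A", "fingerprint": "aa" * 32,
     "not_after": NOW + timedelta(days=200), "owner": "web-team"},
    # Same fingerprint as www: the certificate (and its key) were copied to another host.
    {"host": "api.example.com:443", "issuer": "Public CA A", "fingerprint": "aa" * 32,
     "not_after": NOW + timedelta(days=200), "owner": None},
    {"host": "lb-01.internal:8443", "issuer": "Internal Root CA", "fingerprint": "bb" * 32,
     "not_after": NOW + timedelta(days=10), "owner": "platform"},
    {"host": "mail.example.com:443", "issuer": "Public CA B", "fingerprint": "cc" * 32,
     "not_after": NOW + timedelta(days=400), "owner": "mail-team"},
    {"host": "vpn.example.com:443", "issuer": "Public CA A", "fingerprint": "dd" * 32,
     "not_after": NOW - timedelta(days=2), "owner": "network"},
]


def fetch_leaf_record(host, port=443, cafile=None, owner=None, timeout=5.0):
    """Connect to host:port over TLS and return one inventory record.

    Verification stays enabled because getpeercert() returns an empty dict when
    it is disabled; pass the PEM of an internal root as `cafile` so endpoints
    behind an internal CA can be inventoried as well. Network access required.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)   # raw DER for fingerprinting
            cert = tls.getpeercert()                  # decoded fields (issuer, notAfter)
    issuer = {k: v for rdn in cert["issuer"] for k, v in rdn}
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return {
        "host": f"{host}:{port}",
        "issuer": issuer.get("organizationName") or issuer.get("commonName", "?"),
        "fingerprint": hashlib.sha256(der).hexdigest(),
        "not_after": not_after,
        "owner": owner,
    }


def summarize(records, now=None, expiry_window_days=30):
    """Answer the inventory questions a single CA's console cannot.

    copies:     fingerprints seen on more than one host (key material duplicated)
    by_issuer:  hosts per issuing CA, i.e. what to reissue if that CA is distrusted
    unowned:    hosts whose certificate has no recorded owner
    expiring:   hosts whose certificate is expired or expires within the window
    """
    now = now or datetime.now(timezone.utc)
    deadline = now + timedelta(days=expiry_window_days)
    by_fp, by_issuer = defaultdict(list), defaultdict(list)
    unowned, expiring = [], []
    for rec in records:
        by_fp[rec["fingerprint"]].append(rec["host"])
        by_issuer[rec["issuer"]].append(rec["host"])
        if not rec.get("owner"):
            unowned.append(rec["host"])
        if rec["not_after"] <= deadline:
            expiring.append(rec["host"])
    return {
        "copies": {fp: hosts for fp, hosts in by_fp.items() if len(hosts) > 1},
        "by_issuer": {issuer: sorted(hosts) for issuer, hosts in by_issuer.items()},
        "unowned": sorted(unowned),
        "expiring": sorted(expiring),
    }


if __name__ == "__main__":
    # Replace SAMPLE_INVENTORY with [fetch_leaf_record(h, p) for h, p in targets]
    # to run against real endpoints.
    for section, value in summarize(SAMPLE_INVENTORY, now=NOW).items():
        print(f"{section}: {value}")
```

On the constructed sample, the summary flags the www/api pair as a copied certificate, puts three of five hosts under "Public CA A" (the reissue list if that CA were distrusted), reports api.example.com as unowned, and lists the already-expired VPN certificate alongside the internal load balancer that expires in ten days. None of those four answers is available from any one CA's own console, since the internal root and the two public CAs each see only their own slice.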

Most of the customers I have discussed certificate management strategies with tend to agree that a solution provided by the CA vendor is not the best alternative. Without a doubt such solutions provide certain functionality that is useful and important. It's just that CA management solutions are more limiting than they appear at first glance. For true certificate life cycle management, you will need to extend your strategy to manage and protect the entire machine identity environment and ecosystem. For that you will need a CA-agnostic solution.

About the author

Diederik Klijn

Diederik is a Sales Manager for Northern Europe at Venafi. He is currently leveraging his two decades of experience in IT Security to solve cybersecurity challenges revolving around machine identities in northern Europe.
