Skip to main content
banner image
venafi logo

Education Center - Key and Certificate Management Best Practices

Key and Certificate Management Best Practices

Organizations of all sizes and industries maintain extensive financial, customer and mission-critical business data. However, when sensitive information is misused or compromised, organizations will often pay a heavy price. Recent high-profile security breaches have cost millions in revenue and lost opportunities. These fears, along with new security standards and regulations, have driven IT professionals to deploy encryption more broadly.


The problem is that, having done so, the encryption keys used to secure data become the figurative “keys to the kingdom.” The key (and not the data itself) becomes the entity that must be safeguarded. Efforts to manage these keys manually, however, represent a significant security risk and become operationally challenging, especially as encryption is deployed across disparate systems and applications.


Organizations are struggling to properly manage and control these rapidly multiplying certificates and keys to prevent security breaches, system downtime and other disasters. It’s a catch 22 situation - but it doesn’t have to be.


Before we can solve the problem of enterprise key and certificate management (EKCM), we must first fully understand the challenges faced:


  • Certificates that are not renewed and replaced before they expire can cause serious downtime and outages

  • Private keys used with certificates must be kept secure or unauthorized individuals can intercept confidential communications or gain unauthorized access to critical systems. Failure to ensure proper segregation of duties means that admins who generate the encryption keys can use them to access sensitive, regulated data

  • Regulations and requirements (like PCI-DSS) demand stringent security and management of cryptographic keys and auditors are increasingly reviewing the management controls and processes in use

  • The average certificate and private key require four hours per year to manage, taking administrators away from more important tasks and costs hundreds of thousands of pounds per year for many organizations

  • If a certificate authority is compromised or an encryption algorithm is broken, organizations must be prepared to replace all of their certificates and keys in a matter of hours

  • The rollout of new projects and business applications is hindered because of the inability to deploy and manage encryption to support the security requirements of those projects

The critical starting point in any certificate and private key management strategy is to create a comprehensive inventory of all certificates, their locations and responsible parties. This is not a trivial matter because certificates are deployed in a variety of locations by different individuals and teams – it’s simply not possible to rely on a list from a certificate authority. Taking a four step approach will ensure that no certificates are missed:


Step 1: Import from Certificate Authorities

Gather what you already know about the certificates from existing certificate authorities. It is very dangerous to assume that an import from your known CAs will provide an accurate inventory of all certificates; it’s merely a starting point that must be augmented by discovery.


Step 2: Perform Network Discovery

Perform a network discovery to find certificates that are present on a listening port such as HTTPS. Start by gathering your network address ranges and then collect a list of ports to check. You can initially check on port 443, but there are many ports on which certificates are commonly presented. To discover certificates on your network, you can also use Venafi as a Service.


Step 3: Agent-based Discovery

Many certificates are not discoverable via network ports, such as client-side certificates used for mutual authentication on SSL. Finding these certificates typically involves performing file system scans on server and client systems with a locally-installed agent.


Step 4: Individual Import from Admins

Network and agent-based discoveries can take time and it may not be possible to perform them in all corporate locations. That makes it critical to educate administrators and make sure they are proactively reporting any certificates they are aware of and adding them to the inventory.


Sounds simple! Just remember that performing an inventory is not a one-time event. You should repeat the steps above weekly to ensure the inventory is up to date.


As you’re developing your inventory, establish a correlation of who the contacts and owners are for certificates. Wherever possible assign groups as the contacts instead of individuals to avoid a single point of failure. Some helpful sources include certificate authorities, tracking spreadsheets, and even a CMDB. Define clear responsibilities for maintenance of certificate contact information.


An important method for preventing in-service expirations is to establish a central monitoring function that ensures certificates are replaced prior to expiration by automatically notifying responsible groups. Only when the new certificate has been installed and the application has been reset to use the new certificate prior to the time of expiration is the risk of downtime averted.


Expiration reports should be sent to certificate owners each month that show a list of all certificates expiring in the next 90 days. Individual expiration notifications should be sent if action has not been taken on an individual certificate within 30 days of expiration. If action has not been taken within 20 days prior to expiration, escalation to additional parties should be added. At 10 days from expiration, notifications should be sent to a NOC or other corporate group that is responsible to respond to the crisis until it is resolved.


Establish standard practices for enrollment and provisioning that maximize reliability and repeatability, ensure security and compliance to policy, and minimize load on your administrators. There are easily 20 or more steps involved in issuing or renewing a certificate. These steps must be standardized and implemented in compliance with policy every time.


Errors are inevitable when the steps outlined above are performed manually. In addition, confidently ensuring the security of the private key is very challenging when these operations are performed manually. Automated methods of certificate enrollment and provisioning exist and should be considered.


EKCM best practice is crucial to your organization if you’re to avoid the complications, embarrassment and expense of your security being compromised. Make sure you have a clear understanding what the risks that apply to your organization are. By prioritizing them, and clearly communicating the importance of addressing them in your organization, you can accelerate the implementation and adoption of best practices since all stakeholders will understand the implications of not doing so.




Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud

Venafi Cloud manages and protects certificates

* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
* Please fill in this field
* Please fill in this field
* Please fill in this field

End User License Agreement needs to be viewed and accepted

Already have an account? Login Here

get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more