Organizations are reliant on digital communications secured using X.509 certificates for their day-to- day operations. Certificates are used for user authentication, secure communications using Secure Sockets Layer (SSL), program-to-program and machine-to-machine communications, digital signature, and code signing. Many unseen internal and external services performing their daily duties are authenticated and trusted based on a relatively simple process involving the verification that an issued certificate is still active.
Expired X.509 certificates result in a number of system maladies, ranging from a simple error message on a screen to an abrupt termination of service. This can lead to abandoned e-commerce transactions or the loss of trust in a company's Web presence. Many organizations that have an unplanned certificate expiry typically focus on other systemic causes, such as hardware/software issues, long before they begin to consider an expired X.509 certificate as the source of troubles. This typically results in significant delays in identifying and resolving the root cause of a system outage.
During the past few years, another form of X.509 certificate-related problem has come forward in security news — that of the compromised public certificate issuing authority. Because of threatened or actual compromises at DigiNotar, Comodo and others, previously issued certificates from these public providers have had to be revoked, either individually or, at worst, en masse, with an entire certificate issuance infrastructure losing complete trustworthiness. This latter case invalidated all currently issued and active X.509 certificates from that certificate authority, and necessitated a complete reissuance of X.509 certificates from an alternate issuer. Organizations should be explicitly aware of the potential for significant impact on their operations should they be associated with such an incident. Knowing the specific provenance of each and every X.509 certificates in use within an organization is critical in ensuring the timely reissuance of certificates, thus minimizing downtime. It is also necessary to have a suitable management interface to remotely installed certificates, and to trust root certificate lists so they too can be replaced if compromised (see "Certificate Authority Breaches Impact Web Servers, Highlighting the Need for Better Controls"). Many organizations scramble to remove a trusted root when a compromise takes place. Organizations need to understand their internal process for removing a trusted certificate or root from browsers and applications. While browsers are relatively easy to fix by waiting for the browser patch with the removed/deleted/revoked root, applications typically involve more work and, thus, more planning.
One of the first steps in identifying compromised certificates is to identify ALL certificates and evaluate each relying server for certificate validity. However, many organizations do not have a good understanding of their inventory of digital certificates or where they are. They may rely on spreadsheet-based manual methods to track certificates, but the spreadsheet method is deficient in that it does not record or track anything that is not entered into it. The commercial certificate authorities and public key infrastructure (PKI) software vendors do provide some rudimentary certificate management. For example, they may notify the original individual corporate purchaser of an imminent certificate expiry, but not be able to handle cases where that individual has changed roles or left the organization.
Several commercial certificate authorities, PKI and certificate management solution providers offer Certificate Management System (CMS) software that can be used to discover, identify, track, notify, and ultimately automatically renew and audit the installation of new X.509 certificates. In general, the functions of this software are:
A limited number of certificates can be managed manually using a spreadsheet or other basic tools, but many features, such as discovery, will be missing. If this method is chosen, specific individuals or roles need to be assigned to managed certificates on groups of machines, and scheduling reminders set for certificate renewal before the installed certificates expire.