With organizations virtually drowning in the rising tide of machine identities, most are looking for management solutions that will help them stay afloat. On this topic, I have become involved in multiple conversations during the past few weeks. Many organizations ask me about the advantages of using certificate life cycle management solutions that are provided by the vendor of the certificates, or, in other words, the issuing certificate authority (CA).
At first this solution seems to make sense. What better place to monitor the expiration dates of certificates than the interface of the CA that is issuing them? It’s like a one stop shop for both certificates and management. But the challenge is that most organizations do not use only a single CA. So, they may end up with two or more one-stop shops. That alone creates a certain level of management complexity.
In fact, giving further thought to the question of CA management solutions, it does not seem to make all that much sense. Although those solutions may be certainly be able to provide alerts on expiration dates, they have certain other limitations in providing additional critical information about the certificate inventory, most notably where they are installed, how many times they have been copied, and who owns them. In my opinion, this is a critical flaw.
While they do provide a focused view of a limited certificate population, many external CA delivered platforms have difficulty providing management capabilities that span both internal and external CAs. As I mentioned above, this means that administrators will need to use multiple tools that may—or may not—provide the same mechanisms for alerting on certificates that are going to expire.
Most so-called certificate life cycle management solutions will have the basic capabilities to create, revoke and report on certificates, However, in a lot of cases they are lacking proper support for automated installation (provisioning) of certificates, especially on third-party devices such as TLS inspection systems or load balancers.
While onboarding, most companies are eager to help their new customers get going. Certificate authorities are no exception. But if the customer decides to migrate away from that CA, then that same level of eagerness and assistance is no longer available to them. This begs the question: once you decide to change CAs, what kind of migration services can you expect from a vendor locked-in solution?
Not surprisingly, you’ll find that built-in CA management systems will not be able to help you fine tune your CA usage. In other words, they will not allow administrators to move certificates from the one CA to another. This is a critical functionality in the case of a security event that requires immediate attention, such as a breach, a vulnerability or a CA distrust or error. For this level of engagement you’ll need to move beyond simple certificate management to a robust platform for machine identity protection.
After discussing certificate management strategies this many of my customers, they tend to agree that a solution provided by the CA vendor is not the best alternative. Without a doubt they provide certain functionality which is very useful and important. It’s just that CA management solutions are more limiting than you’d realize at first glance. For true certificate life cycle management, you’ll need to extend your strategy to manage and protect across the entire machine identity environment and ecosystem. For that you’ll need a CA-agnostic solution.