Identify Vulnerabilities. Enforce Policies. Detect Anomalies.

Analyst Coverage

“Cybercriminals are known to steal SSH keys or manipulate which keys are trusted to gain access to source code and other valuable intellectual property”

“Advanced threat detection provides an important layer of protection but is not a substitute for securing keys and certificates that can provide an attacker trusted status that evades detection.”

"Basically, the enterprise is a sitting duck."

"PKI is under attack...Advanced and persistent adversaries go for keys"

"When there are many hundreds of certificates from a variety of certificate authorities, the only ecumenical [universal], nonproprietary provider of a certificate management solution is Venafi. Other CA management systems are biased toward the particular CA by, for example, only supporting renewals from that specific CA."

"No CISO could consider having tens of thousands of unknown network ports open and have no way to control them. But that’s the alarming reality today with regards the trust established by keys and certificates..."

"Organizations with roughly 200 or more documented X.509 certificates in use are high-risk candidates for unplanned expiry and having certificates that have been purchased but not deployed."

"Technology critical to cloud computing is in clear and present danger...attacks on Secure Shell (SSH) keys present the most alarming threat arising from failure to control trust."

“Certificates can no longer be blindly trusted”

“Just because something is digitally signed doesn't mean it can be trusted.”

“Enterprise awareness of attacks on keys and certificates is in its infancy; most don’t understand how to detect or respond to an attack.”

TrustAuthority SSL

In recent years, malware designed to steal cryptographic keys and digital certificates has grown explosively. Two forces have driven this growth. Cyber-criminals have found that they can use keys and certificates to infiltrate networks far more effectively. The keys and certificates also make their unauthorized activities look normal, drastically decreasing the chance of detection. One in five organizations has already fallen prey to a key- or certificate-based attack in the last two years.

Venafi TrustAuthority, part of Venafi Trust Protection Platform, identifies SSL certificate vulnerabilities, enforces enterprise policies, provides a secure self-service portal, and detects certificate-based anomalies with ongoing monitoring. TrustAuthority performs network- and agent-based scanning to identify all SSL certificates, signed by multiple Certificate Authorities (CAs), across the enterprise network and out to the cloud. By deploying TrustAuthority, enterprises take the first step in securing and protecting digital certificates: establishing a well-regulated and visible state in which anomalies can be easily detected. TrustAuthority enables organizations to:

  • Increase threat intelligence
  • Reduce the attack surface
  • Detect certificate-based anomalies and untrustworthy CAs
  • Recover faster from compromise

What It Does

TrustAuthority identifies and fixes existing SSL certificate vulnerabilities, as well as detects certificate-based anomalies with continuous monitoring.

As a first step, TrustAuthority identifies certificates across the enterprise and in the cloud, discovering the configuration and location of each certificate. It completes this step by gathering data from CAs and by performing network- and agent-based scans.

Next, TrustAuthority enforces enterprise policies and fixes certificate vulnerabilities. It detects certificates that do not comply with enterprise policies for certificate attributes such as key length, hashing algorithm, validity periods, and authorized CAs. It replaces these vulnerable certificates with new, compliant certificates.

TrustAuthority enables organizations to establish a baseline of normal certificate usage. In addition, with TrustAuthority organizations can gain control of the certificate issuance process. TrustAuthority’s secure self-service portal with easy-to-use wizards enables administrators and application owners to request and receive certificates. The self-service portal aligns certificate request processes with enterprise policies, eliminating errors, oversights, and vulnerabilities. Granular control of certificates and policies considerably reduces your risk of data breaches, compliance audit failures, and system outages.

Discovery and CA Import

TrustAuthority maintains a complete inventory of all the keys and certificates in your organization. It performs network- and agent-based discovery and automatically imports server certificates from all CAs on a scheduled basis. With a complete and accurate certificate inventory, IT security teams can quickly identify and respond to targeted attacks and eliminate system outages. They gain visibility into certificates in use or near expiration and can discover mismanaged keys that are exposed to unauthorized access.

Policy-based Enforcement

TrustAuthority applies secure key and certificate policies across the enterprise. In this way, it protects your network against attacks that exploit poorly configured keys and certificates or outdated cryptographic technologies. It provides a robust policy framework for workflow processes as well as for certificate attributes such as key length, validity period, and cryptographic hash type.

Notifications and Alerts

Proactive and timely notifications alert administrators to events such as the impending expiration of a certificate. TrustAuthority also validates that all monitored certificates are properly installed and configured.

Support for Multiple CAs, Applications, and Platforms

TrustAuthority provides multi-vendor support that spans across the widest range of CAs, applications, hardware security modules (HSMs), and platforms. It integrates directly with leading industry applications and CAs, ensuring seamless certificate requests, installations, enrollments, renewals, and validations.

Security and Compliance Reports

With TrustAuthority, security teams can easily identify certificate-based anomalies and quickly remediate issues related to weak signing algorithms, weak key length, excessive validity period, impending expirations, and more. They gain visibility into the root certificates that are trustworthy or untrustworthy within your environment. By detecting root certificates that should not be trusted, organizations can prevent attacks that leverage root certificates.

Audit Reporting

Automated reporting on all logged key and certificate events provides visibility into the status of controlled encryption assets. Administrators can troubleshoot problems easily, perform operational reviews, verify compliance with corporate policies and regulations, and respond quickly to audit requests.

RESTful API Reference

Organizations can rapidly integrate TrustAuthority into third-party systems. A complete reference guide to its RESTful API helps organizations integrate TrustAuthority seamlessly into custom solutions.

Why It’s Important

TrustAuthority helps organizations secure their certificate inventory. By gaining insight into the certificate inventory and applying policies to certificates, organizations can reduce their risk exposure, both decreasing the chance of a data breach and decreasing the impact if a breach does occur.

Increase Threat Intelligence

TrustAuthority provides a complete inventory of all keys and certificates, enabling you to identify your organization’s security gaps and mitigate threats.

  • Discover mismanaged and rogue keys that are exposed to unauthorized access
  • Discover keys that use weak encryption, rendering them vulnerable to well-known exploits

Reduce Organizational Risk

You can reduce your organization’s attack surface and respond faster to attacks by rapidly replacing compromised certificates.

  • Control the full certificate lifecycle
  • Gain clear insight into any key and certificate within the datacenter, on desktops, or in the cloud
  • Enforce robust policies and ensure administrators configure cryptographic keys and certificates according to secure standards

Compliance and Audit Success

TrustAuthority ensures certificates comply with standards such as the Payment Card Industry Data Security Standard (PCI-DSS). It also ensures that certificates follow National Institute of Standards and Technology (NIST) recommendations, such as the use of 2048-bit keys.

  • Enforce policies that control approved CAs, key lengths, validity periods, cryptographic hash types, workflow processes, and much more
  • Log all key and certificate events for auditing and reporting
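The policy checks described under Policy-based Enforcement, Security and Compliance Reports, and this section (key length, signing hash, validity period, impending expiry, authorized CAs) can be expressed as a small audit routine. The following is an added example, not Venafi's code: it runs the checks over constructed inventory records shaped like what a discovery scan collects; the 2048-bit RSA minimum is the NIST figure the page cites, while the other thresholds, issuer names and hosts are assumptions made for the example.

```python
from datetime import datetime
# Policy thresholds. The 2048-bit RSA minimum follows the NIST guidance the
# page cites; the remaining values are assumptions chosen for this example.
POLICY = {
    "min_rsa_bits": 2048,
    "allowed_hashes": {"sha256", "sha384", "sha512"},
    "max_validity_days": 398,
    "expiry_warning_days": 30,
    "authorized_issuers": {"Example Corp Internal CA", "Example Public CA"},
}
NOW = datetime(2024, 6, 1)  # fixed clock so the findings are reproducible

# Constructed inventory records, shaped like what a discovery scan collects.
SAMPLE_INVENTORY = [
    {"host": "web01.example.test:443", "subject": "web01.example.test",
     "issuer": "Example Public CA", "key_type": "RSA", "key_bits": 2048, "sig_hash": "sha256",
     "not_before": datetime(2024, 1, 1), "not_after": datetime(2025, 1, 1)},
    {"host": "legacy.example.test:8443", "subject": "legacy.example.test",
     "issuer": "Old Vendor CA", "key_type": "RSA", "key_bits": 1024, "sig_hash": "sha1",
     "not_before": datetime(2020, 1, 1), "not_after": datetime(2025, 1, 1)},
    {"host": "mail.example.test:25", "subject": "mail.example.test",
     "issuer": "mail.example.test", "key_type": "RSA", "key_bits": 2048, "sig_hash": "sha256",
     "not_before": datetime(2023, 6, 20), "not_after": datetime(2024, 6, 20)},
]

def check_certificate(cert, policy=POLICY, now=NOW):
    """Return the policy findings for one record; an empty list means compliant."""
    findings = []
    if cert["key_type"] == "RSA" and cert["key_bits"] < policy["min_rsa_bits"]:
        findings.append(f"weak key: RSA {cert['key_bits']} < {policy['min_rsa_bits']}")
    if cert["sig_hash"].lower() not in policy["allowed_hashes"]:
        findings.append(f"weak signing hash: {cert['sig_hash']}")
    validity = (cert["not_after"] - cert["not_before"]).days
    if validity > policy["max_validity_days"]:
        findings.append(f"excessive validity: {validity} days")
    days_left = (cert["not_after"] - now).days
    if days_left < 0:
        findings.append("expired")
    elif days_left <= policy["expiry_warning_days"]:
        findings.append(f"expires in {days_left} days")
    if cert["issuer"] not in policy["authorized_issuers"]:
        findings.append(f"unauthorized CA: {cert['issuer']}")
    if cert["issuer"] == cert["subject"]:
        findings.append("self-signed")
    return findings

def audit(inventory, policy=POLICY, now=NOW):
    """Map each host to its findings so a report can list the non-compliant ones."""
    return {c["host"]: check_certificate(c, policy, now) for c in inventory}
```

Feeding real scan output into `audit` means filling the same fields from each discovered certificate; the record for a host with an empty finding list is compliant with the policy.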

How It Works

Network-based Discovery

Administrators simply enter an IP address or range of IP addresses and define the relevant ports to inspect. The network discovery engine systematically and non-invasively queries each host for certificates from any CA (including Secure Sockets Layer [SSL], Extended Validation [EV] SSL, Transport Layer Security [TLS], Simple Mail Transfer Protocol [SMTP], and self-signed certificates). It collects information about the certificates and presents a status report. Administrators can then easily identify systems that are at risk or require attention, as well as place discovered certificates under control. They can also schedule ongoing surveys of the infrastructure, which alert them whenever anything new is found.

Agent-based Discovery

TrustAuthority includes a high-performance agent discovery system that enables administrators to schedule scans for certificates in designated local directories on servers and machines. TrustAuthority brings the discovered certificates under control. It enforces enterprise policies, establishes a baseline of normal certificate usage, and continuously monitors certificates that are already protected as well as new certificates that enter the system.

Automatic CA Import

TrustAuthority automatically imports SSL certificates from all CAs on a scheduled basis, keeping its certificate inventory up to date. TrustAuthority also updates certificates to the new versions when certificates are renewed at the CA.

Continuous Monitoring

TrustAuthority continuously monitors keys and certificates to improve an organization’s inventory, asset, and risk management processes. The flexible notification and escalation functionality allows administrators to send dynamically generated messages, and it automatically determines owners and escalation paths. You can also easily configure monitoring to validate the work of administrators, as well as to verify that systems are functioning properly, using the appropriate keys and certificates, and complying with policies.

Brokered CA Certificate Requests and CSR Generation

With TrustAuthority your organization can control the entire renewal and rotation process for SSL certificates from multiple CAs. TrustAuthority provides full, end-to-end automation of the certificate lifecycle—from the CA all the way to the targeted application or platform. Administrators can automatically replace expired certificates and out-of-date keys on targeted platforms, eliminating formerly manual processes, including key and Certificate Signing Request (CSR) generation, CSR submission to CAs, CA approval, and issued certificate retrieval. Administrators can also easily migrate certificates from one CA to another; workflow approvals and reviews regulate the complete process. Centralized and automated lifecycle control not only helps reduce administrative costs, but also eliminates errors due to manual processes and ensures compliance with corporate policies and regulations.

The Immune System for the Internet