Buying digital certificates, or public key certificates, can be a complex process. A digital certificate binds a public key to an identity and plays an essential role in securing communications over the internet and other networks. It lets a user or device verify whom it is communicating with; the private key that matches the certificate then authenticates the key exchange that keeps those communications private.
Every security pro knows how digital certificates work, but very few know how to securely manage them from creation to retirement or revocation. New products and vendors are appearing that promise scalable and secure lifecycle management of certificates. There are in-house, open source, cloud-based or subscription-based options, but can they truly deliver? Enterprises need to understand what managing the lifecycle of a digital certificate entails before they can buy digital certificates that meet specific needs and ensure robust certificate management going forward.
Digital certificates explained
The number of digital certificates required to operate in today's connected world continues to grow, and it is forcing organizations to reassess how they manage the lifecycle of their certificates. If certificates issued from an internal certificate authority (CA) or purchased from a third-party CA aren't carefully managed, they can quickly put an organization at risk of system outages due to missed renewals and of data breaches due to key compromise or misuse. Certificates, particularly those used for public-facing services, that are left unmonitored and unmanaged can expire or be replaced by rogue or invalid certificates. These situations lead to browser error messages that undermine customer trust, to service downtime, or to attackers impersonating services and targeting their users.
Alarmingly, paper- or spreadsheet-based key management systems are used by 57% of companies, according to the Ponemon 2016 Global Encryption Trends Study. This type of manual process is no longer sufficient. Without an automated system, creating a complete list of all the keys and certificates in use, finding and restricting access privileges, and ensuring periodic rotation are Herculean tasks. That's why many IT departments have lost control of the digital certificates within their organization; very few have enterprise-wide visibility.
Certificate lifecycle management involves a multitude of tasks, including certificate request and renewal, approval and rejection, generation and distribution, monitoring, revocation and expiration. NIST Special Publication 800-57 Part 1 Revision 4 provides comprehensive insight into the tasks and infrastructure needed to manage cryptographic keys and certificates. Certain tasks -- such as renewing certificates, maintaining and publishing certificate revocation lists (CRLs), and running Online Certificate Status Protocol (OCSP) responders -- all require specialist skills.
Digital certificates can be vital to business operations, enabling online transactions and machine-to-machine interactions over untrusted networks. This means there must be 24/7 support to resolve problems -- like a certificate verification failure -- that require immediate attention, and avoiding outages of IT services must be a high priority. Standards like the CA/Browser Forum Baseline Requirements Certificate Policy for the Issuance and Management of Publicly-Trusted Certificates and the Mozilla CA Certificate Policy lay out how publicly trusted CAs must issue and manage certificates, including the obligations they pass on to subscribers, such as protecting private keys and requesting revocation promptly after a compromise.
Digital certificate features
There's a shortage of internal IT staff who are qualified and have the necessary resources to properly manage and secure an organization's digital certificates. That's forcing many enterprises into outsourcing the job to a specialist third-party provider or into deploying a product in-house that can automate many of the day-to-day tasks. When deciding to buy digital certificates and assessing potential certificate management tools, the three most important features are arguably the ability to discover existing certificates across the entire IT infrastructure, configuration and vulnerability scanning, and automated tracking and renewal. Any product should also generate a detailed audit trail to demonstrate to auditors that certificates are managed across the enterprise in accordance with its defined policies. Before any organization can monitor and manage its key and certificate assets, it needs to determine where they are located and deployed within its environment: in the data center, on servers and desktops, on mobile and IoT devices and in the cloud. This is best done using an automated tool.
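The lifecycle checks described above (an inventory fed by discovery, expiry tracking against a renewal window, weak-key and deprecated-hash scanning, CRL maintenance, and the verification failures that need prompt attention) as an added example in Go. This is not code from the original article or from any vendor's product: it builds a small constructed PKI (a private CA, five leaf certificates with deliberate defects and a signed CRL; every name, serial number and date is invented) and runs the policy checks a management tool would apply to each certificate it finds. One point the example makes explicit is that Go's chain verification never consults a CRL, so revocation has to be checked separately.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type Finding struct { // audit result for one certificate in the inventory
	Subject string
	Issues  []string // empty means the certificate passed every check
}

// AuditCert applies the checks a lifecycle tool runs over a discovered certificate:
// chain validity against the trusted roots (which covers expiry), the renewal window,
// weak RSA keys, deprecated signature hashes and presence on the issuer's CRL.
func AuditCert(cert *x509.Certificate, roots *x509.CertPool, crl *x509.RevocationList, now time.Time, renewWindow time.Duration) Finding {
	f := Finding{Subject: cert.Subject.CommonName}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now}); err != nil {
		f.Issues = append(f.Issues, "chain does not verify: "+err.Error())
	} else if left := cert.NotAfter.Sub(now); left < renewWindow {
		f.Issues = append(f.Issues, fmt.Sprintf("expires in %d days, renew now", int(left.Hours()/24)))
	}
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < 2048 {
		f.Issues = append(f.Issues, fmt.Sprintf("weak RSA key: %d bits", pub.N.BitLen()))
	}
	if sa := cert.SignatureAlgorithm; sa == x509.SHA1WithRSA || sa == x509.ECDSAWithSHA1 || sa == x509.MD5WithRSA {
		f.Issues = append(f.Issues, "deprecated signature algorithm: "+sa.String())
	}
	for _, rc := range crl.RevokedCertificates { // x509.Verify never reads a CRL; check it ourselves
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			f.Issues = append(f.Issues, "revoked in CRL number "+crl.Number.String())
		}
	}
	return f
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

var LabNow = time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC) // fixed clock so the constructed results are reproducible

// BuildLab issues the constructed (invented) certificates: one healthy, one inside the
// renewal window, one already expired, one on a 1024-bit RSA key and one the CA has revoked.
func BuildLab() (*x509.CertPool, *x509.RevocationList, map[string]*x509.Certificate) {
	day, now := 24*time.Hour, LabNow
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Lab Internal CA"}, NotBefore: now.Add(-day), NotAfter: now.Add(3650 * day),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	issue := func(tmpl, parent *x509.Certificate, pub any, signer crypto.Signer) *x509.Certificate {
		return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
	}
	ca := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed root
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	leaf := func(serial int64, cn string, notAfter time.Time, pub any) *x509.Certificate {
		return issue(&x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
			NotBefore: now.Add(-day), NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature,
		}, ca, pub, caKey)
	}
	ecKey, weakKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), must(rsa.GenerateKey(rand.Reader, 1024))
	leaves := map[string]*x509.Certificate{
		"good":    leaf(10, "api.lab.example", now.Add(300*day), &ecKey.PublicKey),
		"soon":    leaf(11, "www.lab.example", now.Add(12*day), &ecKey.PublicKey),
		"expired": leaf(12, "old.lab.example", now.Add(-time.Hour), &ecKey.PublicKey),
		"weak":    leaf(13, "legacy.lab.example", now.Add(300*day), &weakKey.PublicKey),
		"revoked": leaf(14, "vpn.lab.example", now.Add(300*day), &ecKey.PublicKey),
	}
	crlDER := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(7), ThisUpdate: now, NextUpdate: now.Add(day),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: leaves["revoked"].SerialNumber, RevocationTime: now}},
	}, ca, caKey))
	crl := must(x509.ParseRevocationList(crlDER)) // parsed back, as a relying party would fetch it
	if err := crl.CheckSignatureFrom(ca); err != nil {
		panic(err) // never act on a CRL the issuer did not sign
	}
	return roots, crl, leaves
}

func main() {
	roots, crl, leaves := BuildLab()
	for name, c := range leaves {
		fmt.Println(name, AuditCert(c, roots, crl, LabNow, 30*24*time.Hour).Issues)
	}
}
```

In a real tool the `leaves` map would be populated by discovery (TLS scans, file-system and key-store crawls) and the CRL fetched from the issuer's distribution point; the checks themselves stay the same. The expired certificate shows up as a chain-verification failure rather than a renewal warning because a relying party would already be rejecting it, which is the kind of problem the 24/7 support mentioned above exists to handle.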
Entrust Discovery, for example, can be deployed either on premises or as a feature of its Entrust Cloud platform. Venafi offers various enterprise-key and certificate management tools that automate the provisioning, monitoring, validation and management of digital certificates and encryption keys across heterogeneous environments. Its tools also provide a discovery feature that enables administrators to locate already issued keys and certificates.
Once a full inventory has been built, the next task is to check that keys and certificates are installed and properly configured. GlobalSign offers a cloud-based certificate management platform that provides centralized control of all the different types of digital certificates used across a typical organization. Another product is the CSS Certificate Management System, which can be deployed in-house or as a component of managed services to control all aspects of the certificate lifecycle across multiple platforms. A web-based tool that can help to consolidate, control, manage, monitor and audit the entire lifecycle of SSH keys and SSL certificates is ManageEngine Key Manager Plus. In an attempt to lower the cost of certificate management, HydrantID has begun offering an SSL certificate subscription service. A subscription to the HydrantID service gives an enterprise access to a cloud platform for managing all the different SSL certificates it may need, with certain types of certificates priced on a monthly basis. The aim is to allow enterprises to manage all their certificates centrally and reduce the risk of failing to renew them due to poorly managed internal certificate records.
Organizations that choose to operate their own certificate authority need to put in place physical as well as logical security controls to ensure the security and integrity of their root signing keys and certificates. Enterprises already using Microsoft Active Directory Certificate Services or other in-house certificate services such as IBM's PKI (public key infrastructure) Services for z/OS should consider deploying a hardware security module (HSM) such as Gemalto's SafeNet HSM to provide a secure hardware storage location that protects the CA's and any subordinate CAs' private keys from unauthorized access, theft and tampering. HSMs are used by all major certificate service providers and help safeguard the integrity of the entire PKI, its certificates and the applications that depend on them. Running an internal CA is not a decision to be taken lightly, though. Most public CAs that offer managed PKI services provide features such as Active Directory integration and cost-effective certificate options for internal purposes, eliminating the hassle of managing an internal CA while offering technical expertise and the latest in security technologies.
One department that will require a very responsive CA is application development. Certificates are usually needed throughout each stage of the development, testing and implementation lifecycle, and delays in their generation can hold up subsequent phases. Those developing cloud-based applications for internal users or customers should make full use of the key services offered by their cloud provider. For example, Amazon Web Services' Key Management Service (KMS) makes it easy to create and control the keys used to protect data stored in AWS services, with logs of all key usage. Like KMS, Microsoft's Azure Key Vault stores keys in HSMs. Note that these services manage encryption and signing keys; neither is a certificate authority, so certificates for those applications still need a CA and a renewal process of their own.
For small organizations with limited financial resources that want to buy digital certificates, there is a new certificate authority called Let's Encrypt, offering a free, automated CA service provided by the Internet Security Research Group, a public benefit organization. Its certificate management client runs on the administrator's own web server and automates certificate issuance and installation over the ACME protocol. The client automatically takes care of certificate renewal, enabling those who don't necessarily have the skills, budget or time to install a web server certificate and configure their server to use HTTPS. Let's Encrypt issues domain validated (DV) certificates, meaning that only control of the domain is verified. An extended validation (EV) SSL certificate requires CAs to carry out additional checks to establish the legal identity as well as the operational and physical presence of the website owner; browsers of the time rewarded this with a green address bar alongside the padlock, although the major browsers have since dropped the distinct EV indicator. Where an EV certificate is not required, a DV certificate is better than none at all.
The bottom line
The more that devices and applications become encryption key- and certificate-enabled, the higher the risk of poor certificate management causing serious problems for data privacy, security and availability. In the Ponemon study, 53% of respondents rated the management of keys at a fairly high pain level, mainly because there is no clear ownership of the key management function, a lack of skilled personnel and isolated or fragmented key management systems. Implementing an enterprise key and certificate tool to manage and automate many aspects of the lifecycle of an organization's certificates will reduce the overall cost and complexity of managing them across modern, distributed environments. It helps prevent service outages while freeing up administrators' time to respond to more serious certificate-related events, like Heartbleed, where potentially exposed private keys had to be replaced and certificates reissued, or to perform updates to meet changing compliance requirements, such as the SHA-1 migration.
For organizations set to buy digital certificates, there are plenty of products and vendors offering customizable features and packages, and it's time to check them out. Otherwise, certificate-related incidents will keep preoccupying already overstretched IT teams.