7 Common Mistakes: TLS Certificate Management


Digital certificates protect data in transit and the applications behind it, and when they fail (often because of easy-to-overlook oversights in managing them: an expiry nobody tracked, a weak key nobody rotated, a host nobody knew was serving TLS) the result is an outage or a breach that can seriously damage an organization. Let’s explore the typical oversights IT teams need to be aware of when dealing with digital certificates.

1. Not having a complete inventory of your certificates

You cannot manage what you can’t see. When you don’t have visibility into your complete certificate inventory, or when certificates are not properly documented and are tracked in spreadsheets and homebrew tools, you are likely to run into trouble: the certificate that expires on a Friday night is almost always one that nobody knew existed. This is especially true since the number of certificates grows quickly with the number of devices, services and internal endpoints an organization operates, and each one has its own issuer, key, expiry date and owner.

2. Using outdated and deprecated protocols

When a protocol version or a cryptographic algorithm becomes outdated or is found to be broken, browsers and major service providers drop support for it and expect every dependent party to move to the current standards. Sometimes an older protocol lingers for compatibility (TLS 1.0 and 1.1, for example, which the major browsers disabled during 2020 and which are now formally deprecated), even though the newer versions are recommended. Note that there are three separate things to track here: the TLS versions an endpoint negotiates, the cipher suites it offers, and the algorithms in the certificate itself (key type and size, and the signature hash; SHA-1-signed certificates, for instance, have been rejected by browsers since 2017). Without complete visibility into your environment, you won’t necessarily know which certificates or which endpoint configurations need updating. As a result, many organizations keep serving outdated certificates or deprecated protocols, unaware of their status, until a client stops accepting the old configuration and an outage occurs, or an attacker exploits the weak one.

3. Relying on short key lengths

Finding the right key length is a balance between application fit, strength and speed. Shorter keys are a bit faster and may offer some compatibility benefits, but they are also weaker against attack, including factoring (for RSA) and brute-force searches. Certificate Authorities follow the CA/Browser Forum Baseline Requirements, which set minimums (currently RSA keys of at least 2048 bits and ECDSA keys on the P-256 or P-384 curves), and a public CA will not sign a request with a key shorter than that. As attack capabilities improve, so do the minimum key lengths. Staying on top of the industry and CA guidelines, and applying the same minimums to your internal CA, is a good way to ensure that your keys are strong enough to withstand an attack.

4. Using self-signed certificates

Using self-signed certificates, instead of those issued by a trusted authority, can be an appealing option, mostly because they don’t cost anything, at least in the short run. The problem is not the certificates themselves but the lack of visibility into where these keys are installed and hosted. Often, teams forget how many of these certificates they have, and eventually they fall out of compliance with the company’s security policies. There is a second cost as well: a client cannot distinguish a legitimate self-signed certificate from one an attacker presents, so users and scripts learn to click through or disable certificate validation. What starts out as a free option may become very costly if one of these certificates becomes a gateway for an attacker to gain entry into your network. If self-signed certificates are unavoidable (test environments, appliances), record them in the inventory like any other certificate and prefer issuing them from a private CA whose root can be distributed and validated.


5. Lack of certificate protection policies and practices

The lack of proper policies for safeguarding digital certificates and, above all, their private keys can lead to security breaches, both from external attackers and from within the organization. The certificate is public; it is the private key that must be protected. Storing private keys in an HSM, so that they can be used for signing and decryption but never exported, is among the best ways to ensure that a compromised server or a departing employee does not walk away with a copy. Where an HSM is not practical, the policy should at least define who may generate keys, where they may be stored, and how and when they are rotated.

6. Overly long certificate lifespans

Certificates expire for a reason. Just like passports or driver’s licenses, they need to be periodically renewed so that the information in them is re-verified. A shorter validity period limits how long a compromised, mis-issued or forgotten certificate remains usable, and it forces regular key rotation; the trade-off is that it only works if renewal is reliable. Last month, Apple announced that starting September 1, 2020, Safari would no longer trust SSL/TLS certificates with a validity period longer than 1 year plus a short grace period (398 days in total). The discussion about capping certificate lifetimes at one year has been going on at the CA/B Forum for a while, and it looks like the leading browser vendors are getting behind it.
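The six mistakes above all reduce to checks that can be run over an inventory once you have one. The following script is an added example, not code from the original post or from any vendor product: it applies a policy (short keys, weak signature algorithms, self-signed issuers, lifetimes over 398 days, imminent expiry, and endpoints still offering TLS 1.0/1.1) to a constructed inventory of three records. The hostnames and the threshold values are illustrative assumptions; replace the sample list with the output of your own discovery tooling.

```python
# Added example: a policy check over a certificate inventory.
# Sample records are constructed for illustration; the thresholds are
# assumed policy values chosen for this example, not a vendor's defaults.
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

MIN_RSA_BITS = 2048            # public CAs will not sign RSA keys shorter than this
MIN_EC_BITS = 256              # P-256 or larger
MAX_LIFETIME_DAYS = 398        # one year plus grace period (Apple policy, Sept 2020)
EXPIRY_WARNING_DAYS = 30
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
WEAK_SIG_ALGS = {"md5WithRSAEncryption", "sha1WithRSAEncryption", "ecdsa-with-SHA1"}


@dataclass
class CertRecord:
    """One row of the inventory, as a discovery scan would report it."""
    host: str
    subject: str
    issuer: str
    key_type: str               # "RSA" or "EC"
    key_bits: int
    sig_alg: str                # signature algorithm name as OpenSSL prints it
    not_before: date
    not_after: date
    protocols: frozenset[str]   # TLS versions the endpoint actually offers

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def check(rec: CertRecord, today: date) -> list[str]:
    """Return policy findings for one record, each as 'code: detail'."""
    findings: list[str] = []
    min_bits = MIN_RSA_BITS if rec.key_type == "RSA" else MIN_EC_BITS
    if rec.key_bits < min_bits:
        findings.append(f"short-key: {rec.key_type} {rec.key_bits} < {min_bits}")
    if rec.sig_alg in WEAK_SIG_ALGS:
        findings.append(f"weak-signature: {rec.sig_alg}")
    if rec.self_signed:
        findings.append(f"self-signed: {rec.subject}")
    lifetime = (rec.not_after - rec.not_before).days
    if lifetime > MAX_LIFETIME_DAYS:
        findings.append(f"lifetime-too-long: {lifetime} days > {MAX_LIFETIME_DAYS}")
    remaining = (rec.not_after - today).days
    if remaining < 0:
        findings.append(f"expired: {-remaining} days ago")
    elif remaining <= EXPIRY_WARNING_DAYS:
        findings.append(f"expires-soon: {remaining} days left")
    deprecated = sorted(rec.protocols - ALLOWED_PROTOCOLS)
    if deprecated:
        findings.append("deprecated-protocol: " + ", ".join(deprecated))
    return findings


def audit(records, today: date) -> dict[str, list[str]]:
    """Run check() over every record; hosts with an empty list are clean."""
    return {r.host: check(r, today) for r in records}


def finding_codes(findings) -> list[str]:
    """Strip the detail so a report can group findings by code."""
    return [f.split(":", 1)[0] for f in findings]


# Constructed sample inventory (hosts and issuers are illustrative).
SAMPLE = [
    CertRecord("web-01.example.com", "CN=web-01.example.com", "CN=Example Public CA",
               "RSA", 2048, "sha256WithRSAEncryption",
               date(2020, 3, 1), date(2021, 3, 1), frozenset({"TLSv1.2", "TLSv1.3"})),
    CertRecord("legacy-api.example.com", "CN=legacy-api.example.com", "CN=Example Public CA",
               "RSA", 1024, "sha1WithRSAEncryption",
               date(2017, 5, 1), date(2020, 5, 1), frozenset({"TLSv1.0", "TLSv1.1", "TLSv1.2"})),
    CertRecord("build-server.internal", "CN=build-server.internal", "CN=build-server.internal",
               "EC", 256, "ecdsa-with-SHA256",
               date(2015, 1, 1), date(2025, 1, 1), frozenset({"TLSv1.2"})),
]
AS_OF = date(2020, 4, 15)  # fixed "today" so the sample run is reproducible

if __name__ == "__main__":
    for host, findings in audit(SAMPLE, AS_OF).items():
        print(host, "OK" if not findings else "")
        for f in findings:
            print("   ", f)
```

Run as written, the first host comes back clean, the legacy API host collects five findings (1024-bit RSA key, SHA-1 signature, a 1096-day lifetime, 16 days to expiry, and TLS 1.0/1.1 still enabled), and the build server is flagged as self-signed with a ten-year lifetime. The point of keeping the thresholds in named constants at the top is that they are the policy: when the CA/B Forum or a browser vendor tightens a requirement, one line changes and the next run shows every endpoint that is now out of compliance.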

7. Managing certificates manually

This point ties right back to the first item on this list: lack of visibility. Manually maintaining long spreadsheets of certificates is time-consuming and error-prone, and it is bound to lead to security slip-ups, especially as validity periods shrink and renewals become more frequent. The practical way to streamline TLS certificate management is automation: discovery, renewal, deployment and revocation driven by a Certificate Lifecycle Automation and Management solution rather than by calendar reminders.

AppViewX can offer the following services:

  • Discovery – to get you an inventory of every certificate in your environment along with critical details including the TLS version, cipher suite details, and endpoints affected by the Heartbleed vulnerability;
  • Reporting – with an application-centric view of all your certificates, their status, and expiration dates;
  • Audit and Compliance – the ability to audit each certificate’s procurement, usage, and access to keys.

These capabilities not only help you avoid costly mistakes related to TLS certificate management, but also put consistent and repeatable processes in place to ensure maximum security for your organization.

Want to learn more? Visit: https://www.appviewx.com/products/cert/
