X.509 certificates and keys are an area of focus in this age when cyberattacks are on the rise. Private keys are casually stored in devices handling SSL/TLS termination, and in most cases, in plain text without basic encryption. It is surprising that most enterprises still use manual methods for certificate renewal and SSL certificate generation, which means that there are people who have full access to a key and its passphrase, or worse, they have a plain text version of the key. The key and certs are stored in various devices and appliances that are managed independently. This raises a concern that an attack on the device or tool storage can compromise private keys. Anyone who has access to the keys can decrypt traffic that flows to the original site, and they can set up phishing sites and steal information and sessions, resulting in a security nightmare.
The U.S. Federal Government developed Federal Information Processing Standards (FIPS 140) that specify requirements for cryptographic modules to ensure that all federal agencies adhere to the same guidelines regarding security and communication. FIPS 140 specifically discusses the hardware and software components of cryptographic modules. FIPS-compliant devices store the private keys securely based on the required level of compliance, which deters an attacker from getting access to the sensitive private key in a reusable format.
AppViewX Encryption Complies with FIPS Requirements
AppViewX’s Certificate Lifecycle Automation solution acts as a certificate discovery tool that helps in discovering certificates and helps in certificate lifecycle management through periodic certificate expiry alerting, renewing SSL/TLS certificates automatically, and revocation. It supports all major commercial certificate authorities (CAs). The solution has a built-in, OpenSSL-based PKI that can be used for internal testing and deployments.
AppViewX is a unique combination of application configuration management and X.509 certificate management tool in a single system. It also supports SCEP, ACME, EST, Ansible, Chef and Puppet certificate enrolments. SSL/TLS certificates are automatically renewed and pushed to the devices through a workflow engine that can implement automatically or with manual intervention to simplify the whole process. Certificates and renewals are validated by a monitor that checks for intermediate certificates and valid CA configurations on the devices, enabling complete certificate lifecycle management.
AppViewX protects the private keys in a secure part of the database, which is encrypted using the AES-256 algorithm. It encrypts each private key with independent keys and stores it in the database with a randomly generated key. Alternatively, the keys can be stored in a hardware security module. Applications can auto-deploy using the REST API to automate the application deployment and certificate generation process to restrict human access to keys.