Question 1

How granular is your platform’s role-based access control (RBAC) system?

Accepted Answer

RBAC is an integral part of our low-code network automation platform. It allows users to specify the modules and functionalities that each member can access, while providing the necessary read/modify control for managing devices and other digital assets.

Question 2

Can I migrate my certificates from a spreadsheet using your certificate lifecycle automation solution?

Accepted Answer

Yes, there is an option to upload your certificates using a spreadsheet. However, we recommend running a certificate discovery to track down undocumented SSL certificates as well.

Question 3

How secure are my private keys when I implement your certificate lifecycle automation solution?

Accepted Answer

You have two choices – use our AES-256 encrypted database or use your HSM. Both ways ensure total security. We also integrate with leading password vaults for seamless device management.

Question 4

How do you handle privileged access management with your certificate lifecycle automation solution?

Accepted Answer

If you need to elevate a user’s privilege on a device temporarily, specify the duration and initiate a request. When the time period you specified passes, the keys and any on-going sessions will be automatically terminated.

Question 5

Which cloud vendors do your platform support?

Accepted Answer

It primarily depends on which solution you are using. However, we support AWS, Google Cloud, Microsoft Azure and OpenStack.

Question 6

Can your certificate lifecycle automation solution manage certificates on web servers and app servers?

Accepted Answer

Yes. Not just web and app servers. Our certificate management solution allows users to easily manage and renew certificates across load balancer, firewall, container, and IoT and multi-cloud environments, thus helping maintain compliance and avoid downtime.

Question 7

What is closed-loop automation?

Accepted Answer

In closed-loop automation, the system automatically performs certain tasks until the necessary intent is achieved. Our platform helps you automate time-consuming, repetitive tasks and is capable of verifying that intent has been achieved with minimal human intervention.

Question 8

What do you mean by low-code automation?

Accepted Answer

Our entire platform is built on a low-code architecture. This enables you to quickly develop automation workflows and reports catering to your business needs with minimal effort. Additionally, any new feature requests will be supported faster owing to minimal coding requirements.

Question 9

What are the application delivery vendors supported by AppViewX?

Accepted Answer

The AppViewX Platform is the industry’s first platform to manage, automate and orchestrate best-in-class and open-source application delivery services. It supports both traditional and non-traditional ADCs from leading vendors - A10 Networks, Akamai Technologies, Amazon Web Services (Elastic Load Balancers), Brocade, Cisco, Citrix, F5 Networks, HA Proxy, NGINX, Radware.

Question 10

What is Public-key Cryptography?

Accepted Answer

Public-key cryptography, or asymmetric cryptography, is a network data encryption scheme that has two keys – public and private key – as its working parts. The encryption scheme is classified asymmetric since it uses non-identical key pairs for the process. In this scheme, the public key, which can be shared publicly across the network to forge a connection, is used for encryption, while the private key, which is the exclusive property of the owner and should be kept secret, is used for decryption. The essence of this scheme lies in that though the two keys are mathematically related, you cannot derive the private key from the public key. This means only the person to whom the message is intended, i.e. the one who possesses the private key, can decrypt the message. Public-key cryptography is employed to guarantee data integrity and to prevent hackers from breaking into in-transit data in networks.

Question 11

What is Public Key Infrastructure (PKI)?

Accepted Answer

The PKI is a bundle of technologies, policies, and processes that facilitate the deployment of public-key cryptography in a network. The main purpose of a PKI is to ensure that all communication that takes place over a network (between a server and a client) is private and encrypted. It provides a framework for the implementation of data security techniques like encryption and digital signatures, and employs digital certificates to check the validity of various network endpoints. A digital certificate binds the public key to the entity it’s destined for, like a website or a service, and is a proof of an entity’s authenticity.

Question 12

What are Public and Private Keys?

Accepted Answer

Public keys and private keys are the working parts of Public-key cryptography. Together, they encrypt and decrypt data that resides or moves in a network. The public key is truly public and can be shared widely while the private key should be known only to the owner. In order for a client to establish a secure connection with a server, it first checks the server’s digital certificate. Then, the client generates a session key that it encrypts with the server’s public key. The server decrypts this session key with its private key (that’s known only to the server), and the session key is used by the client-server duo to encrypt and decrypt messages in that session. In case of email communication, the sender’s private key signs the message while the recipient’s public key verifies the sender’s signature. This is why the private key should be kept secret– exposing it will pave the way for hackers to intercept and decrypt data and messages.

Question 13

What are SSH keys?

Accepted Answer

SSH (Secure Shell) keys provide remote access to devices, like servers and ADCs (Application Delivery Controller – a device placed between web/application servers and client machines to perform load balancing, rate shaping, SSL offloading, etc.), that make up the network infrastructure. They resemble passwords in that they grant controlled access–deciding who gets to do what. Similar to passwords, SSH keys also require policies, provisioning, and termination.

Question 14

What is the Need for SSH keys Protection?

Accepted Answer

A typical Fortune 500 company has several million SSH keys that provide access to its network devices–an overwhelming number to manage. Protecting and managing SSH keys is of paramount importance because these keys provide access to some of the most critical of an organization, likeservers, databases, firewalls, payroll systems, etc. If they fall into the wrong hands, hackers could get their hands on the core network infrastructure, manipulate the critical devices, and either bring the network down or make away with sensitive organization and client data.

Question 15

What are Hardware Security Modules (HSM)?

Accepted Answer

Hardware Security Modules (HSM) are tamper-proof physical devices that safeguard secret digital keys and help in strengthening asymmetric/symmetric key cryptography. They’re used in achieving high level of data security and trust when implementing PKI or SSH. HSMs provide an additional layer of security by storing the decryption keys separate from the encrypted data. This way, even when a breach occurs, data that’s encrypted doesn’t get exposed.

Question 16

What are Digital Certificates?

Accepted Answer

Digital certificates are a proof of an endpoint’s authenticity, like a server or a user. For example, if a browser requests a website, how do we know that the page that’s returned to us is the genuine one? Digital certificates provide the stamp of genuineness by binding the public key with the entity (server or client) that owns it, provided the entity possesses the corresponding private key. Digital certificates are issued by a Certificate Authority (CA).

Question 17

Types of Digital Certificates

Accepted Answer

There are three types of Digital Certificates; namely 1.TLS/SSL Certificate, 2.Code Signing Certificate, 3.Client Certificate

Question 18

What is TLS/SSL Protocol?

Accepted Answer

TLS (Transport Layer Security), and its now-deprecated predecessor TLS/SSL(Secure Socket Layer), are cryptographic protocols that provide secure communication over computer networks. A website that’s TLS-enabled is preceded by ‘HTTPS,’ where ‘S’ stands for ‘Secure.’ All information that flows between the browser and an HTTPS website is private, encrypted, and protected against all kinds of interception. TLS uses PKI to verify server/host/domain authenticity.

Question 19

What is TLS Handshake?

Accepted Answer

For a client to establish a secure connection with a server, the two parties first perform a “handshake” using asymmetric cryptography. In the beginning of the handshake, the server sends its digital certificate across to the client on receiving its request to connect. The client checks the certificate for problems, and on finding none, encrypts a “session key” with the server’s public key (that’s found on the certificate). The server decrypts this session key with its private key (that’s known only to it). Now, both the server and the client knows the session key, and this key is used to encrypt and decrypt all messages that are exchanged in that particular session. The session key is discarded after the session terminates.

Question 20

What are TLS/SSL Certificates?

Accepted Answer

TLS/SSL certificates are a type of X.509 certificates used to verify the legitimacy of a server-side endpoint in browser-server communication. In complying with the X.509 standard, a typical TLS/SSL certificate contains the owner’s public key, the subject or the owner name, serial number, the name of the CA, the validity period (start and end date), and a digital signature with the CA’s private key.

Question 21

What are TLS/SSL Certificate Functions?

Accepted Answer

TLS/SSL certificates are the fundamental concept of PKI and act as security checkpoints in network communication. Essentially, these certificates bind the public key to the corresponding owner, which could be a server, domain, or host. Before binding, the key has to be verified to belong to the purported owner, the onus of which lays on the Certificate Authority (CA) that issues these certificates. Once the authenticity of the entity (say website) being requested has been verified, the browser uses the public key of that website to initiate a secure connection with it.

Question 22

What is the need for TLS/SSL Certificates?

Accepted Answer

An TLS/SSL certificate lends the stamp of authenticity to your websites. The HTTPS padlock lets your visitors know that your website is secure and all information that they may share with it is private and encrypted. This is especially vital when your website handles confidential user information like logins and passwords, financial details, personal data, etc. Aside from the security aspect, having an TLS/SSL certificate also helps in SEO and makes your website rank higher in searches, as they’re perceived to be more secure than HTTP websites.

Question 23

Types of TLS/SSL Certificate

Accepted Answer

There are two classifications of TLS/SSL certificates:- 1. Based on the number of domains or subdomains to support, 2. Based on the level of assurance needed

Question 24

Self-signed Certificates

Accepted Answer

Other than TLS/SSL certificates signed by a CA, there’s also something called self-signed certificates. These certificates are signed by the owner of the server themselves. Though they offer the same level of encryption as a CA-issued certificate, they are usually not trusted by clients which are configured to recognize only certificates issued by a known CA. In case a connection does get established between a self-signed certificate server and the browser, the owner of the server remains anonymous. Self-signed certificates can be created by hijackers as well.

Question 25

What is Certificate Management?

Accepted Answer

Certificate Management is the process of managing digital certificates and their associated keys. An enterprise can have hundreds of thousands of certificates installed across multiple devices in its network – servers, clients, firewalls, Application Delivery Controllers, etc. They can be of many types (TLS/SSL certificate, code signing certificate, client certificate), many kinds (OV, EV, etc.), and sourced from varied vendors. Since certificates are inherent in enforcing network security, managing them diligently is vital. “Managing” here means monitoring certificates right from when they’re requested through their lifecycle–issuance, provisioning, renewal, and revocation–and taking necessary actions along each step.

Question 26

Stages in Certificate Lifecycle

Accepted Answer

Like passwords and keys, certificates also go through a cycle. They’re created, provisioned into the infrastructure, and have a finite validity period after which they expire. The stages involved in a TLS/SSL certificate’s lifecycle are: 1.Certificate Request, 2.Certificate Issuance, 3.Certificate Provisioning, 4.Certificate Scanning, 5.Certificate Revocation/Renewal

Question 27

What is a CA?

Accepted Answer

CAs are trusted entities that issue digital certificates. The CA signs the certificates, and the signature is verified by a client before establishing a connection with the organization’s server. CAs are tasked with seeing the domain control verification (DCV) process through and verifying that the public key that the certificate is issued for really belongs to the subject that requests it. CAs are an integral part of the PKI and help in keeping the internet secure and transparent.

Question 28

What is a Public CA?

Accepted Answer

A public CA is a third-party entity that issues certificates for a fee after doing the necessary checks on the organization requesting a certificate. The checks by default include domain validation, and Third-party CAs have their own public-private key pairs with which they sign the certificates. Most of the well-known CAs are recognized by servers and clients; therefore, certificates signed by them are immediately validated by the entity initiating a secure connection. Publicly-signed certificates offer a higher level of assurance since they are issued by a recognized CA, and are generally used for securing websites and other endpoints involving direct user interaction.

Question 29

What is a Private CA?

Accepted Answer

When an organization creates its own local CA without going for an external one, it’s called a private CA. In this case, the certificates are signed with the private key of the organization’s root certificate(the foremost certificate created to sign other certificates). Private CAs can be created to issue certificates for an organization’s internal network where discretion is required, and only a select group of users are involved. They may include VPNs, sensitive databases, secure mail servers, etc. In general private CAs can be employed in cases where the general public or a wide audience aren’t the target users.

Question 30

What is Certificate Scanning?

Accepted Answer

Scanning involves discovering all the certificates that are installed across various endpoints in your network. Every scan records the key details of certificates like their location, health, type, days to expiry, their position in the chain of trust, etc. They provide insights into the security map of the network infrastructure, and help detect major flaws. Most certificate scanning platforms are vendor-agnostic, and also support networks that span multiple geographies.

Question 31

What is the Purpose of Certificate Scanning?

Accepted Answer

Certificates play a major role in fostering network security, and it’s imperative to ensure they’re up and running fine. A network is made up of interconnected points, so even if a single certificate installed in one device expires, the entire security infrastructure breaks down; previously private communications are no longer encrypted, and hackers have a field day accessing your organization’s and your clients’ most confidential information. Some of the most devastating network outages and data breaches in the world, like those of LinkedIn and Equifax, have been caused by a lone certificate that expired unknown to the organization.

Question 32

Why do I need Software to Scan Certificates? Can’t I do it manually?

Accepted Answer

When you scan certificates manually, you are likely to be storing the details of your keys and certificates along with their expiry dates in spreadsheets, and track them from time to time. You could even configure an alert to be triggered when a certificate is about to expire. However, storing your private keys in a spreadsheet is a hazard in itself, as spreadsheets are quite easy to break into. Hackers who get access to your private keys could break into your servers, control and manipulate all the private transactions that happen in your organization’s network, and steal your data.

Question 33

What is X.509 Standard?

Accepted Answer

X.509 is a standard defining the format of public-key certificates. X.509 certificates are used in many Internet protocols, including TLS/SSL, which is the basis for HTTPS, the secure protocol for browsing the web. They are also used in offline applications, like electronic signatures. An X.509 (also called digital) certificate contains a public key and an identity (a hostname, or an organization, or an individual), and is either signed by a certificate authority or self-signed. When a certificate is signed by a trusted certificate authority, or validated by other means, someone holding that certificate can rely on the public key it contains to establish secure communications with another party, or validate documents digitally signed by the corresponding private key.

Question 34

What is FIPS?

Accepted Answer

FIPS (Federal Information Processing Standards) are publicly announced standards developed by the United States Federal Government for use in computer systems by non-military government agencies and government contractors.* They’ve been developed to ensure computer security and interoperability.

Question 35

What is SHA, and what are SHA-1 and SHA-2?

Accepted Answer

SHA is the acronym for Secure Hash Algorithm, used for hashing data and certificate files. Every piece of data produces a unique hash that is thoroughly non-duplicable by any other piece of data. The resulting digital signature is unique too as it depends on the hash that’s generated out of the data. For the course of the actual communication, symmetric cryptography is used, where the same key that hashes or encrypts data is used to decrypt it.

Question 36

What is PCI DSS?

Accepted Answer

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. It was drawn up by a consortium of major card payment players like Visa, MasterCard, American Express, Discover Financial Services, and JCB, who are also its board members.

Question 37

What is CSR

Accepted Answer

CSR (Certificate Signing Request) is the message that’s sent to the CA in order to get a digital certificate created. A CSR is often generated on the same server on which the certificate is to be installed. Before creating a CSR, the applicant must first generate a public-private key pair. The public key is included in the CSR and is used by the CA to create the certificate while the private key (to be kept private again) is used to sign the information contained in the CSR.

Question 38

What are the Steps Involved in Verification?

Accepted Answer

After the CSR is generated and sent to the CA, the CA conducts a verification process before issuing the certificate. The steps involved in verification depends on the type of certificate requested.

Question 39

What is a Certificate Chain?

Accepted Answer

Certificate chain (or Chain of Trust) is made up of a list of certificates that start from a server’s certificate and terminate with the root certificate. If your server’s certificate is to be trusted, its signature has to be traceable back to its root CA. In the certificate chain, every certificate is signed by the entity that is identified by the next certified along the chain.

Question 40

Links in the Certificate Chain

Accepted Answer

Root CA: Root CAs (called “trust anchors” in X.509 terminology) hold the highest position in the trust tree and are recognized by all clients (browser/OS) at all levels. Root CAs are responsible for identifying intermediate CAs and verifying their trustworthiness. The root CA uses its certificate’s private key to sign the certificates of the intermediate CAs (or, in the case of unchained certificates, the server certificate) under it. The trustworthiness of the root CA is thus “passed down” to the intermediate CAs; any CA that is validated by the root CA is automatically trusted by its clients. Intermediate CA: The intermediate CA is the “middle-man” between the root and server certificates. The intermediate CA certificates are either signed by the root CA, or by another intermediate CA certificate signed by a root CA. The intermediate certificate, in turn, signs the server certificate. There is often one, or more, intermediate CA certificate in a chain. For the server certificate to be compatible with all its clients, the intermediate certificate has to be installed on the server. If not, it might prevent some browsers, mobile devices, applications, etc. from trusting the server certificate. Server Certificate: This is the certificate that’s publicly issued server to specific domains that the user needs authorization for. The server certificates are signed by the intermediate CA, and can be traced back to the root CA. When the Chain of Trust is verified, the client makes a secure connection with the server.

Question 41

How do I Download my Certificate Files?

Accepted Answer

Once the certificates are issued, they will be available for download from the owner’s account with the CA. Sometimes, the CA will send a link to the account holder or any other authorized person from which the certificate files can be downloaded.

Question 42

Can I install the same TLS/SSL Certificate on Multiple Servers?

Accepted Answer

It depends on the CA and the certificate license. To install the same certificate on multiple servers, first install the certificate files to the server where the CSR was originally generated. Then import the files (along with the private key) to the respective servers. This way, your servers will each have a copy of the certificate with its private key installed on it. Since this process involves copying the private key into the servers, it has to be done very carefully in a way the private key is not exposed. The key can be copied through SSH commands, or it may be packed with the certificate into a PKCS#12 archive (aka “PFX file”) with password-based encryption: this will give decent protection for the key while it transits between the two servers if the password is random enough.

Question 43

What is the Maximum Validity Period of TLS/SSL Certificates?

Accepted Answer

The maximum validity period of TLS/SSL certificates is currently at 825 days (2 years, 3 month, and 5 days). The validity period was sheared from 10 years down to 5 years, and finally to 2 years, owing to the security concerns associated with protracted validity periods. An organization may undergo many changes over the course of 5 or 10 years–mergers and acquisitions, management shuffles, or employees leaving. In such a scenario, domain names are subject to change, and so are certificate ownerships. If a certificate that has a 5-year validity were deployed for the old domain name, it has to be revoked, and a new CSR has to be raised for the new domain. Sometimes, organizations may forget to revoke old certificates. The website may now have a different domain, but the old domain would still be valid because its certificate is still active. Hackers could use those domains to create their own websites that look like they belong to the organization. They can get unsuspecting people to visit those websites and surrender their data, which would go straight to the hackers’ systems.

Question 44

Do I have to Generate a new CSR to get my Certificate Renewed?

Accepted Answer

It is recommended that you generate a CSR each time you renew your old certificates. Though some web servers may allow you to use the old CSR, generating a new one takes care of incorporating new encryption methods and hashing algorithms into the new certificates.

Question 45

When is Certificate Revocation and when should I do it?

Accepted Answer

Certificate revocation is the act of invalidating a TLS/SSL before its scheduled expiration date. A certificate should be revoked immediately when its private key shows signs of being compromised. It should also be revoked when the domain for which it was issued is no longer operational.

Question 46

Buying a TLS/SSL certificate from a CA

Accepted Answer

You can go to the website of your preferred CA and choose a certificate that best suits your needs from the options listed. The next step would be to generate a CSR. Once that’s submitted, the CA will contact the owners of the domains that the certificate has been requested for and take the necessary verification steps.

Question 47

Why are IoT Devices Considered more threat-prone than Conventional Electronic Devices?

Accepted Answer

IoT devices aren’t like conventional electronic devices, say laptops and smartphones that have built-in security functions. IoT devices are of myriad types and may use many different, non-standard software and vendor-oriented technologies that make implementing security measures in them challenging. Some devices might transmit data in its unencrypted form, making it easy for hackers to launch their attacks.

Question 48

What are the Key Security Requirements for IoT?

Accepted Answer

The key security requirements of IoT are: 1.Ensuring the confidentiality and integrity of data traveling between connected devices – to make sure that data is not tampered with while it’s in transit between devices. 2.Providing each device a verifiable identity – through digital certificates and signatures. 3.Meeting industry-specific compliance requirements – to make sure the IoT devices meet the regulations laid down by each industry it’s used in.

Question 49

What are the Advantages of Introducing a PKI to IoT Devices?

Accepted Answer

PKI (Public Key Infrastructure) offers a one-size-fits-all solution for all IoT devices, however unique they are. It employs X.509 digital certificates to identify devices, authenticate them, and encrypt data that flows between them. It removes the need for passwords and protracted authorization checks – devices can just identify each other with their public key and start exchanging data.

Question 50

How can I manage PKIs for IoT?

Accepted Answer

Digital certificates do not ensure security by themselves — their efficacy depends on how well they’re managed. In-house PKI management is not a viable option for IoT devices owing to their sheer number. A factory could easily be using thousands of IoT devices, and managing their certificates in-house levies an unnecessary strain on resources. Moreover, even one expired or compromised certificate left neglected can wreak havoc on the whole network, leading to outages and potentially hidden rampant attacks.

Federal BOD 19-02: Certificate outages are now federally-recognized threats!

Sprinting towards compliance : What’s the BOD all about?

Not just for the bureaucracy

The solution: Certificate Lifecycle Management

About the Author

Allan Roy

Want more great content?

Related Articles

Social Networks

Request a Demo