Why do you need to manage your digital certificates efficiently?
Yahoo!, MySpace, Target, LinkedIn, Dropbox, and Sony all have something in common. They lost millions of user accounts to hackers. The core of all these attacks was weak cryptographic controls. An enterprise is only as strong as its weakest link, so security leaders need to be on top of their enterprise’s cybersecurity. Digital certificates protect access to your devices and applications. Any lapse in their management can bring your organization a loss of reputation, revenue, productivity, and even customers. You can avoid these problems and ensure that your digital certificates are not your weakest link by following our recommendations below.
1. Gain visibility into your entire certificate infrastructure
Visibility is paramount for efficient certificate management. Search your environment for certificates regularly and make sure all the certificates that are discovered are being maintained in an inventory. The inventory must contain necessary information on the certificate type, expiration date, root/intermediate certificate, and deployment. Monitor the validity of each certificate (root, intermediate, and end user) in your certificate chain to establish a chain of trust. The possibility that one SSL certificate can potentially expire before others can corrupt the entire chain. Track the expiration dates of your certificates judiciously and renew certificates at least 30 days in advance. After renewal, verify that the expired certificate is not active and is removed from the system.
2. Remove unused, unknown, and rogue certificates
Unused certificates are those that have been bought to secure an application or a device but not deployed. However, unknown certificates are undocumented certificates which can become rogue when issued by rogue intermediate CAs with a legitimate root certificate. While building your inventory, if you come across any unused or unknown certificates, remove them immediately. Avoid problems with unused or unknown certificates by maintaining control over the certificate purchase process. For example, when your developers or DevOps need to procure certificates for internal testing, restrict the use of free SSL to decrease the likelihood of unknown certificates. Also, ensure that the person responsible for a particular certificate is always marked in the inventory.
3. Avoid using weak cryptographic techniques
Encryption techniques determine the security of your infrastructure. RSA, DSA, ECC, SHA1, SHA2, and MD5 are some of the commonly used techniques. It is important to replace all certificates that use encryption techniques that have a proven vulnerability. Some known vulnerabilities are SHA1, MD5, RC4, and 1024-bit or lesser RSA keys. Higher bit lengths demand higher computing power, so choose your encryption wisely. ECC offers smaller keys with higher security. Provide restricted access to your private keys within the organization and rotate it frequently. When obtaining self-signed certificates, limit the validity of each certificate to less than 1.5 years, since longer expiration dates give hackers enough time to exploit a certificate. Also, regularly check for out-of-compliance certificates against static certificate revocation lists (CRLs) or the dynamic Online Certificate Status Protocol (OCSP) and remove them.
4. Diversify digital certificate vendors
As the saying goes, don’t put all your eggs in one basket. Do not trust your security with a single vendor. When a vendor is compromised, you become vulnerable. Some vendors that offer certificates are Symantec, Comodo, DigiCert, GlobalSign, etc. Choose vendors and certificates that suit your business needs and budget. Try to purchase a unique certificate for each server and never share or copy certificates among your servers. Although wildcard certificates are convenient, it is better to avoid them for your domain as they are difficult to manage. If even one subdomain gets compromised, all subdomains protected by that certificate go down. Also, anyone can create a subdomain under your name and be protected by your certificate, which creates risks.
5. Establish secure SSL protocols when configuring servers
Although this is a step before certificate management, these configurations will help you take full advantage of your certificates. As you probably know, HTTPS is HTTP over a SSL/TLS protocol. There are various versions of these protocols. Some are weak and some are very secure. Common protocols in use are SSL v3.0, TLS v1.0, TLS v1.1, and TLS v1.2. Stop using SSL v3.0 immediately. Attackers can take advantage of a design flaw in SSL v3.0 and it is vulnerable to the POODLE attack. Client browsers always support the latest protocols but when a TLS negotiation to your server is unavailable, it will fall back to SSL v3.0. This is why it is important for your server to always supports the latest protocols. If your server needs to renegotiate a SSL connection, it is better to disable client-side renegotiation and save yourself from DDoS attacks.
6. Automate certificate lifecycle management
Digital certificates will proliferate as new business use cases arise. Manually managing these certificates on a spreadsheet can lead to mistakes and increase overhead. The solution is to use an automated certificate management utility to discover, issue, renew, revoke, and install certificates, and also to get notified on the certificates’ validity and expiration. Since you need to purchase certificates from multiple vendors, the tool should support multiple certificate authorities. It should also give you the agility to respond to new security vulnerabilities (such as Heartbleed) and easily perform migration activities (such as SHA1 to SHA2 migration). By investing in a certificate lifecycle automation tool now, you can reduce the overall complexity of your digital certificate infrastructure.
Businesses are facing pressures to encrypt traffic between the application and user. With increasing SSL applications and with Google ranking HTTPS websites better than standard websites, the number of digital certificates are going to proliferate. These certificates will be your last level of defense against hackers. Hence, it is important you leverage this guide to foolproof your digital certificate management. Take control of your certificates and do not let any malicious user conceal their exploit in your encrypted traffic.
To know about SSL certificate management solutions from AppViewX, please visit https://cert.appviewx.com.