Certificate Lifecycle Management: a Best Practices Checklist

X.509 certificates and their keys are critical to application security, but in today’s business environment, busy IT professionals don’t have the bandwidth to manage them efficiently. This is where our PKI resolutions cheat sheet comes in handy. In this sheet, we give you the “8 things” you need to focus on to keep unauthorized users at bay. Make sure you revisit them on a daily basis.

I Will Document and Report the Usage of Every Certificate

The hardest part of mitigating a certificate-related issue is often not identifying the certificate but locating it in time. When certificates are distributed across multi-cloud, heterogeneous environments, it is necessary to diligently capture information such as locations, owners, associated applications, expiry dates and signatures. Not just capture it, but also send periodic reports on the state and status of each certificate to its respective stakeholders.
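As an added example (not code from the article or from AppViewX), the POSIX shell script below walks a directory of PEM certificates and emits one report line per certificate with the fields the paragraph lists: location, subject (owner), issuer, expiry date, signature algorithm, and whether it expires within a configurable window. It assumes the openssl command-line tool is installed; the directory layout and the .pem/.crt extensions are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original article.
# Assumes the openssl CLI is on PATH; file extensions and paths are assumptions.
set -eu

# cert_report DIR [DAYS]
# Prints a CSV inventory of every certificate under DIR and flags those that
# expire within DAYS days (default 30). Files that are not certificates
# (private keys, CSRs) are skipped.
cert_report() {
    dir="$1"
    days="${2:-30}"
    secs=$((days * 86400))
    printf 'path,subject,issuer,not_after,signature,expires_within_%sd\n' "$days"
    find "$dir" -type f \( -name '*.pem' -o -name '*.crt' \) | sort | while read -r f; do
        # Skip anything openssl cannot parse as an X.509 certificate.
        openssl x509 -in "$f" -noout >/dev/null 2>&1 || continue
        subject=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject=//')
        issuer=$(openssl x509 -in "$f" -noout -issuer | sed 's/^issuer=//')
        not_after=$(openssl x509 -in "$f" -noout -enddate | sed 's/^notAfter=//')
        # First "Signature Algorithm" line in the text dump is the one in the TBS certificate.
        sigalg=$(openssl x509 -in "$f" -noout -text | awk '/Signature Algorithm/ {print $3; exit}')
        # -checkend exits 0 when the certificate will still be valid SECS seconds from now.
        if openssl x509 -in "$f" -noout -checkend "$secs" >/dev/null 2>&1; then
            soon=no
        else
            soon=yes
        fi
        printf '%s,"%s","%s","%s",%s,%s\n' "$f" "$subject" "$issuer" "$not_after" "$sigalg" "$soon"
    done
}

# Usage: cert_report /etc/ssl/inventory 30 > report.csv
```

The `expires_within_Nd` column is what a renewal report is built on: run the script from cron and mail the `yes` rows to the owners recorded in your inventory.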

I Will use Secure “EVERYTHING”

A PKI is only as strong as its underlying foundation. This foundation is made up of server protocols (TLS v1.2, v1.3), encryption algorithms (RSA, ECDSA), key lengths (2048-bit) and hash functions (SHA-2). From Chrome 72, Google is officially deprecating support for TLS v1.0 and v1.1. To avoid potential issues in the future, it is best to enable TLS v1.3 (which also protects against protocol downgrade attacks) and to use an RSA 2048-bit key with a SHA-2 hash for your SSL/TLS implementation (though there’s still debate about whether it’s time to switch to ECDSA).

I Will Protect my Private Keys

When malicious actors obtain a private key, they can impersonate the enterprise’s servers and compromise valuable data. Whether in storage or in transit, do not leave critical keys lying in your logs, and especially not in email or chat. It is best to use a central key escrow such as an encrypted software vault or an HSM for maximum protection. Restrict human access to these keys and always use secure protocols to push them where necessary.
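Two checks that follow from this section, written as an added example (not code from the article or from AppViewX): one scans a directory tree such as application logs or exported chat transcripts for PEM private-key markers, the other verifies that a key file on disk is readable only by its owner. The paths are assumptions, and the permission check relies on GNU `stat` (Linux).

```shell
#!/bin/sh
# Added example, not part of the original article.
# Assumes GNU coreutils (stat -c) and grep -r; all paths are assumptions.
set -eu

# find_leaked_keys DIR
# Lists files under DIR that contain PEM private-key material. Logs, ticket
# exports and chat dumps are the usual places keys end up by accident.
find_leaked_keys() {
    grep -rlE -e '-----BEGIN (RSA |EC |ENCRYPTED )?PRIVATE KEY-----' "$1" 2>/dev/null || true
}

# check_key_perms KEYFILE
# Returns 0 when the key is readable only by its owner (mode 0600 or 0400),
# otherwise prints the offending mode and returns 1.
check_key_perms() {
    mode=$(stat -c '%a' "$1")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "FAIL: $1 has mode $mode (expected 600 or 400)"; return 1 ;;
    esac
}

# Usage:
#   find_leaked_keys /var/log
#   check_key_perms /etc/ssl/private/server.key
```

Both are cheap enough to run from a nightly job; a non-empty result from the first, or a non-zero exit from the second, is an incident to rotate the key for, not just a finding to file.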

I Will Not Use Self-signed or Long-Validity Certificates

In most enterprises, requesting a certificate and servicing it is still a pain, so in the interest of time, teams end up generating SSL/TLS certificates on their own (rather than from a reliable CA), usually with longer validity periods to avoid frequent renewals. This is where the issue begins: such certificates are often poorly documented, and in the event of a deprecation (such as SHA-1) they tend to be missed during migration and can cause unnecessary outages.
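The “Secure EVERYTHING” and self-signed/long-validity resolutions above amount to a policy a certificate can be checked against. As an added example (not code from the article or from AppViewX), the shell function below inspects one certificate with openssl and reports every violation: key algorithm and size (RSA below 2048 bits fails), signature hash (anything other than SHA-2 fails), issuer equal to subject (self-signed), and a validity period longer than a maximum. The article gives no number for the maximum; the default of 398 days is an assumption taken from the current public CA limit. It assumes the openssl CLI and GNU `date -d`.

```shell
#!/bin/sh
# Added example, not part of the original article.
# Assumes the openssl CLI and GNU date; the 398-day default is an assumption.
set -eu

# check_cert_policy CERT.pem [MAX_DAYS]
# Prints each policy violation and returns 1 if any was found, 0 otherwise.
check_cert_policy() {
    cert="$1"
    max_days="${2:-398}"
    rc=0
    text=$(openssl x509 -in "$cert" -noout -text)

    # Key type and size, from lines like
    #   "Public Key Algorithm: rsaEncryption" / "Public-Key: (2048 bit)"
    key_alg=$(printf '%s\n' "$text" | awk -F': ' '/Public Key Algorithm/ {print $2; exit}')
    key_bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n1)
    case "$key_alg" in
        rsaEncryption)
            [ "$key_bits" -ge 2048 ] || { echo "FAIL: RSA key only $key_bits bits (need >= 2048)"; rc=1; } ;;
        id-ecPublicKey)
            [ "$key_bits" -ge 256 ] || { echo "FAIL: EC key only $key_bits bits (need >= 256)"; rc=1; } ;;
        *)
            echo "FAIL: unexpected key algorithm $key_alg"; rc=1 ;;
    esac

    # Signature hash: SHA-2 family only (rejects sha1WithRSAEncryption, md5, ...).
    sig_alg=$(printf '%s\n' "$text" | awk '/Signature Algorithm/ {print $3; exit}')
    case "$sig_alg" in
        sha256*|sha384*|sha512*|ecdsa-with-SHA256|ecdsa-with-SHA384|ecdsa-with-SHA512) ;;
        *) echo "FAIL: weak signature algorithm $sig_alg (need SHA-2)"; rc=1 ;;
    esac

    # Self-signed: issuer name equals subject name.
    subject=$(openssl x509 -in "$cert" -noout -subject | sed 's/^subject=//')
    issuer=$(openssl x509 -in "$cert" -noout -issuer | sed 's/^issuer=//')
    if [ "$subject" = "$issuer" ]; then
        echo "FAIL: self-signed (issuer equals subject)"; rc=1
    fi

    # Validity period in days, from notBefore/notAfter.
    not_before=$(openssl x509 -in "$cert" -noout -startdate | sed 's/^notBefore=//')
    not_after=$(openssl x509 -in "$cert" -noout -enddate | sed 's/^notAfter=//')
    days=$(( ( $(date -d "$not_after" +%s) - $(date -d "$not_before" +%s) ) / 86400 ))
    if [ "$days" -gt "$max_days" ]; then
        echo "FAIL: validity $days days exceeds $max_days"; rc=1
    fi

    return $rc
}

# Usage: check_cert_policy /etc/ssl/certs/app.pem && echo "compliant"
```

Run it over the same inventory the report script produces, and the self-signed and over-long certificates that cause the migration surprises described above show up before the next deprecation does.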

I Will Make It Easy for DevOps to Request Certificates

Agility has become the primary focus of most enterprises. This focus has inadvertently made it harder for teams to incorporate critical security measures, such as a well-documented, policy-based, compliant certificate infrastructure for their applications, into their DevOps tools. This opens the way to shortcuts and non-compliant certificates. You therefore need to make it easier and quicker for your DevOps teams to request and provision new certificates, perhaps by introducing a self-service portal.

I Will Traverse CT Logs

The Certificate Transparency (CT) program maintains a log of all SSL/TLS certificates ever issued, opening it up to the scrutiny of domain owners (like you), certificate authorities and domain users. This CT program was precisely how the Google Chrome team was able to identify the mis-issuance of over 30,000 certificates by Symantec, for which the CA responsible lost its place in the trusted Certificate Authority Program. It is important that you go through these logs periodically and identify mis-issued certificates for your domain.

I Will Use a CAA Record

Any Certificate Authority (CA) that is publicly trusted by a browser’s root certificate program can, in theory, issue a valid SSL/TLS certificate for your domain. If you wish to whitelist only specific CAs, Certificate Authority Authorization (CAA) lets you publish an exclusive list of CAs permitted to issue your SSL/TLS certificates. This prevents unauthorized CAs from issuing otherwise valid certificates for your domain. We have a dedicated guide that can help you create and manage these records efficiently.
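To make the CAA semantics concrete, here is an added example (not code from the article or from AppViewX) that evaluates a constructed set of CAA records the way a CA must before issuing: `issue` records govern ordinary names, `issuewild` records take over for wildcard names when any are present, a value of `";"` permits no CA at all, and a name with no relevant records is unrestricted. The domain and records are constructed for illustration; the single-zone evaluation is a simplification, since a CA also climbs to parent domains when a name has no CAA records of its own.

```shell
#!/bin/sh
# Added example, not part of the original article.
# The records below are constructed for illustration, not a real domain's data.
set -eu

# Constructed CAA record set in zone-file syntax.
CAA_RECORDS='example.test. IN CAA 0 issue "letsencrypt.org"
example.test. IN CAA 0 issue "digicert.com; account=123"
example.test. IN CAA 0 issuewild ";"
example.test. IN CAA 0 iodef "mailto:pki@example.test"'

# caa_allows RECORDS CA_DOMAIN [WILDCARD]
# Returns 0 if CA_DOMAIN may issue for the name described by RECORDS.
# WILDCARD=1 asks about a wildcard name (e.g. *.example.test).
caa_allows() {
    records="$1"
    ca="$2"
    wild="${3:-0}"
    tag=issue
    # For wildcard names, issuewild records replace issue records when present.
    if [ "$wild" = 1 ] && printf '%s\n' "$records" | grep -q ' issuewild '; then
        tag=issuewild
    fi
    # Field 5 is the tag, field 6 the start of the quoted value.
    relevant=$(printf '%s\n' "$records" | awk -v tag="$tag" '$3=="CAA" && $5==tag {print $6}')
    # No relevant records: CAA does not restrict issuance for this name.
    [ -n "$relevant" ] || return 0
    # Strip quotes and any ";param=value" suffix, then look for an exact match.
    # A bare ";" becomes an empty line and therefore matches no CA.
    printf '%s\n' "$relevant" \
        | sed -e 's/^"//' -e 's/"$//' -e 's/;.*//' -e 's/[[:space:]]*$//' \
        | grep -qxF "$ca"
}

# Usage: caa_allows "$CAA_RECORDS" letsencrypt.org 0 && echo "issuance permitted"
```

With this record set, the two listed CAs can issue ordinary certificates, nobody can issue a wildcard certificate, and a CA that is not listed is refused; that last case is what an unauthorized issuance would run into.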

I Will Plan to Automate My Certificate Management

Gartner estimates that somewhere between 70% and 99% of data breaches today are caused by internal misconfigurations. This is primarily due to the amount of manual work involved in setting up and managing certain systems, such as a PKI infrastructure (the Equifax breach?). With increasingly complex certificate infrastructures and an equally widening skills gap, low-code automation is going to transform and secure your digital transformation for the future. With minimal training, anyone can translate their complex business use-cases into easy-to-use automation workflows that orchestrate their entire PKI.


About AppViewX CERT+

CERT+ helps enterprise IT manage and automate the entire lifecycle of their internal and external PKI. CERT+ provides extensive visibility into the multi-vendor certificate and encryption key infrastructure which helps protect the enterprise from threats to the business. Application, network, and security engineers may self-service and initiate automation workflows that deliver compliance and true business agility.
