X.509 certificates are digital certificates that use the X.509 public key infrastructure (PKI) specification to derive private and public key pairs for various applications. They’re used by web-application systems, and mobile and IoT devices for authentication and encryption purposes. The most common application of this specification is SSL/TLS certificates and are used to authenticate the identity of the web-application owner as well as secure communication between the application and the end-user online. Accepted by operating systems and browsers worldwide, these certificates represent the foundation of trust online.
Since 2017, the industry has seen a 37% increase in SSL/TLS certificates and by the end of 2018, a projected 80% of all web pages loaded in Google Chrome will use. 1 Most enterprises now manage close to hundreds – or even thousands – of certificates on a regular basis in their network infrastructure. Given their finite lifespans, it is crucial that these certificates be monitored, tracked and renewed on-time to avoid expensive application outages. However, the maintenance required isn’t the only challenge posed by the growing number of certificates – security is also a significant concern. The trust that they represent can be misused by cybercriminals for phishing, making them a potential target for theft. Thus, bringing in the need for efficiently managing these SSL/TLS certificates and their keys. Not just SSL/TLS certificates, but managing certificates that involve people, devices, and IoT systems while also taking into account an enterprises’ certificate volumes and issuance velocity.
The major problem plaguing certificate management teams worldwide is the lack of the right information at the right time. Whether it be poor visibility of expiring/vulnerable certificates, or the inability to locate those certificates on-time, such crucial information is often improperly documented when manual or homegrown management methods come into play, leaving ample room for expensive certificate-related issues. And, the risks aren’t limited to non-compliant and undocumented certificates. They also extend to human errors that can cause misconfigurations, especially when teams take shortcuts to compensate for time-consuming business workflows.
“By 2020, enterprises that use dedicated X.509 certificate management tools will suffer 70% fewer certificate-related issues and only half the time managing these issues as compared to enterprises using spreadsheet-based management methods.” – Gartner
While there are many tools on the market today, some are more effective than others for your unique infrastructure. It is critical that teams take a hard look at the specific capabilities they need to evaluate before purchasing.
Discovery – The hardest part of mitigating a certificate-related issue is not identifying the certificate, but it is often locating it on-time. Similar to any application, a certificate too does not reside on a single device. It is distributed across load balancers, firewalls, web servers, containers and multi-cloud environments. You need a tool that can discover certificates across all devices in the infrastructure, regardless of the Certificate Authority or device type, to build an inventory automatically. Information such as locations, associated applications, expiry date, signatures, etc. should also be automatically captured. And, users need the ability to schedule periodic discoveries to keep inventory updated with new information on undocumented and rogue certificates.
Ownership – The second most common reason for a certificate-related issue (after tracking and locating the certificate) is identifying the certificate owner. Often times, renewal requests get buried among other services inquires in an owner’s inbox, leading to an inevitable (and unnecessary) outage. Properly assigning certificate owners and escalations, designing an approval workflow, and creating a simplified certificate enrollment process is crucial to successfully implementing a standardized certificate management system. The tool must easily integrate with your existing solutions and replicate your unique business processes, while also allowing your teams to self-service certificate requests and automate certificate enrollment.
Validation – Rogue, non-compliant certificates pose a serious threat to an enterprise’s security posture. Most often, these certificates find their way into an infrastructure through two primary avenues – uncontrolled certificate procurement and insufficient policy enforcement. Users must have the ability to continuously validate certificates against known vulnerabilities and flag non-compliant certificates. The tool should have the ability to not only define your business policies in the form of approved Certificate Authorities, encryption algorithms, hashes and people – it must also enforce, validate and report on them, in time, to mitigate non-compliant certificates.
Life Cycle Management – Application portfolios now include emerging technologies such as IoT and containers in a quest to deliver exceptional digital experiences. But, at the center of any digital experience lies availability and digital trust – both of which in some way require proper certificate lifecycle management. There are two primary entities involved in certificate management – 1) the Certificate Authority (CA), and 2) the End-device. An effective management tool must easily integrate with both your approved CAs and the end-devices to truly simplify certificate enrollment and provisioning. Any lifecycle action such as issuing, renewing, revoking, regenerating, reissuing and deleting must be supported out-of-box for any CA/device and should also see minimal human intervention to avoid misconfigurations.
DevOps Integration – Digital transformation has changed the way applications get packaged and delivered to customers. From using multi-cloud heterogeneous environments for delivering applications to using rapid CI/CD environments for packaging them, agility has become the primary focus for most enterprises. This focus has inadvertently created challenges for teams to incorporate critical security measures, such as implementing a well-documented, policy-based, compliant certificate infrastructure for their applications, within their DevOps tools, which makes way for shortcuts and non-compliant certificates. Thus, it is paramount that the certificate management tool can integrate with your existing DevOps tools and simplify the certificate enrollment process. This means not only issuing a new certificate, but also automatically provisioning them to the necessary applications.
Auditing and Reporting – Certificates and their keys are important to maintain the sanctity of an enterprise’s digital trust. Any access to them, human or device, must be regulated and audited. Any tool that you choose must provide your team with role-based access to your certificates and should also granularly limit the operations that each role can perform on a particular certificate or device. All changes with respect to a certificate and device should be audited by the tool, and any critical events must be automatically reported back to the respective teams. Apart from this, the tool should also send periodic reports on the expiry and compliance status of your certificates to respective certificate owners.
Crypto-agility – Cryptographic agility refers to the ability of an IT infrastructure to evolve and adopt alternatives to their current cryptographic primitive quickly. The most common example of this can be the migration to SHA-2. In addition to this, a CA compromise or deprecation can also push enterprises to move to a more secure and trusted PKI. In such cases, improper documentation of all certificates in the infrastructure can cause an incomplete transition to a trusted PKI, causing browser issues and temporary application unavailability. That’s why a representative tool must not only successfully discover and map deprecated certificates, but also automatically replace, provision, validate and finally report the migration status to the respective teams.
The AppViewX Solution
The AppViewX Platform helps enterprise IT manage and automate the entire lifecycle of their internal and external PKI. Our Certificate Lifecycle Automation solution provides extensive visibility into the certificate and encryption key infrastructure which helps protect the enterprise from threats to the business. Application, network, and security engineers may self-service and initiate automation workflows that deliver compliance and true business agility.
Rogue, unknown and unmanaged certificates often lead to unplanned application outages, and can also serve as easy targets for cybercriminals. The AppViewX platform enables on-demand discovery of certificates from servers, clients, and ADC devices through a variety of modes, such as IPs, subnets, URLs and managed device (ADC) logins. The discovered certificates are then automatically converted into an inventory with the required information attached. You can schedule these discoveries at your convenience or choose a midnight sync option to keep your inventory updated each day.
To minimize human access to critical private keys, you can choose between a FIPS-compliant, AES 256 encrypted key-store or an industry-standard HSM for their storage. Properly documenting every certificate is the first step to preventing expensive certificate-related issues, and our Certificate Lifecycle Automation solution’s auto-discovery helps you do just that.
When multiple stakeholders are involved, lackluster collaboration and improper ownership mapping can spoil any attempt to prevent certificate issues. The threat of expiring certificates aside, weak certificates and unregulated access can also compromise the security of your application infrastructure. The AppViewX platform helps you administer policies – such as recommended cryptographic techniques, CAs, and workflows – consistently across the infrastructure to validate and eliminate non-compliant certificates. You can also delegate access, design requestor/approver workflows and apply granular visibility to individual certificates or certificate groups to enable efficient management. The platform’s integration with external directory systems like AD, LDAP, and RADIUS makes it even easier to assign access to appropriate stakeholders, improving operational efficiency and cross-team collaboration.
Certificate Lifecycle Management
Not every certificate in your inventory requires active management. Some may only need to be monitored. To cater to these requirements, the AppViewX platform offers two inventory tracking modes – Manage and Monitor. Monitor mode allows you to view reports and receive alerts on the expiry status and validity of certificates. While in Manage mode, you can perform a variety of certificate lifecycle actions, such as pushing, revoking, renewing, etc., in addition to the alerting and reporting capabilities of the Monitor mode. If you wish to renew expiring certificates manually, you can choose the people who should be notified under both modes, or you can choose to renew certificates automatically.
Our Certificate Lifecycle Automation solution can also represent necessary certificate-related information graphically, in one holistic view. This view provides you with the certificate’s chain of trust and all connected devices with intuitive single-click actions that trigger all lifecycle automation workflows (like renewing and pushing). Your teams can use our built-in, low-code automation workflows to self-service certificate requests. These workflows can be customized to meet your unique business requirements and also integrated with popular ITSM systems to enhance the workflow experience. For example, during a renewal workflow, the platform automatically connects with the appropriate CA to issue a new certificate and pushes it to the required devices with minimum human intervention. This ensures the new certificate is received well before expiry, which is crucial to preventing unplanned outages. There are similar pre-built workflows to help you automate the identification, migration and validation of certificates during a deprecation.
Agility has become critical to surviving in an application-centric world, but not at the cost of skimping on standard certificate enrollment measures. The AppViewX platform integrates with leading DevOps tools like Ansible, Terraform, Chef and Puppet to simplify and quicken certificate enrollments while also ensuring strict policy compliance. The newly issued certificates can be automatically pushed and associated with necessary SSL profiles on end-servers, wherever they may reside. You can also enable DevOps teams to generate internal certificates for your test applications and use the built-in CA switch functionality to migrate to trusted external certificates before going live. This allows our Certificate Lifecycle Automation solution to ensure standardized, policy-based certificate provisioning across all end-points.
Auditing and Reporting
Unauthorized actions on critical certificates can expose your enterprise to security vulnerabilities. The AppViewX platform helps you track and audit every single event related to a certificate’s management in its audit logs to prevent unauthorized actions. And to enhance reporting capabilities, the centralized dashboard helps you gain necessary insights like Certificate Expiry by Month, Certificate Expiry by Certificate Authority, Certificate Compliance, etc. to manage your certificate infrastructure efficiently. This dashboard is dynamic and can be customized based on the data most important to you. The information on the dashboard can also be converted into reports and can be sent to anyone as frequently as you choose, automatically.
The number of certificates in your infrastructure is growing with no signs of slowing down. An expiry or any certificate-related issue will not only cause an application outage but also has the potential to cripple your trust-based systems, which may even include your crucial intrusion prevention system that prevents breaches. It is recommended you re-evaluate your current certificate management methods with our checklist above and invest in a dedicated certificate management tool that can truly adapt to your unique business requirements. For more information on our Certificate Lifecycle Automation solution, please visit https://www.appviewx.com/solutions/certificate-lifecycle-automation/.