How granular is your platform’s role-based access control (RBAC) system?

RBAC is an integral part of our low-code network automation platform. It allows users to specify the modules and functionalities that each member can access, while providing the necessary read/modify control for managing devices and other digital assets.

Can I migrate my certificates from a spreadsheet using your certificate lifecycle automation solution?

Yes, there is an option to upload your certificates using a spreadsheet. However, we recommend running a certificate discovery to track down undocumented SSL certificates as well.

How secure are my private keys when I implement your certificate lifecycle automation solution?

You have two choices – use our AES-256 encrypted database or use your HSM. Both ways ensure total security. We also integrate with leading password vaults for seamless device management.

How do you handle privileged access management with your certificate lifecycle automation solution?

If you need to elevate a user’s privilege on a device temporarily, specify the duration and initiate a request. When the time period you specified passes, the keys and any on-going sessions will be automatically terminated.

Which cloud vendors do your platform support?

It primarily depends on which solution you are using. However, we support AWS, Google Cloud, Microsoft Azure and OpenStack.

Can your certificate lifecycle automation solution manage certificates on web servers and app servers?

Yes. Not just web and app servers. Our certificate management solution allows users to easily manage and renew certificates across load balancer, firewall, container, and IoT and multi-cloud environments, thus helping maintain compliance and avoid downtime.

What is closed-loop automation?

In closed-loop automation, the system automatically performs certain tasks until the necessary intent is achieved. Our platform helps you automate time-consuming, repetitive tasks and is capable of verifying that intent has been achieved with minimal human intervention.

What do you mean by low-code automation?

Our entire platform is built on a low-code architecture. This enables you to quickly develop automation workflows and reports catering to your business needs with minimal effort. Additionally, any new feature requests will be supported faster owing to minimal coding requirements.

What are the application delivery vendors supported by AppViewX?

The AppViewX Platform is the industry’s first platform to manage, automate and orchestrate best-in-class and open-source application delivery services. It supports both traditional and non-traditional ADCs from leading vendors - A10 Networks, Akamai Technologies, Amazon Web Services (Elastic Load Balancers), Brocade, Cisco, Citrix, F5 Networks, HA Proxy, NGINX, Radware.

What is Public-key Cryptography?

Public-key cryptography, or asymmetric cryptography, is a network data encryption scheme that has two keys – public and private key – as its working parts. The encryption scheme is classified asymmetric since it uses non-identical key pairs for the process. In this scheme, the public key, which can be shared publicly across the network to forge a connection, is used for encryption, while the private key, which is the exclusive property of the owner and should be kept secret, is used for decryption. The essence of this scheme lies in that though the two keys are mathematically related, you cannot derive the private key from the public key. This means only the person to whom the message is intended, i.e. the one who possesses the private key, can decrypt the message. Public-key cryptography is employed to guarantee data integrity and to prevent hackers from breaking into in-transit data in networks.

What is Public Key Infrastructure (PKI)?

The PKI is a bundle of technologies, policies, and processes that facilitate the deployment of public-key cryptography in a network. The main purpose of a PKI is to ensure that all communication that takes place over a network (between a server and a client) is private and encrypted. It provides a framework for the implementation of data security techniques like encryption and digital signatures, and employs digital certificates to check the validity of various network endpoints. A digital certificate binds the public key to the entity it’s destined for, like a website or a service, and is a proof of an entity’s authenticity.

What are Public and Private Keys?

Public keys and private keys are the working parts of Public-key cryptography. Together, they encrypt and decrypt data that resides or moves in a network. The public key is truly public and can be shared widely while the private key should be known only to the owner. In order for a client to establish a secure connection with a server, it first checks the server’s digital certificate. Then, the client generates a session key that it encrypts with the server’s public key. The server decrypts this session key with its private key (that’s known only to the server), and the session key is used by the client-server duo to encrypt and decrypt messages in that session. In case of email communication, the sender’s private key signs the message while the recipient’s public key verifies the sender’s signature. This is why the private key should be kept secret– exposing it will pave the way for hackers to intercept and decrypt data and messages.

SSH (Secure Shell) keys provide remote access to devices, like servers and ADCs (Application Delivery Controller – a device placed between web/application servers and client machines to perform load balancing, rate shaping, SSL offloading, etc.), that make up the network infrastructure. They resemble passwords in that they grant controlled access–deciding who gets to do what. Similar to passwords, SSH keys also require policies, provisioning, and termination.

What is the Need for SSH keys Protection?

A typical Fortune 500 company has several million SSH keys that provide access to its network devices–an overwhelming number to manage. Protecting and managing SSH keys is of paramount importance because these keys provide access to some of the most critical of an organization, likeservers, databases, firewalls, payroll systems, etc. If they fall into the wrong hands, hackers could get their hands on the core network infrastructure, manipulate the critical devices, and either bring the network down or make away with sensitive organization and client data.

What are Hardware Security Modules (HSM)?

Hardware Security Modules (HSM) are tamper-proof physical devices that safeguard secret digital keys and help in strengthening asymmetric/symmetric key cryptography. They’re used in achieving high level of data security and trust when implementing PKI or SSH. HSMs provide an additional layer of security by storing the decryption keys separate from the encrypted data. This way, even when a breach occurs, data that’s encrypted doesn’t get exposed.

What are Digital Certificates?

Digital certificates are a proof of an endpoint’s authenticity, like a server or a user. For example, if a browser requests a website, how do we know that the page that’s returned to us is the genuine one? Digital certificates provide the stamp of genuineness by binding the public key with the entity (server or client) that owns it, provided the entity possesses the corresponding private key. Digital certificates are issued by a Certificate Authority (CA).

Types of Digital Certificates

There are three types of Digital Certificates; namely 1.TLS/SSL Certificate, 2.Code Signing Certificate, 3.Client Certificate

What is TLS/SSL Protocol?

TLS (Transport Layer Security), and its now-deprecated predecessor TLS/SSL(Secure Socket Layer), are cryptographic protocols that provide secure communication over computer networks. A website that’s TLS-enabled is preceded by ‘HTTPS,’ where ‘S’ stands for ‘Secure.’ All information that flows between the browser and an HTTPS website is private, encrypted, and protected against all kinds of interception. TLS uses PKI to verify server/host/domain authenticity.

What is TLS Handshake?

For a client to establish a secure connection with a server, the two parties first perform a “handshake” using asymmetric cryptography. In the beginning of the handshake, the server sends its digital certificate across to the client on receiving its request to connect. The client checks the certificate for problems, and on finding none, encrypts a “session key” with the server’s public key (that’s found on the certificate). The server decrypts this session key with its private key (that’s known only to it). Now, both the server and the client knows the session key, and this key is used to encrypt and decrypt all messages that are exchanged in that particular session. The session key is discarded after the session terminates.

What are TLS/SSL Certificates?

TLS/SSL certificates are a type of X.509 certificates used to verify the legitimacy of a server-side endpoint in browser-server communication. In complying with the X.509 standard, a typical TLS/SSL certificate contains the owner’s public key, the subject or the owner name, serial number, the name of the CA, the validity period (start and end date), and a digital signature with the CA’s private key.

What are TLS/SSL Certificate Functions?

TLS/SSL certificates are the fundamental concept of PKI and act as security checkpoints in network communication. Essentially, these certificates bind the public key to the corresponding owner, which could be a server, domain, or host. Before binding, the key has to be verified to belong to the purported owner, the onus of which lays on the Certificate Authority (CA) that issues these certificates. Once the authenticity of the entity (say website) being requested has been verified, the browser uses the public key of that website to initiate a secure connection with it.

What is the need for TLS/SSL Certificates?

An TLS/SSL certificate lends the stamp of authenticity to your websites. The HTTPS padlock lets your visitors know that your website is secure and all information that they may share with it is private and encrypted. This is especially vital when your website handles confidential user information like logins and passwords, financial details, personal data, etc. Aside from the security aspect, having an TLS/SSL certificate also helps in SEO and makes your website rank higher in searches, as they’re perceived to be more secure than HTTP websites.

Types of TLS/SSL Certificate

There are two classifications of TLS/SSL certificates:- 1. Based on the number of domains or subdomains to support, 2. Based on the level of assurance needed

Self-signed Certificates

Other than TLS/SSL certificates signed by a CA, there’s also something called self-signed certificates. These certificates are signed by the owner of the server themselves. Though they offer the same level of encryption as a CA-issued certificate, they are usually not trusted by clients which are configured to recognize only certificates issued by a known CA. In case a connection does get established between a self-signed certificate server and the browser, the owner of the server remains anonymous. Self-signed certificates can be created by hijackers as well.

What is Certificate Management?

Certificate Management is the process of managing digital certificates and their associated keys. An enterprise can have hundreds of thousands of certificates installed across multiple devices in its network – servers, clients, firewalls, Application Delivery Controllers, etc. They can be of many types (TLS/SSL certificate, code signing certificate, client certificate), many kinds (OV, EV, etc.), and sourced from varied vendors. Since certificates are inherent in enforcing network security, managing them diligently is vital. “Managing” here means monitoring certificates right from when they’re requested through their lifecycle–issuance, provisioning, renewal, and revocation–and taking necessary actions along each step.

Stages in Certificate Lifecycle

Like passwords and keys, certificates also go through a cycle. They’re created, provisioned into the infrastructure, and have a finite validity period after which they expire. The stages involved in a TLS/SSL certificate’s lifecycle are: 1.Certificate Request, 2.Certificate Issuance, 3.Certificate Provisioning, 4.Certificate Scanning, 5.Certificate Revocation/Renewal

CAs are trusted entities that issue digital certificates. The CA signs the certificates, and the signature is verified by a client before establishing a connection with the organization’s server. CAs are tasked with seeing the domain control verification (DCV) process through and verifying that the public key that the certificate is issued for really belongs to the subject that requests it. CAs are an integral part of the PKI and help in keeping the internet secure and transparent.

A public CA is a third-party entity that issues certificates for a fee after doing the necessary checks on the organization requesting a certificate. The checks by default include domain validation, and Third-party CAs have their own public-private key pairs with which they sign the certificates. Most of the well-known CAs are recognized by servers and clients; therefore, certificates signed by them are immediately validated by the entity initiating a secure connection. Publicly-signed certificates offer a higher level of assurance since they are issued by a recognized CA, and are generally used for securing websites and other endpoints involving direct user interaction.

What is a Private CA?

When an organization creates its own local CA without going for an external one, it’s called a private CA. In this case, the certificates are signed with the private key of the organization’s root certificate(the foremost certificate created to sign other certificates). Private CAs can be created to issue certificates for an organization’s internal network where discretion is required, and only a select group of users are involved. They may include VPNs, sensitive databases, secure mail servers, etc. In general private CAs can be employed in cases where the general public or a wide audience aren’t the target users.

What is Certificate Scanning?

Scanning involves discovering all the certificates that are installed across various endpoints in your network. Every scan records the key details of certificates like their location, health, type, days to expiry, their position in the chain of trust, etc. They provide insights into the security map of the network infrastructure, and help detect major flaws. Most certificate scanning platforms are vendor-agnostic, and also support networks that span multiple geographies.

What is the Purpose of Certificate Scanning?

Certificates play a major role in fostering network security, and it’s imperative to ensure they’re up and running fine. A network is made up of interconnected points, so even if a single certificate installed in one device expires, the entire security infrastructure breaks down; previously private communications are no longer encrypted, and hackers have a field day accessing your organization’s and your clients’ most confidential information. Some of the most devastating network outages and data breaches in the world, like those of LinkedIn and Equifax, have been caused by a lone certificate that expired unknown to the organization.

Why do I need Software to Scan Certificates? Can’t I do it manually?

When you scan certificates manually, you are likely to be storing the details of your keys and certificates along with their expiry dates in spreadsheets, and track them from time to time. You could even configure an alert to be triggered when a certificate is about to expire. However, storing your private keys in a spreadsheet is a hazard in itself, as spreadsheets are quite easy to break into. Hackers who get access to your private keys could break into your servers, control and manipulate all the private transactions that happen in your organization’s network, and steal your data.

What is X.509 Standard?

X.509 is a standard defining the format of public-key certificates. X.509 certificates are used in many Internet protocols, including TLS/SSL, which is the basis for HTTPS, the secure protocol for browsing the web. They are also used in offline applications, like electronic signatures. An X.509 (also called digital) certificate contains a public key and an identity (a hostname, or an organization, or an individual), and is either signed by a certificate authority or self-signed. When a certificate is signed by a trusted certificate authority, or validated by other means, someone holding that certificate can rely on the public key it contains to establish secure communications with another party, or validate documents digitally signed by the corresponding private key.

FIPS (Federal Information Processing Standards) are publicly announced standards developed by the United States Federal Government for use in computer systems by non-military government agencies and government contractors.* They’ve been developed to ensure computer security and interoperability.

What is SHA, and what are SHA-1 and SHA-2?

SHA is the acronym for Secure Hash Algorithm, used for hashing data and certificate files. Every piece of data produces a unique hash that is thoroughly non-duplicable by any other piece of data. The resulting digital signature is unique too as it depends on the hash that’s generated out of the data. For the course of the actual communication, symmetric cryptography is used, where the same key that hashes or encrypts data is used to decrypt it.

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. It was drawn up by a consortium of major card payment players like Visa, MasterCard, American Express, Discover Financial Services, and JCB, who are also its board members.

CSR (Certificate Signing Request) is the message that’s sent to the CA in order to get a digital certificate created. A CSR is often generated on the same server on which the certificate is to be installed. Before creating a CSR, the applicant must first generate a public-private key pair. The public key is included in the CSR and is used by the CA to create the certificate while the private key (to be kept private again) is used to sign the information contained in the CSR.

What are the Steps Involved in Verification?

After the CSR is generated and sent to the CA, the CA conducts a verification process before issuing the certificate. The steps involved in verification depends on the type of certificate requested.

What is a Certificate Chain?

Certificate chain (or Chain of Trust) is made up of a list of certificates that start from a server’s certificate and terminate with the root certificate. If your server’s certificate is to be trusted, its signature has to be traceable back to its root CA. In the certificate chain, every certificate is signed by the entity that is identified by the next certified along the chain.

Links in the Certificate Chain

Root CA: Root CAs (called “trust anchors” in X.509 terminology) hold the highest position in the trust tree and are recognized by all clients (browser/OS) at all levels. Root CAs are responsible for identifying intermediate CAs and verifying their trustworthiness. The root CA uses its certificate’s private key to sign the certificates of the intermediate CAs (or, in the case of unchained certificates, the server certificate) under it. The trustworthiness of the root CA is thus “passed down” to the intermediate CAs; any CA that is validated by the root CA is automatically trusted by its clients. Intermediate CA: The intermediate CA is the “middle-man” between the root and server certificates. The intermediate CA certificates are either signed by the root CA, or by another intermediate CA certificate signed by a root CA. The intermediate certificate, in turn, signs the server certificate. There is often one, or more, intermediate CA certificate in a chain. For the server certificate to be compatible with all its clients, the intermediate certificate has to be installed on the server. If not, it might prevent some browsers, mobile devices, applications, etc. from trusting the server certificate. Server Certificate: This is the certificate that’s publicly issued server to specific domains that the user needs authorization for. The server certificates are signed by the intermediate CA, and can be traced back to the root CA. When the Chain of Trust is verified, the client makes a secure connection with the server.

How do I Download my Certificate Files?

Once the certificates are issued, they will be available for download from the owner’s account with the CA. Sometimes, the CA will send a link to the account holder or any other authorized person from which the certificate files can be downloaded.

Can I install the same TLS/SSL Certificate on Multiple Servers?

It depends on the CA and the certificate license. To install the same certificate on multiple servers, first install the certificate files to the server where the CSR was originally generated. Then import the files (along with the private key) to the respective servers. This way, your servers will each have a copy of the certificate with its private key installed on it. Since this process involves copying the private key into the servers, it has to be done very carefully in a way the private key is not exposed. The key can be copied through SSH commands, or it may be packed with the certificate into a PKCS#12 archive (aka “PFX file”) with password-based encryption: this will give decent protection for the key while it transits between the two servers if the password is random enough.

What is the Maximum Validity Period of TLS/SSL Certificates?

The maximum validity period of TLS/SSL certificates is currently at 825 days (2 years, 3 month, and 5 days). The validity period was sheared from 10 years down to 5 years, and finally to 2 years, owing to the security concerns associated with protracted validity periods. An organization may undergo many changes over the course of 5 or 10 years–mergers and acquisitions, management shuffles, or employees leaving. In such a scenario, domain names are subject to change, and so are certificate ownerships. If a certificate that has a 5-year validity were deployed for the old domain name, it has to be revoked, and a new CSR has to be raised for the new domain. Sometimes, organizations may forget to revoke old certificates. The website may now have a different domain, but the old domain would still be valid because its certificate is still active. Hackers could use those domains to create their own websites that look like they belong to the organization. They can get unsuspecting people to visit those websites and surrender their data, which would go straight to the hackers’ systems.

Do I have to Generate a new CSR to get my Certificate Renewed?

It is recommended that you generate a CSR each time you renew your old certificates. Though some web servers may allow you to use the old CSR, generating a new one takes care of incorporating new encryption methods and hashing algorithms into the new certificates.

When is Certificate Revocation and when should I do it?

Certificate revocation is the act of invalidating a TLS/SSL before its scheduled expiration date. A certificate should be revoked immediately when its private key shows signs of being compromised. It should also be revoked when the domain for which it was issued is no longer operational.

Buying a TLS/SSL certificate from a CA

You can go to the website of your preferred CA and choose a certificate that best suits your needs from the options listed. The next step would be to generate a CSR. Once that’s submitted, the CA will contact the owners of the domains that the certificate has been requested for and take the necessary verification steps.

Why are IoT Devices Considered more threat-prone than Conventional Electronic Devices?

IoT devices aren’t like conventional electronic devices, say laptops and smartphones that have built-in security functions. IoT devices are of myriad types and may use many different, non-standard software and vendor-oriented technologies that make implementing security measures in them challenging. Some devices might transmit data in its unencrypted form, making it easy for hackers to launch their attacks.

What are the Key Security Requirements for IoT?

The key security requirements of IoT are: 1.Ensuring the confidentiality and integrity of data traveling between connected devices – to make sure that data is not tampered with while it’s in transit between devices. 2.Providing each device a verifiable identity – through digital certificates and signatures. 3.Meeting industry-specific compliance requirements – to make sure the IoT devices meet the regulations laid down by each industry it’s used in.

What are the Advantages of Introducing a PKI to IoT Devices?

PKI (Public Key Infrastructure) offers a one-size-fits-all solution for all IoT devices, however unique they are. It employs X.509 digital certificates to identify devices, authenticate them, and encrypt data that flows between them. It removes the need for passwords and protracted authorization checks – devices can just identify each other with their public key and start exchanging data.

How can I manage PKIs for IoT?

Digital certificates do not ensure security by themselves — their efficacy depends on how well they’re managed. In-house PKI management is not a viable option for IoT devices owing to their sheer number. A factory could easily be using thousands of IoT devices, and managing their certificates in-house levies an unnecessary strain on resources. Moreover, even one expired or compromised certificate left neglected can wreak havoc on the whole network, leading to outages and potentially hidden rampant attacks.

SafeNet AT | AppViewX

Digital Certificate and Key Lifecycle Management and Automation with SafeNet Assured Technologies

AppViewX and SafeNet AT Joint Solution

DOWNLOAD BRIEF

AppViewX and SafeNet AT’s partnership helps enterprises overcome the challenges brought by managing private keys in a complex infrastructure. For enhanced security and compliance, private keys must be encrypted before they are stored in an enterprise’s infrastructure.

Our combined solution gives the enterprise multiple options that cater to the specific needs of that infrastructure. AppViewX acts as the automation and orchestration engine for the lifecycle management of X.509 certificates, and SafeNet AT aids in the security of the private keys associated with those certificates.

Solution Highlights

Certificate Management with Encrypted Private Key Storage in AppViewX

This solution is useful for enterprises seeking to generate and store private keys inside AppViewX and limit their encryption to the HSM device for optimum resource utilization. Before being stored in an AES-256 encrypted database, the private keys undergo multiple layers of encryption by Data Encryption Key (DEK), Key Encryption Key (KEK) and Master Encryption Key (MEK). While the encrypted private key, encrypted DEK, and encrypted KEK reside inside AppViewX, the MEK is stored inside the HSM and cannot be retrieved. This solution is suitable for all ADC and server devices.

Certificate Management in AppViewX and Private Key Storage in SafeNet AT

Enterprises can use this solution to assign AppViewX to certificate management activities while HSM is used to both generate and store private keys in the name of added security. The private key generated within the HSM cannot be removed and is completely shielded from tampering. This particular solution is suitable for all supported devices that can initiate direct communication with the HSM and use a key identifier to access private keys.

Benefits

Encrypt and protect private keys using an industry-standard, FIPS 140-2 certified HSM
Manage and automate multi-vendor X.509 certificates across multiple devices
Gain visibility and control across all certificates and its keys
Enforce policies and ensure compliance across the network
Deliver secure, encrypted communications faster by reducing certificate deployment time by up to 70%

About SafeNet Assured Technologies

SafeNet Assured Technologies, LLC protects the U.S. Federal Government’s most sensitive information systems. As a U.S. based company, SafeNet Assured Technologies’ mission is to provide high assurance data security products and technologies to the Federal Government. Defense, intelligence, and civilian agencies trust SafeNet Assured Technologies to provide encryption-based identity and authentication solutions, secure sensitive data and networks, and enable assured information sharing.

SafeNet AT

Digital Certificate and Key Lifecycle Management and Automation with SafeNet Assured Technologies

AppViewX and SafeNet AT Joint Solution

Solution Highlights

Benefits

About SafeNet Assured Technologies

Social Networks

Sign Up To Hear From Us