All tech-oriented organizations need to secure their assets, whether that is an application that processes sensitive information, a website that acts as brochure-ware or a large database. Besides these, they also need to secure other forms of data storage and communication, such as email, credit card transactions and instant messaging. This is where digital certificates come into play. They are a way to identify (web)servers, applications, devices and other network components: basically everything a system or human being uses to access information-based systems. As the number of “digital products” grows, organizations demand more certificates. All of these need to be managed as well, just like other assets. Let’s find out the how, what and why of certificate management.
Digital certificates are also called Public Key Certificates, Identity Certificates or SSL Certificates. They are critically important for establishing safe connections to websites, applications, network infrastructure and other devices. In essence, digital certificates guard the ownership and authenticity of the component or system they protect.
It’s not enough to create your own certificate (called a self-signed certificate). You need a trusted organization, called a Certificate Authority, to sign valid certificates so that their authenticity can be guaranteed.
How it works
To explain how a digital certificate works, let’s take a look at a website that uses the HTTPS (secure) protocol to serve its pages to customers. The process of authenticating and establishing the secure connection between the visitor and the webserver is called the “handshake process”.
- First of all, the client (web browser) requests the website, which is protected by the webserver and its certificate.
- The webserver sends the certificate and the public key to the client.
- Next, the client checks the validity of the certificate (it must not be expired or revoked, and it must match the owner and the domain it protects) as well as the Certificate Authority that signed it.
- In return, the client sends a session key to the server. If the server accepts it, it acknowledges the connection and encrypts this acknowledgement.
- From this moment on, the client and server trust each other and can communicate safely, since all traffic is encrypted.
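As an added example (not code from the original article), here is what the client-side checks of step 3 look like in Go with the standard crypto/x509 package: the chain must end at a trusted CA, the certificate must be valid at the current time, and it must match the requested host name. The internal CA, host names and validity periods are constructed for the demonstration; a real browser uses its built-in trust store instead of the `roots` pool built here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// issue returns a certificate for cn/dns signed by parent; parent == nil means self-signed (our constructed CA).
func issue(cn string, dns []string, isCA bool, notAfter time.Time,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: dns, NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter,
		KeyUsage: x509.KeyUsageDigitalSignature, IsCA: isCA, BasicConstraintsValid: true,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // a CA must be allowed to sign certificates
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth} // web server use
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced, so this parses
	return cert, key
}
// checkServerCert runs the client-side checks of handshake step 3: the chain ends at a trusted
// CA, the certificate is valid at `now` (not expired) and it matches the requested host name.
func checkServerCert(leaf *x509.Certificate, roots *x509.CertPool, host string, now time.Time) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	return err // non-nil means the browser must not proceed with the connection
}

func main() { // constructed scenario: an internal CA issues a 90-day web server certificate
	now, roots := time.Now(), x509.NewCertPool()
	ca, caKey := issue("Example Internal CA", nil, true, now.AddDate(10, 0, 0), nil, nil)
	roots.AddCert(ca) // the client's trust store holds only this CA
	leaf, _ := issue("www.example.com", []string{"www.example.com"}, false, now.AddDate(0, 0, 90), ca, caKey)
	fmt.Println("www:", checkServerCert(leaf, roots, "www.example.com", now), "| api:", checkServerCert(leaf, roots, "api.example.com", now))
}
```

Running it prints `<nil>` for the matching host and a hostname error for `api.example.com`; the same function returns an error for an expired certificate or one signed by a CA that is not in the pool.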
Luckily, end-users do not have to worry (much) about this process, since the browser carries out these steps. On the server side, things become a bit more complicated. Since the number of protected devices grows significantly and applications run in a hostile (cloud) environment, certificate management is vital for digitally oriented organizations.
Certificate management entails everything an organization needs to do to manage certificates throughout its software application projects, in all stages of the development process.
The following stages and activities comprise full certificate lifecycle management:
- Certificate generation based on the issuer’s requests.
- Provisioning of the generated certificates.
- Discovery: scan and locate certificates across all systems.
- Inventory: aggregate certificates and their management identities.
- Monitoring of existing certificates; reporting and auditing are also part of this stage.
- Secure storage of the private key: encrypt it and keep it in a safe place.
- Renewal of certificates before they expire.
- Revocation: invalidate certificates which are marked as “revoked”.
Since handling certificates in a consistent and secure way involves so many stages, none of this is a simple task.
Although certificate management is not easy, a lot of companies use a manual process to handle every stage. This leads to many time-consuming activities in which developers lose valuable time, security operators are busy administering those activities, and many more inefficiencies. It also leads to a huge communication overhead. Besides these, there are other drawbacks:
- Private key storage solutions might be insufficient. Since the private key is a very important asset to secure, it’s unacceptable that these keys are stored in unsecured storage locations. The human factor in this step poses a great risk.
- Your certificates must be visible in order to maintain them. Having them scattered across the various systems of the organization leads to problems when it comes to trust structures. Do you remember the article about secrets management?
- Auditing certificates which are handled manually is a problem: there are no reliable tracking mechanisms, so there is no clear view of who generates or modifies these certificates.
Relationship with DevOps
In DevOps, application infrastructure is provisioned on the fly. This also applies to the certificates which are needed to protect whatever is running on it. If certificate management is not automated, companies cannot benefit from DevOps to the fullest extent. The consequence is that teams will (temporarily) deploy insecure application solutions, making your organization more vulnerable to attackers.
It’s obvious that certificate automation helps to reduce the pain of manual certificate management. Typical certificate management solutions support the following activities:
Acquisition: scan the entire network of the on-premises data center or cloud environment for certificates. Bad or invalid certificates should be removed, since they can be exploited fairly easily.
Inventory: once all certificates are identified, they need to be stored in a centralized certificate management system. It’s vital that this system is extremely secure and that only authorized persons have access to it. Never store certificates on a local hard drive which is controlled by an individual user.
Discovery: the discovery process should be repeated regularly to make sure any newly installed certificates are discovered. All of the metadata for each certificate should be recorded, and the user of the certificate management system should get an alert when issues occur.
It’s vital to only allow trusted certificates and to block unwanted certificates, even if they have been added to the certificate management solution. The security steps to achieve this should also be automated as much as possible.
Issuers who request a new certificate do not want to follow a lengthy procedure which includes a bunch of documents and manual approvals. It would be much more convenient to trigger a pipeline with the needed parameters to generate the certificate of choice. This pipeline can also include several validation steps, such as validating the domain name, the name of the issuer or application (does it exist in the Configuration Management Database?) and the intended expiry date.
Besides this, it can also check whether the intended certificate is a so-called “wildcard certificate” that serves multiple domain names.
The approval step is an important one. CI/CD pipelines allow manual approval steps that send out a notification to the person who needs to approve or reject the certificate. It’s possible to link a ticket with details about the purpose and scope of the new certificate. This helps to make an informed decision. At the same time, it serves as an audit trail of who approved the certificate on a certain date.
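Added example, not from the original article: a Go validation step such a pipeline could run on an incoming Certificate Signing Request, covering the checks named above (domain name, application in the CMDB, intended lifetime) and routing wildcard requests to the manual approval step instead of issuing them automatically. The CMDB entries, the approved DNS zone and the maximum lifetime are constructed policy values, and `newCSR` only produces test input the way a requesting team would.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"strings"
	"time"
)
// Constructed policy: applications known in the CMDB, the DNS zone that may be certified, max automatic lifetime.
var (
	cmdb         = map[string]bool{"webshop": true, "intranet": true}
	approvedZone = ".example.com"
	maxLifetime  = 397 * 24 * time.Hour
)
// validateRequest parses the DER CSR and checks its proof-of-possession signature, the application, the lifetime
// and every requested domain. It returns the reasons to reject (empty means OK) and whether a wildcard needs approval.
func validateRequest(csrDER []byte, app string, lifetime time.Duration) (reject []string, needApproval bool) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return []string{"unparseable CSR: " + err.Error()}, false
	}
	if csr.CheckSignature() != nil { // the requester must hold the matching private key
		reject = append(reject, "CSR signature invalid")
	}
	if !cmdb[app] {
		reject = append(reject, "application not in CMDB: "+app)
	}
	if lifetime <= 0 || lifetime > maxLifetime {
		reject = append(reject, "requested lifetime outside policy")
	}
	for _, n := range append([]string{csr.Subject.CommonName}, csr.DNSNames...) {
		if strings.HasPrefix(n, "*.") { // wildcard certificate serving many host names
			needApproval, n = true, n[1:]
		}
		if !strings.HasSuffix(strings.ToLower(n), approvedZone) {
			reject = append(reject, "domain not in the approved zone: "+n)
		}
	}
	return reject, needApproval
}
// newCSR builds a CSR the way a requesting team would; constructed input for this example.
func newCSR(cn string, dns []string) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	der, _ := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}, DNSNames: dns}, key)
	return der
}
```

A request for `www.example.com` from a known application passes with no reasons, `*.example.com` passes but is flagged for approval, and a request for a foreign zone from an unknown application with a three-year lifetime collects three rejection reasons.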
Renewal and revocation
Certificates need to be renewed when their validity period is over, otherwise they stop working. Normally this is needed every 1 – 2 years. Certificate management solutions offer the creation of Certificate Signing Requests, which provide the essential information to generate and validate certificates. Automatically creating new certificates helps to speed this up.
And last but not least: revocation. Any certificate that is no longer valid should be discarded as soon as possible, but not before the owner of the certificate gets a notification, so he/she can take action if needed.
As of now, there are several tools that offer solutions to make the lives of security experts who are tasked with certificate lifecycle management a bit easier. Some well-known tools are listed below to help you get started.
- Sectigo, formerly known as Comodo SSL. This global player offers a Certificate Lifecycle Management Platform that supports the following key topics: management of the certificates themselves, securing digital identities, automated lifecycle management, integration, automation and storage solutions for various technologies, and enabling solutions (e.g. authentication, signing, encryption & compliance).
- Nexus Smart ID PKI. As stated on their website, Nexusgroup offers: “a flexible and scalable solution that can be used by any organization to issue, manage and validate certificate-based digital identities for mixed endpoint environments that include people, infrastructure and things.“
- Strongkey has been around for 20 years now. It specializes in cloud key management by offering its SaaS solution that isolates individual customers (tenants). Their hosted solution includes: Public Key Infrastructure (PKI), Key Management Service (KMS), Cloud HSM and Tokenization as a service.
Besides these dedicated solutions, there are popular (secrets) management solutions that offer the same capabilities or a subset of them. Think of Azure Key Vault to handle digital identities and AWS Secrets Manager to handle all kinds of secrets for your applications. And let’s not forget HashiCorp Vault, which is a dedicated secrets management solution for all your needs.
Digital certificates serve two main functions. First, encryption of the data that flows between two systems. And secondly, verification of the digital identity, to make sure the information you see actually comes from the entity it claims to come from. Since the number of “to be protected” websites, applications and other devices grows, the number of digital certificates also increases. Certificate management should be automated and supported by specialized tools. With the ideas presented here, I hope you have a better understanding of why digital certificates are important for your organization and why you need to secure them.