16 September, 2021

The time to automate your digital certificate management has arrived

By Avesta Hojjati, Head of Research and Development, DigiCert

PKI and certificate management demand a lot of attention and careful scrutiny. Any organization needs to monitor scores, hundreds or even thousands of certificates, each with its own specifications, lifespan and settings. It is a complex task that few can handle on their own, and failure, in the form of unforeseen expirations or outages, comes at a high price.

Certificate outages are a common problem. In 2019, 60 percent of organizations experienced a certificate-related outage.

New developments, as well as old problems, are forcing greater attention to certificate management. The adoption of new technologies, such as Internet of Things devices, is behind an exponential expansion in business certificate needs. Additionally, major browsers recently halved the maximum certificate lifespan from two years to just one. If companies weren’t paying attention to certificates before, they must now.

Certificate management automation is one way to mitigate the risks of this critical task. But organizations often run into trouble along the way, stalling their automation plans, stopping them altogether, or, at best, failing to reap the rewards automation offers.

The main problem that organizations encounter when trying to automate is not knowing their own environment. In February, the Ponemon Institute published a study showing that 74 percent of organizations could not tell which certificates they were using. Not surprisingly, 55 percent of its respondents had suffered more than four certificate outages in the past four years.

Organizations need to know their environments inside and out: they need to know where their nodes are located, they need to know what kinds of web servers and operating systems they use, and they need to know how certificates are used within their environment. Many, sadly, do not.

Nor is it always an easy job. There is great diversity within business networks. While one department may run an Apache web server, another may run nginx. Automation has to be tailored to those kinds of differences before it can be spread throughout the environment.

That task is also becoming more difficult. Companies are growing with a diverse set of new technologies, such as IoT devices or APIs. These have their own requirements and configurations, which must be mapped and accommodated when planning for automation.

A recent survey found that 80 percent of organizations expect TLS usage to grow 25 percent over the next five years. That’s due in part to this growing complexity within the company. That complexity carries risks if it is managed improperly. Another survey revealed that 85 percent of CIOs believe that increasing complexity within IT systems will make certificate outages that much more damaging.

Many organizations are unaware of these complexities within the corporate network. Without concentrated effort, they will lose the promised benefits of automation or risk the expiration, and resulting outages, of certificates they never discovered.

Above all, they need to gain visibility into their environments, and specifically into their certificates: which ones they have, how they are used and how they are configured. A certificate management platform with discovery tools can help here.

Certificate discovery tools use sensors and agents to scan a network and find all TLS/SSL certificates within a given environment, regardless of the certificate authority that issued them. They collect a wealth of information, including certificate status, issuing authority, host IP address and port, security rating, expiration date, vulnerabilities and other security issues. Because each certificate is unique, the information collected here can help you map the rest of your environment.
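As an added illustration of the discovery step described above (this is example code written for this page, not DigiCert's product or any tool it describes), the following standard-library Python script connects to a list of host:port targets, pulls the leaf certificate each one presents, and turns it into an inventory record: subject, issuer, SANs, expiry date, days remaining, total lifetime, and a status of ok / expiring / expired. The 398-day lifetime cap is assumed to be the "one year" browser limit mentioned earlier; the `SAMPLE_CERT` dictionary, the `example.internal` hostnames and the `demo()` helper are constructed for the example so it runs offline.

```python
"""Minimal TLS certificate discovery and expiry triage using only the Python stdlib."""
import socket
import ssl
import sys
from datetime import datetime, timedelta, timezone

# Assumption: 398 days is the maximum leaf-certificate lifetime the major browsers
# have enforced since September 2020 (the "one year" limit discussed in the article).
MAX_LEAF_LIFETIME_DAYS = 398

# Constructed sample in the exact shape ssl.SSLSocket.getpeercert() returns.
# It is not a real certificate; the hostnames and CA name are made up.
SAMPLE_CERT = {
    "subject": ((("commonName", "app.example.internal"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example CA Org"),),
               (("commonName", "Example Issuing CA"),)),
    "notBefore": "Jan 10 00:00:00 2021 GMT",
    "notAfter": "Mar 31 23:59:59 2021 GMT",
    "subjectAltName": (("DNS", "app.example.internal"), ("DNS", "api.example.internal")),
}


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Open a TLS connection and return the leaf certificate as a getpeercert() dict.
    With the default (verifying) context, a chain that does not validate against the
    local trust store raises ssl.SSLCertVerificationError; scan() records that as an
    error rather than silently skipping the host."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def _name_attr(name, key):
    """Pull one attribute (e.g. 'commonName') out of the nested ((('k', 'v'),), ...)
    subject/issuer structure that getpeercert() produces."""
    for rdn in name:
        for attr_key, value in rdn:
            if attr_key == key:
                return value
    return None


def _cert_time(value):
    """Convert getpeercert()'s 'Mar 31 23:59:59 2021 GMT' strings to aware datetimes."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def evaluate_cert(cert, host, port, now=None, warn_days=30):
    """Turn one certificate dict into an inventory record with an expiry status."""
    now = now or datetime.now(timezone.utc)
    not_before = _cert_time(cert["notBefore"])
    not_after = _cert_time(cert["notAfter"])
    days_left = (not_after - now).days          # negative once the cert has expired
    if days_left < 0:
        status = "expired"
    elif days_left <= warn_days:
        status = "expiring"
    else:
        status = "ok"
    lifetime = not_after - not_before
    return {
        "host": host,
        "port": port,
        "subject": _name_attr(cert.get("subject", ()), "commonName"),
        "issuer": _name_attr(cert.get("issuer", ()), "commonName"),
        "sans": [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"],
        "not_after": not_after.isoformat(),
        "days_left": days_left,
        "lifetime_days": lifetime.days,
        "exceeds_max_lifetime": lifetime > timedelta(days=MAX_LEAF_LIFETIME_DAYS),
        "status": status,
    }


def summarize(records):
    """Count records per status and per issuer so an unexpected CA or a cluster of
    expiring certificates stands out at a glance."""
    by_status, by_issuer = {}, {}
    for r in records:
        by_status[r["status"]] = by_status.get(r["status"], 0) + 1
        by_issuer[r["issuer"]] = by_issuer.get(r["issuer"], 0) + 1
    return {"by_status": by_status, "by_issuer": by_issuer}


def scan(targets, warn_days=30):
    """Inventory a list of (host, port) pairs; failures become records, not crashes."""
    records = []
    for host, port in targets:
        try:
            records.append(evaluate_cert(fetch_peer_cert(host, port), host, port, warn_days=warn_days))
        except (OSError, ssl.SSLError) as exc:
            records.append({"host": host, "port": port, "issuer": None,
                            "status": "error", "error": str(exc)})
    return records


def demo(cert=SAMPLE_CERT, now_iso="2021-03-15T00:00:00+00:00"):
    """Evaluate the constructed sample at a fixed point in time (offline demo)."""
    return evaluate_cert(cert, "app.example.internal", 443, now=datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    # usage: python cert_inventory.py host1[:port] host2[:port] ...   (no args: offline demo)
    targets = []
    for arg in sys.argv[1:]:
        host, _, port = arg.partition(":")
        targets.append((host, int(port) if port else 443))
    results = scan(targets) if targets else [demo()]
    for rec in results:
        print(rec)
    print(summarize(results))
```

One design caveat matters for real discovery: `getpeercert()` only returns the parsed dictionary when the chain verifies against the local trust store, so a scanner that must inventory certificates "regardless of the certificate authority that issued them" (self-signed or internal-CA certificates included) has to fetch the DER form with `getpeercert(binary_form=True)` and parse it with an X.509 library instead; the triage logic in `evaluate_cert` and `summarize` is unchanged either way.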

Once all of your certificates have been discovered, they can be organized in a central management platform and the work of automating request, provisioning, renewal, revocation and update functions can begin. From there, companies can adopt standardized automation protocols such as the Automated Certificate Management Environment (ACME), the Simple Certificate Enrollment Protocol (SCEP) or Enrollment over Secure Transport (EST), or use a REST API to install certificate management agents on their servers.

Contact us to find out more about our solutions.