Four Tips to Solving Certificate Problems — Without Creating New Ones

Machine identities are exploding as businesses shift to the cloud, adopt containerization, and use more mobile and IoT devices. As mismanaged certificates cause painful outages and disruptions, the challenge of managing digital certificates is rising to critical for many organizations and leaders.

Keyfactor’s 2023 State of Machine Identity Management report shows that executive support for certificate management is improving, yet more organizations say they lack the adequate staffing to deploy and maintain their public key infrastructure. 

Even in the security realm, managing cryptography and public key infrastructure are niche specialties. A lack of proper tooling makes certificate lifecycle management (CLM) more difficult for general security and IT teams, significantly detracting from their primary responsibilities and duties. 

Keyfactor’s new Certificate Lifecycle Automation Buyer’s Guide helps organizations navigate the market of CLM solutions to identify solutions that keep their certificate usage on track.

The day-to-day office work of almost any unit within a business runs on a patchwork of tools and shadow IT assembled by users to support their workflows. It’s not their fault. They are trying to be as productive as possible. They are too busy staying above the tide of work to step back and identify a better way.

The teams managing certificates are often no different. They are likely using a combination of these solutions:

Though a digital tool, spreadsheets are still heavily manual and burdensome when used to track thousands upon thousands of certificates. Plus, spreadsheets only track certificates your team knows about — they don’t account for unknown certificates lurking in the far reaches of the systems landscape. And while widely used, spreadsheets lack any type of smart notification process or any concept of PKI automation.

A certificate authority (CA) is an entity that generates, signs, and issues digital certificates. Often, a CA vendor will offer a tool for managing certificates from that particular CA. However, most organizations use several CAs. Respondents to Keyfactor’s 2023 State of Machine Identity report used nine CAs on average — managing nine different tools is barely a step up from using spreadsheets. 

While open-source CA tools can be flexible and low-cost, they rarely cover the full spectrum of use cases within an organization. They still don’t supply centralized visibility and control across all CAs and certificates in use by the enterprise. 

Better solutions are out there, and those seeking them must understand two key truths about certificate lifecycle management to identify the right choice for their organization. 

• Every certificate matters: According to the  2023 State of Machine Identity Management report, the average organization has over a quarter-million certificates. Any one of them could cause an outage by expiring unexpectedly.
• Your solution must be a perfect fit: A tool that does only 90% of what’s needed is 100% wrong. If a solution can’t give you total visibility, lay the groundwork for automating certificate lifecycles, and deploy in a way that fits your environment, it will create more problems than it solves.

Every organization has its own unique set of needs. However, in searching for a certificate lifecycle management solution, there are a few universal pitfalls to avoid. 

Using several CAs isn’t a bug -it’s a feature. Using multiple CA vendors provides redundancy if one CA fails or becomes compromised. Multiple CAs grant more flexibility in creating revocation processes and more service options that help fit an organization’s particular security needs.

That said, organizations must find a CLM platform that can issue and manage certificates from all the CAs used by the organization — and those the organization might use in the future. 

Failure to do so will require the adoption of multiple tools, which doesn’t achieve centralization and creates unnecessary redundancies, maintenance work, and costs.

Several protocols accelerate the issuance and renewal parts of the certificate lifecycle, but they are far from a complete solution. ACME, EST, SCEP, and other protocols are basically process frameworks that allow communication with certificate authorities. You can think of these as different languages that different CAs are designed to speak in. 

While these protocols help with basic automation, they don’t provide organization-wide visibility. They also don’t offer the functionality needed to revoke certificates en masse or automate endpoint configurations that bind the certs and the roots of trust management. 

Avoid middleware architecture that sits between CAs and end devices. These vendors only manage certificates issued by their platform and won’t manage certificates that already exist in your environment. That would require the redeployment of all certificates through their tool and re-engineering workflows to go through their solution. 

This path is risky and laborious. Remember, it’s good to use multiple CAs, yet this method forces organizations to use just one if they are to achieve fully centralized visibility.

Instead, look for modular, loosely coupled solutions that act as certificate orchestrators rather than transaction pipelines or bottlenecks. 

How a solution can (or can’t) be deployed is just as important as what it can do. Whether an organization is running on-premise or in the cloud, or through a multi-cloud or hybrid architecture, the solution should be flexible enough to deploy there without changes. 

While many organizations have embraced the cloud to one degree or another, legacy PKI infrastructures are likely still hosted on-premise. Most organizations need the ability to run parts, if not all, of their CLM infrastructures in the cloud while still managing on-premise assets.

It’s worth evaluating your infrastructure and growth requirements when evaluating a deployment model. An ideal solution will expand with your organization’s growth and cryptographic requirements over time.

Keep in mind, visibility remains the biggest challenge for organizations building CLM maturity. That means that as they search for solutions, they don’t know the full extent of their certificate landscape. Security leaders want to avoid buying a tool, then finding out they need something else, or discovering their new solution only covers 90% of their needs (or requires a drastic upheaval of current processes and workflows). 

To see what else organizations should consider — and the key features they should look for — check out our new Certificate Lifecycle Automation Buyer’s Guide.

There are a few green flags that any solution should offer.

• It should proactively discover, log, and monitor every certificate across the entire organization, entirely eliminating the risk of undetected certificates.
• It should centralize the management of all certificates. That means it should be able to control all certificates from a single hub.
• It should automate the lifecycles of keys and certificates, removing the manual maintenance burden of spreadsheets, multiple vendor CA tools, and open-source solutions.