In my 15+ years working with PKI and TLS certificates, never has there been so much news about the importance of managing and protecting digital identities. From the recent Microsoft Teams outage to the recent revocation of 3 million+ TLS certificates by Let’s Encrypt, it’s hard to ignore.
With the recent trend of Zoom-bombings, even my non-tech friends are realizing the importance of privacy and security, thinking twice about their passwords and checking for that lock icon in their browser.
In some cases, they just didn’t know what to do, but knew they could ask me for guidance on how to better protect themselves. In the world of cybersecurity, NIST is that trusted source.
When it comes to PKI – which we specialize in at Keyfactor – NIST provides several security guidelines and recommendations. We follow these guidelines and others to ensure that our company meets industry standards for protecting customer data, and to ensure that our end users can avoid costly security breaches and certificate-related outages through the use of our Keyfactor Command product.
5 Tips for Managing TLS Certificates at Scale
Based on NIST guidelines and best practices, here are five things you should consider when managing TLS certificates in your organization:
01 | Know the importance of TLS certificates
Knowledge is power. To effectively address your security challenges related to TLS certificates, the people in your company need to know why it’s important to properly manage them.
That means understanding what happens if a certificate expires or if it’s compromised, and the risk that creates for the business. Consider that network downtime costs roughly $300,000/hour, and that a stolen SSL/TLS certificate can cause serious damage in the hands of an attacker.
Stolen certificates can be used to compromise networks or create fake websites, cause harm to your customers, and loss of revenue and reputation for the business.
02 | Centralize inventory of TLS certificates
With the rise of DevOps and automation of infrastructure provisioning, certificates are often issued without any centralized knowledge of where they are installed, when they expire or what policies they comply with. That makes TLS certificate management a much larger and more complex problem.
Start with visibility. Getting an inventory of TLS certificates is the first step in getting a lay of the land and preventing the next outage. This can be accomplished with a certificate management solution via several means, including:
- Synchronizing with CA databases
- Scanning SSL/TLS endpoints
- Inventorying key and certificate stores
03 | Define ownership and policies
As I mentioned earlier, most end users aren’t knowledgeable about best practices for the issuance and use of TLS certificates. PKI is typically driven by a single team, but that team must have a way of enforcing consistent policies and knowledge across all departments.
That means defining responsibilities for certificate owners and approvers, and ensuring that every team – from network engineers to developers – have a consistent set of ‘rules’ to follow. A certificate management solution like Keyfactor Command can help to:
- Assign certificate owners with role-based access and permissions
- Audit all user and certificate-related activities
- Enforce standardized certificate templates and policies
04 | Focus on detection and prevention
By utilizing all of these techniques, organizations can then gain awareness of where they might be vulnerable – such as near-expired certificates or weak keys – by utilizing proper reporting and monitoring tools to:
- Find vulnerable certificates (e.g., those signed with weak algorithms, like SHA-1)
- Prevent outages due to certificate expiration by notifying certificate owners beforehand
- Respond to cryptographic incidents such as CA or algorithm compromise
05 | Adopt automation and self-service
Manual processes are certainly more effective than no processes at all, but humans make mistakes. Not only does automation help to prevent outages, it also frees up IT resources and end-users from hours of manual tasks related to certificate requests, issuance, provisioning, and renewal.
Keyfactor Command provides several methods of automation:
- Self-service workflows for users to request and renew certificates prior to expiration
- Automated provisioning and installation of certificates on network endpoints
- Scheduled report generation and delivery to certificate owners or PKI admins
NIST Recommended Best Practices
If you’re an IT security professional, you’re probably familiar with NIST. Below is a list of NIST recommendations for TLS certificate management, and how Keyfactor can help ensure your PKI deployment and operations are following best practices.
| NIST Recommendation | How Keyfactor Can Help |
| Inventory | Several tools help you to inventory certificates via real-time CA synchronization, network-based discovery, and inventory of key and certificate stores. This brings all certificates into a single dashboard for easy management.
|
| Ownership | A centralized console makes it easy to define certificate owners and assign role-based permissions. Certificates can be grouped and tagged with custom metadata tied to specific business departments or applications.
|
| Approved CAs | Direct integrations to public and private CAs (such as Microsoft CA) ensure that users issue certificates only from trusted and authorized sources. Our cloud-hosted PKI gives the added benefit of dedicated, managed CA infrastructure.
|
| Validity Periods | Shorter validity periods reduce risk, but also increase risk of outages. Automated expiration alerts and the flexibility to use server- or device-side private key generation ensures proper security and reduces the risk of outages.
|
| Key Length and Signing Algorithms | Customizable dashboards and reports allow your teams to quickly identify and replace certificates that make use of unauthorized key lengths. Certificates can be revoked and re-issued or renewed from a trusted and authorized CA.
|
| Subject DN and SAN Requirements | Administrators can automatically enforce the addition of a SAN to certificate requests, even if one is not initially supplied, to ensure web server certificates will be accepted by browsers without error.
|
| Automation | Self-service interfaces and automation tools allow users to automate the renewal and provisioning of certificates to end-devices either on-demand or at a configurable time before expiration.
|
| Certificate Request Review
|
Configurable workflows for pending certificate requests can be used to require approval, escalate notifications, and audit all stages of certificate issuance.
|
| Private Key Security | Support for on-device key generation (ODKG) reduces risks related to storing and securing private keys. HSM integration and comprehensive auditing ensures that only authorized personnel can gain access to keys if needed.
|
| Rekey/Rotation | Automated renewal and integration with privileged access management (PAM) tools allows you to perform sensitive renewal and re-key operations without requiring manual admin intervention.
|
| Proactive Certificate Renewal | Continuous monitoring, scheduled reports, expiration alerts and escalations can be configured to be sent prior to expiration. One-click or no-click renewal automation makes this process even simpler.
|
| Crypto-Agility | Certificates can be re-issued or renewed from a new CA template configured within the Keyfactor platform. Administrators can easily track down and replace all affected keys and certificates.
|
| Revocation | A built-in certificate search engine allows authorized users to quickly search and revoke a certificate or group of certificates as needed directly from the console.
|
| Continuous Monitoring | Real-time synchronization with CAs, SSL network scans, and certificate store inventory mean all the certificates in your environment can be continuously monitored for availability, expiration, and key strength.
|
| Logging TLS Server Certificate Management Operations | Keyfactor provides an audit record of the lifecycle of the certificates from issuance, deployment, removal, revocation, and metadata updates. You can also track and audit any user-related activities and configuration changes within the platform.
|
| TLS Traffic Monitoring | Securing TLS traffic is reliant on correctly implementing TLS across the network. The decision to monitor TLS traffic does introduce some extra security risks. Keyfactor Command provides controls to ensure your TLS endpoints are monitored to provide alerts when certificates are unavailable, about to expire, or out of compliance with the latest strong encryption.
|
| Certificate Authority Authorization | In addition to configuring a CAA record, Keyfactor offers several CA policy modules that can be used to put further guardrails on certificate issuance, such as whitelisting where certificate requests are allowed to come from and a validated SCEP handler to ensure the challenge response has not been tampered with.
|
| Certificate Transparency | Keyfactor offers CT log integration that easily identifies the presence of CT-logged certs in the Keyfactor database. There are multiple open-source CT-log data sets for public CA sources that can be utilized to provide greater accuracy. By combining this with a complete, continuously synchronized inventory of all issued certificates, regardless of whether they were issued through Keyfactor or not, this provides a powerful comparison capability to help identify fraudulent certificates. |
| CA Trust by Relying Parties | Keyfactor Command can inventory a variety of keystores, including the trusted root keystores on a variety of operations. Once inventoried, it is a simple matter to see what has been found and automate the removal of specific certificates from these (and other!) keystores. Automated addition of certificates is also supported, to save time and reduce the risk of human error. |
