If you are in the IT business, chances are you are subject to compliance and some form of security policy. One example our customers run into is ensuring they are moving from a 1024-bit key size to 2048-bit key sizes in their certificates.
While most companies should have a policy in place to ensure they are only purchasing 2048-bit certificates, most are unable to ensure only purchasing-approved certificates are introduced into their environment. This may occur for the following reasons:
- Even in a centralized environment, self-signed certificates can be introduced through new hardware being implemented
- Acquisitions often result in multiple certificate vendors in a newly consolidated environment
- Often, production certificates are last-minute purchases and processes are circumvented to put an application live quickly
So, in this mixed-certificate environment, organizations require a means to accurately identify their existing certificate inventory. Once inventoried, they need to be able to search the inventory to identify items that are outside of security policy, and rectify the situation.
Realistically, the challenge here is how to inventory all certificates and store the information in a single searchable system. Once the information is in the single system, it’s fairly easy to run pre-determined or ad-hoc queries to identify non-policy items, and then highlight them to management should they not be resolved in a timely fashion.
Entrust has a product called Entrust Discovery that allows you to scan your network to collect all certificate information, centrally store it, and automate your policy comparisons to ensure that you are and remain in compliance.