In previous posts, I’ve discussed why you’d want to inventory your certificates. Now let’s discuss how you can inventory your certificates.
Historically, we’ve found a lot of prospective customers using a spreadsheet to maintain a listing of certificates, owners and expiry dates. There are problems with this approach: data is manually collected; information becomes outdated quickly; often data that is required is not collected at all; and it’s also challenging to receive reliable email notifications from a spreadsheet.
A better way to solve the problem is to leverage various data collection tools and store all the data in a centralized, secure application. I refer to various data collection tools because there really isn’t a single method you can use to collect certificate information in a heterogeneous environment (i.e., multiple certificate types and trust models issued from multiple sources).
Active SSL certificates can usually be detected by a port-scanner utility, but it’s more difficult to obtain certificates on cold backup machines. User certificates can be collected by querying a common certificate store like Microsoft CAPI. This method, however, neglects users of other operating systems (e.g., Mac, Linux). Code-signing certificates usually need to be manually collected.
You can also import lists of issued certificates from CA sources, but that doesn’t tell you if the certificates are deployed and where. So, no one method is enough to inventory this broad collection of certificates — rather, you need a tool that can employ multiple methods.
In attempting to inventory your certificates, a few questions come to mind:
- Do you need to inventory ALL your digital certificates, or just SSL certificates (helps determine which collectors you need to use)?
- Which information do you need to collect? Do you need key size, expiry date, trust path, signing algorithm, certificate extensions, Subject Alt Names, certificate type, etc.? And what will you do with the information (e.g., compare it to policy, use the data to generate a new certificate, etc.)?
- What type of data collection is available to you? Do you already have a scanner? Are you able to get lists of certificates from your CA? Do you have a CAPI query tool available?
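As an added illustration of the scanner-style collector and the field list above (example code written for this post, not Entrust Discovery), the following stdlib-only Python fetches the leaf certificate a live listener presents, records the fields the `ssl` module exposes, and compares them against a simple policy. The 30-day threshold and the sample certificate dict are constructed assumptions.

```python
import socket
import ssl
from datetime import datetime, timezone

EXPIRY_WARN_DAYS = 30  # constructed policy threshold (assumption)

def _name_to_dict(rdns):
    """getpeercert() encodes names as a tuple of RDNs, each a tuple of (attr, value)."""
    return {attr: value for rdn in rdns for attr, value in rdn}

def inventory_record(cert, now=None):
    """Reduce a getpeercert()-style dict to an inventory row plus policy findings."""
    now = now or datetime.now(timezone.utc)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    subject = _name_to_dict(cert.get("subject", ()))
    issuer = _name_to_dict(cert.get("issuer", ()))
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    days_left = (not_after - now).days
    findings = []
    if days_left < 0:
        findings.append("expired")
    elif days_left <= EXPIRY_WARN_DAYS:
        findings.append("expiring-soon")
    if not sans:
        findings.append("no-san")  # clients match hostnames against SANs, not the CN
    if subject == issuer:
        findings.append("self-signed")  # heuristic, useful for manually imported certs
    return {"common_name": subject.get("commonName"),
            "issuer": issuer.get("organizationName") or issuer.get("commonName"),
            "serial": cert.get("serialNumber"), "not_after": not_after.isoformat(),
            "days_left": days_left, "sans": sans, "findings": findings}

def collect(host, port=443, timeout=5.0):
    """Network collector: fetch the leaf certificate a live listener presents.
    The default context verifies the chain, so an untrusted chain raises
    ssl.SSLError rather than silently yielding an incomplete row."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return inventory_record(tls.getpeercert())

# Constructed sample in getpeercert() format, standing in for a scanned host.
SAMPLE_CERT = {
    "subject": ((("organizationName", "Example Corp"),), (("commonName", "www.example.test"),)),
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example Issuing CA"),)),
    "serialNumber": "0A1B2C3D", "notAfter": "Mar 15 12:00:00 2024 GMT",
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "example.test")),
}
if __name__ == "__main__":
    print(inventory_record(SAMPLE_CERT, now=datetime(2024, 3, 1, tzinfo=timezone.utc)))
```

Key size and signature algorithm are not in the `getpeercert()` dict; collecting those needs a full X.509 parser over the DER from `getpeercert(binary_form=True)`.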
The answers to these questions — and the degree to which the certificate management issues are a pain to your organization — go a long way to help determine the appropriate solution for you.
Entrust has a product called Entrust Discovery that allows you to scan your network to collect all certificate information, manually import certificates like code-signing certificates, and in the near future will import data from CAs and automatically query CAPI for user certificates. All this certificate data is centrally stored in a secure, Web-based application that provides email notifications, reporting, policy comparisons and more.