How Do I Find & Inventory My Certificates?

August 12, 2011 by Scott Shetler

This entry is part 4 of 5 in the series SSL Certificate Management

In previous posts, I’ve discussed why you’d want to inventory your certificates. Now let’s discuss how you can inventory your certificates.

Historically, we’ve found a lot of prospective customers using a spreadsheet to maintain a listing of certificates, owners and expiry dates. There are problems with this approach: data is manually collected; information becomes outdated quickly; often data that is required is not collected at all; and it’s also challenging to receive reliable email notifications from a spreadsheet.

A better way to solve the problem is to leverage various data collection tools and store all the data in a centralized, secure application. I refer to various data collection tools because there really isn’t a single method you can use to collect certificate information in a heterogeneous environment (i.e., multiple certificate types and trust models issued from multiple sources).

Active SSL certificates can usually be detected by a port-scanner utility, but it’s more difficult to obtain certificates on cold backup machines. User certificates can be collected by querying a common certificate store like Microsoft CAPI. This method, however, neglects users of other operating systems (e.g., Mac, Linux). Code-signing certificates usually need to be manually collected.

You can also import lists of issued certificates from CA sources, but that doesn’t tell you if the certificates are deployed and where. So, no one method is enough to inventory this broad collection of certificates — rather, you need a tool that can employ multiple methods.

In attempting to inventory your certificates, a few questions come to mind:

  • Do you need to inventory ALL your digital certificates, or just SSL certificates (helps determine which collectors you need to use)?
  • Which information do you need to collect? Do you need key size, expiry date, trust path, signing algorithm, certificate extensions, Subject Alt Names, certificate type, etc.? And what will you do with the information (e.g., compare to policy, use data to generate new certificate, etc.)?
  • What type of data collection is available to you? Do you already have a scanner? Are you able to get lists of certificates from your CA? Do you have a CAPI query tool available?

The answers to these questions — and the degree to which the certificate management issues are a pain to your organization — go a long way to help determine the appropriate solution for you.
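As an added illustration of the approach described above (not code from Entrust or from the original post), here is a small Python example that merges the output of three hypothetical collectors (a network scanner, a CA issuance export and a CAPI query) into one record per certificate fingerprint, then compares each record against a simple policy. The hosts, fingerprints and field names are constructed sample data; the point is that a certificate known only from the CA export, with no collector seeing it deployed, gets its own flag.

```python
from datetime import date

# Constructed sample collector output (hypothetical hosts, fingerprints and schema).
SCANNER = [
    {"fp": "AA11", "subject": "CN=web1.example.test", "host": "web1.example.test:443",
     "key_bits": 2048, "sig_alg": "sha256WithRSA", "not_after": date(2011, 9, 30)},
    {"fp": "BB22", "subject": "CN=legacy.example.test", "host": "legacy.example.test:443",
     "key_bits": 1024, "sig_alg": "sha1WithRSA", "not_after": date(2012, 3, 1)},
]
CA_EXPORT = [  # what the CA says it issued; says nothing about deployment
    {"fp": "AA11", "subject": "CN=web1.example.test",
     "key_bits": 2048, "sig_alg": "sha256WithRSA", "not_after": date(2011, 9, 30)},
    {"fp": "CC33", "subject": "CN=vpn.example.test",
     "key_bits": 2048, "sig_alg": "sha256WithRSA", "not_after": date(2013, 1, 15)},
]
CAPI = [  # user certificates found in a Windows certificate store
    {"fp": "DD44", "subject": "CN=alice", "host": "PC-ALICE",
     "key_bits": 2048, "sig_alg": "sha256WithRSA", "not_after": date(2011, 8, 31)},
]
POLICY = {"min_key_bits": 2048, "banned_sig_algs": {"sha1WithRSA"}, "notify_days": 60}


def build_inventory(sources):
    """Merge collector output into one record per certificate, keyed by fingerprint."""
    inventory = {}
    for collector, records in sources.items():
        for rec in records:
            fields = {k: v for k, v in rec.items() if k != "host"}
            entry = inventory.setdefault(rec["fp"], {**fields, "seen_by": set(), "hosts": set()})
            entry["seen_by"].add(collector)
            if "host" in rec:
                entry["hosts"].add(rec["host"])
    return inventory


def check_policy(inventory, today, policy):
    """Return {fingerprint: [flags]} for every certificate that needs attention."""
    findings = {}
    for fp, cert in inventory.items():
        flags = []
        days_left = (cert["not_after"] - today).days
        if days_left < 0:
            flags.append("expired")
        elif days_left <= policy["notify_days"]:
            flags.append(f"expires_in_{days_left}d")
        if cert["key_bits"] < policy["min_key_bits"]:
            flags.append("weak_key")
        if cert["sig_alg"] in policy["banned_sig_algs"]:
            flags.append("banned_sig_alg")
        if "ca" in cert["seen_by"] and not cert["hosts"]:
            flags.append("issued_not_found_deployed")  # CA record with no deployment seen
        if flags:
            findings[fp] = flags
    return findings
```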

Entrust has a product called Entrust Discovery that allows you to scan your network to collect all certificate information, manually import certificates like code-signing certificates, and in the near future will import data from CAs and automatically query CAPI for user certificates. All this certificate data is centrally stored in a secure, Web-based application that provides email notifications, reporting, policy comparisons and more.

About

Entrust senior product manager Scott Shetler has worked in various areas of software management for 16 years. He leverages his background in product and service management at Entrust to manage the Certificate Services family of products, which have grown more than 30 percent under his tenure. He gained vast experience in software as a service (SaaS) and product management while at solution providers Necho Systems in Toronto and Workstream Inc in Ottawa.
