I’ve spent a tremendous amount of time talking to customers about certificate management, and their certificate management problems consistently boil down to the following three issues:
1. Certificates Expiring Unexpectedly
Application owners lie awake at night worrying that an application will go down or otherwise become inaccessible, and there are any number of reasons why this could occur. Do you identify with any of these?
- Employee movement means an expiry notification gets ignored
- Expiry notification gets deleted by accident from a mobile device
- Expiry notification is received and the primary certificate is renewed, but any certificate copies for load-balancing are neglected, or even worse, unknown
- The expiring certificate is issued from a rogue CA that has no expiry notifications
2. Compliance Concerns
Security officers are usually subject to a security policy, part of which applies to their SSL certificates. Typically, they are required to prove compliance with that policy, but struggle to do so for the following reasons:
- They don’t have an accurate inventory of certificates because there are multiple sources issuing certificates within their environment
- They are unable to easily review the attributes of all certificates to compare against policy — for example, they may want to ensure they are only using certificates with 2048-bit keys
- Or even worse, they may unknowingly have weak cryptography deployed that leaves them vulnerable to a data breach
- They are unable to consolidate on a single certificate vendor and policy source because it’s challenging to find all the other rogue certificates within the environment
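As an added example (not code from the original post), a Go inventory check that applies the points in sections 1 and 2 above to each deployed certificate: it flags RSA keys below 2048 bits, expiry within a warning window, and issuers outside an approved list. The hostnames, CA names and policy values are constructed for the demo, and the certificates are stand-ins with only the fields the check reads.

```go
package main

import (
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Audit checks one certificate as of "now" against a hypothetical policy: RSA
// modulus >= minBits, expiry beyond the warn window, issuer CN in approved.
func Audit(c *x509.Certificate, now time.Time, minBits int, warn time.Duration, approved map[string]bool) []string {
	var f []string
	if pub, ok := c.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < minBits {
		f = append(f, fmt.Sprintf("weak key: RSA-%d", pub.N.BitLen()))
	}
	if left := c.NotAfter.Sub(now); left <= 0 {
		f = append(f, "expired")
	} else if left < warn {
		f = append(f, fmt.Sprintf("expires in %d days", int(left.Hours()/24)))
	}
	if !approved[c.Issuer.CommonName] {
		f = append(f, "unapproved issuer: "+c.Issuer.CommonName)
	}
	return f
}

// DemoCert is a constructed stand-in: only the fields Audit reads are set and the
// RSA modulus is a dummy of the requested size (real inventories parse DER).
func DemoCert(issuer string, bits int, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{
		Issuer:    pkix.Name{CommonName: issuer},
		NotAfter:  notAfter,
		PublicKey: &rsa.PublicKey{N: new(big.Int).Lsh(big.NewInt(1), uint(bits-1))},
	}
}

func main() {
	now := time.Now().Truncate(time.Second)
	inv := map[string]*x509.Certificate{
		"lb-a.example.test": DemoCert("Corp Issuing CA", 2048, now.Add(90*24*time.Hour)),
		"lb-b.example.test": DemoCert("Corp Issuing CA", 2048, now.Add(10*24*time.Hour)),
		"dev.example.test":  DemoCert("Rogue Dev CA", 1024, now.Add(-24*time.Hour)),
	}
	for host, c := range inv {
		fmt.Println(host, Audit(c, now, 2048, 30*24*time.Hour, map[string]bool{"Corp Issuing CA": true}))
	}
}
```

For a real inventory, build each entry with x509.ParseCertificate from the certificate actually deployed on the host, so that load-balancer copies show up as separate hosts rather than being assumed to match the primary.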
3. General Certificate Management Chaos
Are you receiving notifications from different systems/vendors, at different times, with different content and different escalations? Are you leveraging different management consoles? Do you have different systems for publicly trusted and non-publicly trusted certificates? Are you managing your certificates with a spreadsheet?
If you’ve identified with any of the problems listed, you are not alone. Organizations usually find a way to deal with one or two of these problems, but haven’t found a magic bullet.
Stay tuned for Parts 3 through 5 in this series where I’ll discuss what you can do to solve these problems.