SSL Certificate Management 101

Certificate management is crucial for ensuring the security, integrity, and authenticity of your organization’s digital communications and transactions. As your teams use more apps and connected tools, the need for effective SSL certificate management becomes even more critical. 

What is an SSL Certificate? 

Certificates are like a passport held by digital tools. These passports validate the identity of these tools when interacting with other machines. The certificate is issued by a trusted authority (known as Certificate Authority) and is only valid for a certain period, at which time they expire and stop working. 

SSL certificates—or their modern incarnation, TLS certificates—are a type of certificate most often applied to websites both public and internal. SSL certificates enable your browser to encrypt traffic between you and a website’s web server. This encryption protects data traveling between the two, providing data integrity and confidentiality. You can see how this is important when sending, say, banking information over the Internet. 

But SSL certificates apply to much more than just websites and browsers. They facilitate encryption for intranets, VPNs, mobile applications, smart devices, email clients, and more.

Other use cases also include: 

• Protect internal confidential information.
• Provide password-free, secure wifi access with a VPN
• Protect and secure access to POS systems
• Enhance the authentication security of network switches and routers
• Authenticate and authorize IoT devices with automated certificate management.
• Secure cloud-based applications across multiple providers and environments
• Encrypt email signing and protect email users from phishing
• Protect end-users from downloading and installing compromised software

Due to the expanding landscape of digital infrastructure and business processes, the volume of certificates present in the average company’s environment can number in the hundreds of thousands. Organizations are challenged to monitor these certificate expirations and issue new certificates before old certificates become invalid and disrupt service. 

To add to the challenge, the certificate lifespans are shrinking. A decade ago, the typical certificate enjoyed a lifespan of five years. As cyber attackers have grown more capable, recommended lifespans have shrunk down to about a year. Google has announced it will adopt a 90-day lifespan for TLS certificates, which will almost undoubtedly become the new standard for the rest of the industry.

That means certificates will expire at a quicker interval, and security teams will spend more time managing them.

Who needs Certificate Management?

Certificates are embedded in the very DNA that makes our digital world possible. They play a vital role in the encryption process, making data transfer and communication safe and trustworthy. However, the teams managing enterprise certificates may not have a good grasp of them.

The average organization is using over a quarter-million certificates at any given time, and most organizations don’t know how many keys and certificates they have.

So who handles SSL certificate management? Usually, certificates fall to IT and security teams, but sometimes they’re managed by risk and compliance teams, given the business implications of a certificate-related outage. 

But just as often, there is no defined team handling certificate management.

In this scenario, departments creating and issuing certificates are left to their own devices in procuring certificate vendors and tools. These teams are just trying to get work done and usually neglect to document or track their certificates, which increases the risk of an outage. It’s never the certificates you know about that do damage — it’s the ones you don’t know about. 

Risks of Poor Certificate Management

As organizations grow, so do their certificates, causing many to use ad hoc and manual digital certificate management approaches. Manual approaches like spreadsheets become increasingly taxing to maintain as the volume of certificates grows. For teams managing certificates alongside their primary duties, it creates a no-win situation.

• Manual means you don’t proactively discover hard-to-find certificates that the user doesn’t know about. 
• While some rudimentary alerts may be set up within manual tools, they don’t help streamline the whole lifecycle from creation to issuance to revocation.
• They don’t enable bulk certificate creation or revocation. 

This leads to the risk of device downtime, increased incident response costs, and potential harm to your brand. It takes organizations an average of over 4 hours and $15 million to recover from a certificate-related outage. Remember: it only takes a single expired certificate to bring things to a halt. 

Best Practices for SSL Certificate Management 

These risks to both time and money can be mitigated by implementing best practices to maintain a secure and well-organized network of SSL certificates. 

• Begin by establishing visibility into the whereabouts of all certificates across the network, ensuring a comprehensive understanding of their distribution. 
• Clearly define certificate ownership and delegate responsibility for overseeing the entire certificate lifecycle to ensure accountability. 
• Streamline certificate requests and approvals by implementing self-service enrollment, thereby simplifying the process. 
• Embrace automation to enhance efficiency throughout the certificate lifecycle, incorporating alerts, renewals, and provisioning into a seamless automated workflow. 

By adhering to these best practices, organizations can fortify their SSL certificate management, reducing risk and ensuring a robust security posture.

What to look for in an SSL Certificate Manager

Solutions exist that drastically reduce the resources required to proactively manage certificates and automate their entire lifecycles. As you vet solutions that will work best for your organization, there are a few questions you should be sure to ask.

1. Does the certificate manager support more than one Certificate Authority (CA)?

Certificate Authorities are trusted organizations that issue digital certificates. The average organization uses nine CAs, which is usually far too many. Your tool should track certificates across all the CAs you use. Many tools provided by CA vendors only work for certificates issued by their particular CA. Even open-source tools seldom work with a broad range of CAs. 

2. Can the certificate manager conduct network-based discovery of certificates?

This is a fancy way of asking if the tool can find rogue certificates that have been issued outside of standard processes. Remember, it’s the undiscovered certificate that poses the biggest risk. Your tool should be able to inventory key and certificate stores across network devices and cloud services.

3. How will the certificate manager integrate with your existing infrastructure?

The less you have to change in order to adopt the tool, the better. And modern tools should be able to deploy without impacting existing infrastructure like firewalls and port configurations. It should also integrate with your target systems, like AWS and Azure KeyVault, IIS, Citrix, F5, and others. 

4. How disruptive is the task of removing or adding CAs to your public key infrastructure (PKI)?

PKI is the broader cryptographic infrastructure that certificates are part of. If a CA, certificate, or encryption algorithm is compromised, the tool should be able to deploy new ones quickly, with minimal disruptions, and at scale. 

5. What automation can the certificate manager enable?

The more you can automate SSL certificate management, the better. The right tool has the flexibility to offer both agented and agentless automation, a substantial library of APIs, and support for a wide range of standard protocols like Windows auto-enrollment, ACME, and SCEP. 

The Future of SSL Certificates

As more business processes shift to a digital format and innovations like cloud computing, IoT devices, and DevOps add depth and complexity to this landscape, the more important certificates and cryptography will become. Without a certificate management strategy, outages become more likely, more disruptive, and more expensive.