Managing digital certificates remains a murky problem for many organizations, says a Keyfactor executive.
“Many organizations today still don’t have basic visibility into all the certificates that are being used within their organization, let alone the ones that need to be managed,” said Chris Hickman, chief security officer at Keyfactor. “They think they know how many, but when they actually go out and use a platform like ours to do a complete inventory, there are usually many hundreds if not thousands of more certificates.”
What are digital certificates and how do they work?
Much like a passport, a digital certificate is a basic means of establishing an entity's identity: it binds a public key to a name, and a certification authority (CA) signs that binding. By verifying the CA's signature on the certificate, the receiver can be confident that the data it downloads comes from the entity the certificate names. Certificates are issued with a fixed validity period and must be renewed before it ends. Once a certificate expires, it no longer vouches for the entity it is attached to, and relying parties will refuse to trust it.
Digital certificates are most commonly used to verify the identity of websites. They are presented during the TLS handshake (SSL is its deprecated predecessor) and checked automatically by the browser. If the browser sees an expired or invalid certificate, it displays a prominent warning telling the user not to trust the site. Imagine Amazon's home page being blocked by an expired certificate.
Yet even a company with plenty of resources to track certificate validity can let a bad cert slip through the cracks. The 2017 Equifax breach, one of the largest and most damaging in recent memory, went undetected for 76 days because an expired certificate on a traffic inspection device left encrypted traffic uninspected. More recently, Spotify went down for about an hour when a TLS certificate expired, and some suspect that an expired certificate bricked thousands of Samsung Blu-ray players after a firmware update.
Playing the blame game gets companies nowhere. The key is to understand where certificates sit in the infrastructure and, when a cert is renewed, to make sure the new one is installed on every system that presents it.
“A lot of organizations have traditionally kept an eye only on one or two certificates…But what they fail to do is realize that there is a chain of certificates across these technologies, that while one might only show up in a browser, for instance…every application or every device that’s touched along the way to present that to the user also has certificates.”
To illustrate, Hickman described updating and distributing a cert across load balancers. Even when the cert has been renewed, if it isn’t installed on all the load balancers, the ones that are left out could run into service issues.
Beyond keeping websites up, digital certificates sign documents and code, secure remote connections, authenticate devices on a network and much more. The picture gets even more complex once self-signed certificates and certificates issued by an organization's internal PKI are factored in: neither appears in any public CA's records, so only the organization itself can keep track of them.
“It’s a big challenge for organizations to not only be able to renew the certificates,” underscored Hickman. “There’s a manual set of steps that they need to do to go get that certificate, bring it to the device, deploy it on that device, make sure it’s properly configured and working and complete. It’s a monstrous task across a typical IT landscape today that is multi-vendor.”
Hickman recommended two considerations to alleviate headaches surrounding certificates:
- Decide whether a cert should be issued by a public certification authority or by an internal PKI. For some enterprise applications, a publicly rooted certificate is not the right choice. Before requesting a certificate from a public CA, understand what audience it is meant to serve.
- Take an inventory of which certificates have been issued, what they are used for, which cryptographic algorithms and key sizes they rely on, and what new technology is coming.
Digital certificate technology keeps evolving, and although certificates and public key infrastructure (PKI) have been around for a long time, there is nothing on the horizon that could replace them. That said, Hickman said PKI will need to adapt to emerging technologies.
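The load-balancer scenario Hickman describes and the inventory he recommends come down to the same check: connect to every node that is supposed to present the renewed certificate, record what it actually serves, and flag any node that still serves the old one, an expiring one, or one that fails verification. The following is an added example written for this page, not Keyfactor's platform or any tool from the article; it uses only the Python standard library. The hostnames, fingerprints and observation records are constructed sample data, and `observe()` does real network I/O while `audit()` is pure logic that can run on the sample data offline.

```python
"""Sweep a pool of endpoints that should all serve the same renewed certificate
and report the nodes that were missed or are about to expire.

Added example, not code from Keyfactor or the article. Hostnames and the
SAMPLE_* data below are constructed for illustration.
"""
import hashlib
import socket
import ssl
from datetime import datetime, timedelta, timezone


def _issuer_cn(cert_dict):
    """Pull the issuer CN out of the nested tuples ssl's getpeercert() returns."""
    for rdn in cert_dict.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def observe(host, port=443, timeout=5.0):
    """Connect to host:port (network) and record what it actually serves.

    Returns a dict with the sha256 fingerprint of the leaf cert, its notAfter as
    an aware UTC datetime (None if the handshake failed verification), the
    issuer CN (tells public CA from internal PKI) and any verification error.
    Verification failures are recorded rather than raised: an expired chain or a
    name mismatch is exactly what this sweep exists to find.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
                info = tls.getpeercert()
        return {
            "fingerprint": hashlib.sha256(der).hexdigest(),
            "not_after": datetime.fromtimestamp(
                ssl.cert_time_to_seconds(info["notAfter"]), tz=timezone.utc),
            "issuer": _issuer_cn(info),
            "error": None,
        }
    except ssl.SSLCertVerificationError as exc:
        # Re-fetch without verification so the fingerprint is still captured.
        unverified = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        unverified.check_hostname = False
        unverified.verify_mode = ssl.CERT_NONE
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with unverified.wrap_socket(sock, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
        return {"fingerprint": hashlib.sha256(der).hexdigest(),
                "not_after": None, "issuer": None, "error": exc.verify_message}


def audit(expected_fingerprint, observations, now=None, warn_days=14):
    """Compare each node's observation with the certificate that was rolled out.

    observations: {host: observe(host) result}. Returns a sorted list of
    (host, finding) pairs; an empty list means every node serves the renewed
    cert and none of them expires within warn_days.
    """
    now = now or datetime.now(timezone.utc)
    horizon = now + timedelta(days=warn_days)
    findings = []
    for host, obs in observations.items():
        if obs["error"]:
            findings.append((host, f"verification failed: {obs['error']}"))
        if obs["fingerprint"] != expected_fingerprint:
            findings.append((host, "serving a different certificate than the one rolled out"))
        if obs["not_after"] is not None and obs["not_after"] <= horizon:
            findings.append((host, f"expires {obs['not_after'].isoformat()}"))
    return sorted(findings)


# Constructed sample data standing in for observe() results from four load
# balancers. lb-3 was skipped during the rollout and still serves the old,
# soon-to-expire certificate; lb-4 serves a certificate that already expired.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
NEW_FP = "a" * 64   # placeholder sha256 of the renewed cert
OLD_FP = "b" * 64   # placeholder sha256 of the previous cert


def _sample(fingerprint, days_left, error=None):
    return {"fingerprint": fingerprint,
            "not_after": None if error else SAMPLE_NOW + timedelta(days=days_left),
            "issuer": None if error else "Example Public CA",
            "error": error}


SAMPLE_OBSERVATIONS = {
    "lb-1.example.test": _sample(NEW_FP, 365),
    "lb-2.example.test": _sample(NEW_FP, 365),
    "lb-3.example.test": _sample(OLD_FP, 3),
    "lb-4.example.test": _sample(OLD_FP, 0, error="certificate has expired"),
}

if __name__ == "__main__":
    for host, finding in audit(NEW_FP, SAMPLE_OBSERVATIONS, now=SAMPLE_NOW):
        print(f"{host}: {finding}")
```

Against live infrastructure, replace `SAMPLE_OBSERVATIONS` with `{h: observe(h) for h in hosts}` and `NEW_FP` with the sha256 of the DER certificate you just deployed; the `issuer` field is what lets the same sweep separate publicly rooted certificates from ones issued by an internal PKI when building the inventory.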
“There’s no move towards changing the technology, there will be changes within the technology,” Hickman said. “When quantum supremacy is actually realized…the way we use crypto today is going to essentially be invalidated. So PKI will need to emerge to a new set of cryptographic standards. But the core technology and the underlying infrastructure? I don’t see changing for a long time.”