
Introduction to CertSecure Manager: Encryption Consulting’s Flagship Certificate Management Solution

Certificates have become a key component of today's infrastructure: users, servers, devices and applications each present a certificate to prove their identity. This strengthens the organization's overall security, but as the organization grows, managing those certificates (renewing them, revoking them and sometimes issuing them at scale) becomes difficult.

MDM solutions such as Intune make it easy to push certificates to managed devices, and AD auto-enrollment can provision certificates to domain users and machines. The difficulty starts when certificates must be issued to servers and applications, where no such built-in distribution mechanism exists.

PKI is the backbone of these certificates. Some are issued by public CAs, but the majority are issued by private CAs, and operating those private CAs typically falls to the SOC or another security team, which adds to the operational complexity of the whole process.

In this blog we take a deeper dive into certificate management: best practices, common challenges, and finally how Encryption Consulting can help, both with our consulting expertise and with our own CertSecure Manager solution.

What is a Certificate Lifecycle Management solution?

As established above, every organization depends on valid certificates that are trusted across the organization. These certificates are issued to end entities such as users, computers, network equipment, servers and applications. If the underlying PKI that provides trust for these certificates (and visibility into them) suffers an outage, little in the organization keeps working: employees cannot badge into buildings with their smart cards, VPNs refuse connections, and machines, servers and applications stop authenticating.

Managing these certificates and their underlying infrastructure is crucial for normal operation. Every certificate goes through phases from issuance to revocation, and each phase must be handled properly. A certificate that is about to expire and is not monitored or renewed in time causes an unplanned outage of the server or application that uses it. Proper monitoring, ownership and renewal of certificates is therefore essential.

The stages of the certificate lifecycle are as follows:

  • Discovery

    The discovery phase involves scanning the network for missing, expired, compromised or unused certificates that must be revoked, renewed or replaced. It finds gaps in certificate coverage and hands them to the monitoring phase so they can be closed. This phase normally also builds the certificate inventory that later discovery runs and certificate audits rely on.

  • Creation/Purchasing

    This is the phase where the certificate is created. A user, organization or device submits a certificate signing request (CSR) to a Certificate Authority; the CSR carries the public key and the other enrollment information needed to identify the requester. The CA verifies that information and, if it is legitimate, issues the certificate. The CA can be operated by the organization that needs the certificate or by a third party; certificates from a third-party public CA must be purchased.

  • Installation

    Installation is straightforward but just as important. The certificate itself is public and must be installed where the relying parties that verify it can reach it; the matching private key must be kept in a protected location (an HSM, the OS key store, or similarly restricted storage). Installation is also the point where the organization's handling policies for the certificate and its key take effect.

  • Storage

    As noted above, the installed certificate and its private key must be stored securely enough to prevent compromise of the key, but not so locked down that the services and users that need the certificate cannot reach it. The policies to apply here (including password requirements for PFX files) are discussed under policy management later in this document.

  • Monitoring

    Monitoring is one of the most important stages of the certificate lifecycle. It is a near-continuous phase in which the certificate management system, automated or manual, watches for expirations, compromises and other incidents affecting certificates. It uses the inventory created in the Discovery phase to track when each certificate should be renewed, revoked or replaced, and moves it into the corresponding phase.

  • Renewal

    Renewal should happen before the expiry date is reached, not when it is reached, so that a fresh certificate is in place with margin to spare. Validity periods are finite by design: publicly trusted TLS certificates are limited to 398 days, and private CAs commonly issue for a year or two. Certificates can be set to renew automatically, or a list of expiration dates can be kept so the certificate administrator renews each one at the right time.

  • Revocation

    If a certificate is compromised, stolen or otherwise no longer trustworthy, it is revoked. The CA places the revoked certificate's serial number on its Certificate Revocation List (CRL), and reports it via OCSP where that is offered, so that relying parties validating the certificate learn it is no longer valid. Revocation only works if relying parties can actually reach the CDP and OCSP endpoints and the CRL is republished before it goes stale.

  • Replacement

    Replacement means issuing a new certificate, normally with a new key pair and often from a different CA, rather than renewing the existing one. A typical trigger is a move from purchased certificates to an in-house PKI and CA. This is done less often than renewal, since renewing from the original provider is simpler than re-keying and re-installing.

    [Figure: Stages of CLM]
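The stages above, carried out end to end on a throwaway in-memory PKI, as an added example that is not part of the original article and not code from CertSecure Manager: issue a CA and a leaf certificate, decide when the leaf enters its renewal window, revoke it onto a CRL, and check that CRL the way a relying party or a CDP monitor should. It uses only Go's standard library; the CA name, hostname, serial numbers, lifetimes and the one-third renewal rule are assumptions chosen for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on error; used only for the constructed lab setup below.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// LabPKI is a constructed in-memory CA with one issued leaf; names, serials and lifetimes are assumptions.
type LabPKI struct {
	CACert *x509.Certificate
	CAKey  *ecdsa.PrivateKey
	Leaf   *x509.Certificate
}

// NewLabPKI is the Creation stage: a self-signed CA, then a leaf certificate signed by it.
func NewLabPKI(now time.Time, leafLifetime time.Duration) *LabPKI {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Lab Issuing CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(5 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign is required to sign CRLs
	}
	caDER := must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))
	caCert := must(x509.ParseCertificate(caDER))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1001),
		Subject:      pkix.Name{CommonName: "app01.corp.example"},
		DNSNames:     []string{"app01.corp.example"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(leafLifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER := must(x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey))
	return &LabPKI{CACert: caCert, CAKey: caKey, Leaf: must(x509.ParseCertificate(leafDER))}
}

// NeedsRenewal is the Monitoring check: renew once the certificate is in the last third of its
// lifetime (the rule ACME clients use) or has fewer than minDays left, whichever comes first.
func NeedsRenewal(c *x509.Certificate, now time.Time, minDays int) bool {
	remaining := c.NotAfter.Sub(now)
	return remaining < c.NotAfter.Sub(c.NotBefore)/3 || remaining < time.Duration(minDays)*24*time.Hour
}

// IssueCRL is the Revocation stage: sign a CRL listing the revoked serials. Relying parties may
// cache it until NextUpdate, so the CA has to publish a fresh one before then.
func (p *LabPKI) IssueCRL(now time.Time, serials []*big.Int, validity time.Duration, crlNumber int64) ([]byte, error) {
	var revoked []pkix.RevokedCertificate
	for _, s := range serials {
		revoked = append(revoked, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	tmpl := &x509.RevocationList{
		RevokedCertificates: revoked,
		Number:              big.NewInt(crlNumber),
		ThisUpdate:          now,
		NextUpdate:          now.Add(validity),
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, p.CACert, p.CAKey)
}

// CheckCRL is what a relying party or a CDP monitor must do with a fetched CRL: verify the CA
// signature, refuse a stale CRL rather than silently trusting it, and only then look up the serial.
func CheckCRL(crlDER []byte, ca, leaf *x509.Certificate, now time.Time) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return false, fmt.Errorf("CRL signature invalid: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return false, fmt.Errorf("CRL stale: NextUpdate was %s", crl.NextUpdate.Format(time.RFC3339))
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}
```

In production the CRL is fetched from the CDP URL carried in the certificate rather than handed over in memory, but the three checks in CheckCRL are the same, and the stale-CRL branch is exactly the condition a PKI monitor has to alert on before relying parties start failing closed (or, worse, failing open).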

Common challenges for organizations without CLM

Microsoft AD CS is widely deployed and ships with no CLM capability of its own. Organizations running it alongside a public CA such as DigiCert commonly face the following challenges when operating their private and public PKI:

  1. Manual Certificate Lifecycle Management

    Without a CLM solution, teams must issue, renew and revoke certificates manually, track their owners, and renew them before expiration. This process is prone to human error, which leads to outages and operational inefficiency.

  2. Lack of central visibility

    Organizations tend to have multiple CAs, typically at least one Microsoft CA acting as a private CA and one public CA such as DigiCert. Managing certificates across them is challenging: expiring certificates must be tracked, each CA has its own renewal process, and ownership must be tracked separately for each.

  3. Limited reporting and insights

    AD CS alone does not provide the detailed reporting and insights needed for proactive certificate management. A CLM solution adds visibility into certificate usage and health.

  4. Improper Policy Management

    With multiple CAs issuing certificates, implementing organizational policy and ensuring it is followed is difficult: each CA works differently, and some offer no mechanism to enforce such policies at all, which leaves the procedure dependent on people following it correctly.

Policy Management during Certificate Issuance and Revocation

Every organization has internal policies it must abide by. For certificates, these commonly specify:

  1. The minimum key size of the certificate.
  2. What information the certificate must contain (organization, organizational unit, etc.), and whether an email address must be present in the certificate to identify its owner.
  3. The approval process for certain certificate types: who must approve a given type before issuance, and how many approvals are needed.
  4. Whether wildcard certificates may be issued.
  5. Whether a CSR may be reused to issue another certificate.
  6. Which domains are allowed as SAN entries in the certificate.
  7. Password policies for PFX files.

Governing by these policies is hard for teams without a CLM solution. We have encountered customers who check none of these details and do not track certificate ownership at all. That significantly increases risk, including the potential for insider attacks within the organization.
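A concrete way to enforce the key-size, owner-email, wildcard, SAN-domain and CSR-reuse rules above at CSR submission time, as an added example rather than code from this article or from CertSecure Manager: the Go validator below parses a DER-encoded CSR, verifies its proof-of-possession signature, and reports every violation of a policy struct. The policy values used (2048-bit RSA minimum, an owner email required, no wildcards, names under corp.example only, no CSR reuse), the struct field names and all hostnames are assumptions for the example. The approval workflow and the PFX password rules are process and storage controls and are not modelled here.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"strings"
)

// IssuancePolicy encodes the rules listed above; field names and values are assumptions for this example.
type IssuancePolicy struct {
	MinRSABits      int      // this example policy permits RSA keys only
	RequireEmail    bool     // an owner email address must be present in the CSR
	AllowWildcard   bool
	AllowCSRReuse   bool
	AllowedSuffixes []string // lowercase; every DNS name must equal, or sit under, one of these
}

// Validator checks CSRs against a policy and remembers which CSRs it has already processed.
type Validator struct {
	Policy IssuancePolicy
	seen   map[string]bool // SHA-256 of each DER CSR seen so far, for the reuse check
}

// Validate returns every policy violation found in a DER-encoded CSR; an empty list means approve.
func (v *Validator) Validate(der []byte) []string {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return []string{"unparseable CSR: " + err.Error()}
	}
	var problems []string
	fail := func(format string, a ...any) { problems = append(problems, fmt.Sprintf(format, a...)) }
	// Proof of possession first: a CSR whose self-signature fails is not worth policy-checking.
	if err := csr.CheckSignature(); err != nil {
		fail("CSR signature does not verify: %v", err)
	}
	pub, ok := csr.PublicKey.(*rsa.PublicKey)
	if !ok {
		fail("policy permits RSA keys only, got %T", csr.PublicKey)
	} else if pub.N.BitLen() < v.Policy.MinRSABits {
		fail("RSA key is %d bits, policy minimum is %d", pub.N.BitLen(), v.Policy.MinRSABits)
	}
	if v.Policy.RequireEmail && len(csr.EmailAddresses) == 0 {
		fail("no owner email address in the CSR")
	}
	// The CN is checked together with the SANs: it is just another name the certificate will carry.
	names := map[string]bool{strings.ToLower(csr.Subject.CommonName): true}
	for _, n := range csr.DNSNames {
		names[strings.ToLower(n)] = true
	}
	delete(names, "")
	for n := range names {
		base, wild := strings.CutPrefix(n, "*.")
		if wild && !v.Policy.AllowWildcard {
			fail("wildcard name not allowed: %s", n)
		}
		if !underAllowedSuffix(base, v.Policy.AllowedSuffixes) {
			fail("name outside allowed domains: %s", n)
		}
	}
	sum := sha256.Sum256(der)
	if v.seen[string(sum[:])] && !v.Policy.AllowCSRReuse {
		fail("this CSR was already used to issue a certificate")
	}
	if v.seen == nil {
		v.seen = map[string]bool{}
	}
	v.seen[string(sum[:])] = true
	return problems
}

// underAllowedSuffix matches on label boundaries, so "evil-corp.example" is rejected for the
// suffix "corp.example" where a plain strings.HasSuffix check would accept it.
func underAllowedSuffix(name string, suffixes []string) bool {
	name = strings.TrimSuffix(name, ".")
	for _, s := range suffixes {
		if name == s || strings.HasSuffix(name, "."+s) {
			return true
		}
	}
	return false
}

// MakeCSR builds a constructed CSR so the policy can be exercised offline (the requester does this in production).
func MakeCSR(bits int, cn, org string, emails, sans []string) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject:        pkix.Name{CommonName: cn, Organization: []string{org}},
		DNSNames:       sans,
		EmailAddresses: emails,
	}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}
```

Two details matter more than they look. The CN is folded into the name check because a wildcard or foreign domain in the CN is the classic way to slip past a SAN-only allowlist, and the suffix match is done on label boundaries because a naive HasSuffix on "corp.example" would approve "evil-corp.example".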

CertSecure Manager also includes one-click renewal and revocation, where the certificate's owners and admins can renew or revoke it with a single click. Once the required approvals are in place, the certificate is renewed or revoked at the CA and a confirmation is sent to the owners via email and Teams.

CertSecure Manager: Certificate Lifecycle Management Solution

While interacting with our clients, we learned about many of their issues. There are many CLM solutions available, but none focus primarily on Microsoft AD CS, which still leaves the operational and monitoring side of the PKI manual. This motivated us to build our own solution to address the problems our customers kept encountering with their existing CLM tooling.

While constructing our solution, we focused on solving the key challenges first.

1. Automated Lifecycle Management

With CertSecure Manager, clients can deploy renewal agents on their servers (Tomcat, Apache, IIS), on load balancers such as F5, and in their own internal applications. The agents rotate certificates automatically without human intervention, which minimizes outages and ensures the correct certificate is pushed to each server on time.

[Screenshot: CertSecure Agents window]

Clients can also integrate their own solutions through ACME or the REST API, which makes it easy for an application to obtain certificates.

[Screenshot: CertSecure Manager API]

2. Centralized Visibility and Control

With CertSecure's HA architecture and connectors, clients can integrate all their CAs with CertSecure without major network changes. Any CA, on premises or in the cloud, can be connected, giving a single pane of glass for managing and issuing certificates across multiple private and public CAs.

[Screenshot: CertSecure agents and their CA information]

This also lets the operations team monitor their PKI directly from the dashboard: it checks that all CDP/AIA endpoints of each CA stay reachable, and flags upcoming CRL publication and CA certificate renewal dates.

[Screenshot: CertSecure CRL and CA information]

3. Policy Enforcement

CertSecure lets clients set policy at a global as well as a departmental level, so that all users abide by the policies defined. These policies dictate, for example:

a. How many approvals are needed to issue a certificate

[Screenshot: CertSecure approval window]

b. Whether a CSR may be reused and whether users may request wildcard certificates

[Screenshot: CertSecure list of policies]

c. Which DNS names are allowlisted for inclusion in certificates

[Screenshot: CertSecure CSR verification configuration]

d. And finally, password policies for the PFX files

[Screenshot: CertSecure password restrictions]

Moreover, access to templates can be defined per department, which further restricts which templates a user can reach. For example, the production team needs access to DigiCert while the development team does not; similarly, the IT team may need web-server templates but has no need for code-signing certificates.

[Screenshot: CertSecure departmental access]

4. Principle of least privilege

With policies defined, clients can also define roles and assign them to users. Users can then perform only the functions permitted by the roles the administrator has granted them.

[Screenshot: CertSecure roles and permissions]

5. Comprehensive monitoring and alerts

With CertSecure, clients can route alerts to Teams, email and ServiceNow, with an escalation protocol, so that expiring certificates or PKI downtime are brought to attention as early as possible. This minimizes downtime and gives peace of mind about the security and function of the underlying infrastructure and of the certificates it issues.

6. Scheduled Reports

With CertSecure, users can schedule reports to be delivered to their email weekly or monthly. This eases the operational side and provides both visibility and a record of the operations performed on the PKI.

[Screenshot: CertSecure scheduled reports]

7. Easy Onboarding

Users are onboarded through AD groups (including Azure AD groups); CertSecure monitors the groups and adds or removes users as their group membership changes. Deregistering a user transfers ownership of their certificates to the department admins, so certificate ownership, and the alerts tied to it, never go orphaned.

[Screenshot: CertSecure Active Directory groups]

Conclusion

CertSecure Manager stands out as a comprehensive solution designed to address the complex challenges of Certificate Lifecycle Management (CLM). By seamlessly integrating with both private and public Certificate Authorities, CertSecure Manager offers unparalleled centralized visibility and control, empowering organizations to manage their certificates with greater efficiency and security.

Through features like automated lifecycle management, policy enforcement, comprehensive monitoring, and scheduled reporting, CertSecure Manager ensures that your certificate infrastructure is not only robust but also resilient against potential disruptions. Its focus on the principle of least privilege further enhances security, ensuring that users have access only to the resources they need, thereby minimizing the risk of insider threats.

The ease of onboarding, coupled with integrations with Microsoft AD and Azure AD, simplifies user management and streamlines certificate lifecycle processes. With alerts and escalation protocols, CertSecure Manager provides peace of mind, ensuring that critical issues are promptly addressed, minimizing downtime, and maintaining the integrity of your PKI infrastructure.

Encryption Consulting’s commitment to continuous improvement and customer-centric solutions is evident in the development of CertSecure Manager. We remain dedicated to helping organizations achieve higher standards of security, compliance, and operational efficiency. Let CertSecure Manager be your trusted partner in navigating the complexities of certificate management, ensuring that your digital assets remain secure, compliant, and fully operational.


About the Author

Anish Bhattacharya is a Consultant at Encryption Consulting, working with PKIs, HSMs, creating Google Cloud applications, and working as a consultant with high-profile clients.
