Certificate management processes
Sometime between five to ten years ago, most where looking at certificates for the first time and thinking what is PKI (Public Key Infrastructure), however people are now thinking, how do we manage so many different certificates? Certificates are now used all of the time within the IT industry, and certificates confirm our websites identity, certificates are used to sign emails and certificates are even used to evidence code was developed by a specific business, so with many certificates, how should they be managed?
Lets start by recognising that along with a certificate, there’s also an associated life cycle, which often contains the following steps, which means they should be wrapped in a business process, or standard operating procedure.
For a handful of certificates this is likely something that can be managed without too much stress, but there is still the concern of security, so here’s a few quick wins and considerations on how to improve the certificate life cycle deployed in your business.
Distribution of certificates is highly important, because if done incorrectly it can lead to your certificate being intercepted. This is obviously bad, because if intercepted a malicious actor could pretend to be you and even be verified through the usage of the certificate. A great method for distribution, is to ensure that the certificate requires a passphrase, and to distribute the passphrase separately to the certificate. If the plan is to send it via email, zip it up, name it something different to “certificate” and password protect the zip file. Ideally send the certificate using only a secure email platform (encrypted email), and better again, don’t send it at all using a public facing system.
Storage of certificates and keys, is another important factor. Where and how should they be stored. Consider this heavily because doing so now, could save a lot of time in the future. Options that some businesses use, include storing on a none networked virtual machine, which is powered off unless required, and only accessible by certain members of staff. Other options, include storing on an encrypted USB key and locking in a fireproof safe (if you do this, don''t store the password for the USB key within the same safe), or perhaps dropping them in a directory, which has tightly controlled ACLs (access control lists), with auditing on the access.
Monitoring is another very important consideration. Certificates can be installed in hundreds of places, so how can they be kept track of? There is the obvious idea of logging each certificates details within an excel document but if it’s not actively reviewed, it could lead to a certificate expiring and problems occurring resulting in a reactive fix, rather than proactively replacing them. The best ideas in this arena, are automated. Using a solution such as PRTG or Zabbix, enables the ability to track lots of certificate related information. This tracking often means having a dashboard present in IT or email alerting when customised thresholds are met. A few example thresholds include...
- 60 days, to provide time for finance to approve.
- 28 days, to ensure the appropriate CA is found and used.
- 7 days, to ensure time is given for performing the technical change.
If your company would like any assistance with using certificates and the management process, feel free to get in touch, we’re always happy to get involved.
FOR LATEST UPDATES SUBSCRIBE HERE: