How Does Your Enterprise Manage Digital Certificates?

By Larry Seltzer  |  Posted 2008-05-27 Print this article Print

Certificate management in many enterprises is a surprisingly manual affair. This can lead to potentially disastrous errors.

Public key encryption is so powerful and yet its impact on computing is disappointing in many ways. I think there's a notion that it's a very technical, complicated subject, therefore it needs to be left to very technical people. And those people can take care of themselves. Nobody has tried to bring public key infrastructure to the masses.

You see it in the utter failure of personal certificates for e-mail and you see it in the tools used by most administrators for their own certificates. In fact, most administrators-or so vendors tell me-just manage their certificates manually. There are no systems in place to track where the certificates are, what the dates are for their active lifetimes, how they were generated, what certificate authority may have signed them, what the account information for that CA is and so on.

You see where I'm going? There's a lot to keep track of. It's not unheard of for a company to have used more than one CA, and it's not uncommon for companies to use self-signed certificates, and how do you keep track of that? In a spreadsheet on your workstation? What happens when you leave your job?

In fact, there is software available to perform these functions and it can save your butt big time. Are you sure you will know when to renew your CA-signed certificate when the signature expires? Already this year there have been a couple famous examples of companies that didn't and, as a result, had embarrassing error messages that diminished their customers' confidence. What kind of big, responsible business could do such a thing? How about HSBC, a large bank? How about Equifax, the people managing your credit report, for whom a typo made their certificate unavailable?

But the best reason to get moving on this problem is the recent Debian OpenSSL bug. As a result of it, any and all certificates may need to be examined for weakness, potentially revoked and replaced. Can your staff do that? Can they do it today?

I could only find three companies in the business of certificate management software (I'm sure the rest of them will be contacting me soon). Microsoft has a Certificate Lifecycle Manager, but it's Windows only and limited in many ways. RSA is also in the business. But I was most interested in Venafi, which tries to work neutrally with the rest of the PKI environment.

They start out with a scan of your networks for existing uses of PKI and certificates and create an inventory. Remember that security people will always tell you that, whatever the topic, the first think you need to know is what you already have. I have no doubt that a large number of companies have no inventory of their PKI assets.

Their software also manages the lifecycle of a certificate. This includes basics like generating pairs and the certificate signing requests and submitting them to the certificate authorities. They bring them down and integrate them into the infrastructure. They notify you of expiring certificates and possibly renew them. They even integrate with a large number of applications and devices that use certificates, such as Web and mail servers, routers, VPNs, app servers and so on. Finally, they monitor and report on your PKI infrastructure.

You have to figure that PKI is going to be more important to your infrastructure over time, and it has to be managed seriously. It's time to take an accounting of what you have and where it is. How else will you know what you need?

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

For insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzer's blog Cheap Hack.

Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel