Certificates have become a necessary technology across the enterprise as a mechanism to keep things secure. However, managing digital certificates can be anything but easy. After all, there are numerous certificate authorities, different types of certificates, expiration dates, application integrations, certificate ownership, and numerous other bits of metadata that must be managed and accounted for when it comes to certificates.
Add to that legislative compliance issues, certificate hacks and countless other issues that can render certificates useless, and the typical IT manager may find himself in certificate hell.
Why certificates matter
Digital certificates came into being to bring security to the internet, which was originally designed as an open communications network with little thought given to security. Digital certificates addressed that lack of security by creating a mechanism that encrypts online communications between an end-user’s browser and a website.
After verifying that a company owns a website, a certificate authority will sign its certificate so it is trusted by internet browsers. Simply put, certificates became the “locks and keys” of secure access.
However, certificates also introduced an additional burden to enterprise IT, because someone had to track and manage those certificates, making sure they were still valid, not expired and renewed on time. Some IT departments stored critical information about certificates, such as keys and expiration dates, in unprotected spreadsheets, while others relied on paper documents, databases or some other ad hoc method to store what amounts to very critical information.
That lackadaisical approach to managing certificates led to cybersecurity compromises and a realization that certificates were assets worthy of protection. However, with numerous certificate authorities in play and an increasing need for certificates across numerous domains, centralized management of certificates and their critical elements became an almost impossible task with widespread implications.
DigiCert, a well-known certificate authority, recognized the angst that certificate management was causing enterprises and launched CertCentral, with the intention of bringing full visibility and lifecycle management to certificates.
A closer look at DigiCert CertCentral Enterprise
To date, certificate management has been anything but easy. CertCentral aims to bring ease into the process of certificate management. The product, or more appropriately, service, is designed to be a central repository for anything related to certificates.
Certificates all contain a number of critical elements that require active management. CertCentral brings all of those elements together into a unified management platform that automates many of the processes associated with certificates, while also tracking the critical elements of certificates.
CertCentral brings forth the concept of a centralized database for certificate elements and presents that information in a simple-to-understand management console. Getting started with CertCentral requires little more than creating an administrative account and entering the proper credentials.
Once an account is established, administrators need to import their certificates into the platform to enable management. Adding certificates to the platform proves quite easy. CertCentral incorporates automated continuous search and monitoring capabilities which can identify the certificates already in use. What’s more, the continuous monitoring brings forth another benefit: the ability to identify new certificates that may have been added in an unauthorized fashion under shadow IT. CertCentral is able to offer insight for any certificate, regardless of the issuing authority, or if the certificates are self-signed, private or public.
Numerous enterprises today face compliance issues, and expired certificates introduced during a shadow IT project can violate compliance regulations, just as an expired certificate under IT’s control can. That makes it critical to locate any and all certificates in use on enterprise resources. What’s more, certificates are being used on more and more devices, meaning that the liability that a certificate can introduce into a compliant environment may go unnoticed. CertCentral’s continuous monitoring helps to mitigate those liabilities by discovering certificates and bringing visualization to them.
Effective certificate management is multifaceted
Discovery of certificates is only one part of the management equation. Effective management means that administrators must also be able to review the status of any certificate, track any issues with a certificate, and remediate any problems with a certificate. Here, CertCentral takes a multipronged approach to easing the management of those certificates, and even goes one step further to incorporate complete lifecycle management of certificates in use in the enterprise.
While that still may sound like a rather complex process, CertCentral incorporates many tools to keep things simple. First, CertCentral supports multiple users and administrators, allowing IT departments to spread the burden to the actual owners of a certificate, while still maintaining visibility. The product supports a simple paradigm that allows the primary administrator to invite other managers into the platform using an email invitation. Invitees can then be verified by the administrator and granted access. The product also supports SAML (Security Assertion Markup Language) and single sign-on, which helps to keep things secure, while not introducing any additional complexity.
Discovered certificates are displayed on a dashboard, which gives a single pane-of-glass view into the certificates in use, along with critical information such as expiration dates, discovered vulnerabilities, and so forth. The product also offers a scan tool that can be executed to find any issues immediately. The certificate inspector is able to quickly identify certificate vulnerabilities, such as certificates that are not compliant with industry standards, or certificates that contain deprecated algorithms. The certificate inspector presents that information visually and allows an administrator to drill down into each certificate to further investigate any issues.
One of the most critical aspects of certificate management comes in the form of understanding the who, what, where and when of a certificate. In other words, administrators need to know who is responsible for the certificate, the lifecycle of said certificate, where the certificate is installed, and why the certificate is needed. CertCentral combines all of that relevant information into a visual representation on the management console.
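To make the kinds of checks described above concrete, here is an added example (not CertCentral code and not its API) that triages a small inventory for expiry, deprecated signature hashes, weak keys, self-signed certificates and missing owners. The record fields, thresholds and host names are assumptions chosen for illustration, and the inventory is constructed sample data.

```python
from datetime import date

# Assumed policy values for this example, not taken from any product.
DEPRECATED_HASHES = {"md5", "sha1"}
MIN_RSA_BITS = 2048
RENEWAL_WINDOW_DAYS = 30

# Constructed inventory records, shaped like the output of a discovery scan.
INVENTORY = [
    {"cn": "www.example.test", "owner": "web-team", "host": "lb-01",
     "issuer": "Example Public CA", "not_after": date(2026, 3, 1),
     "sig_hash": "sha256", "key": ("rsa", 2048)},
    {"cn": "intranet.example.test", "owner": "it-ops", "host": "app-07",
     "issuer": "intranet.example.test", "not_after": date(2025, 1, 20),
     "sig_hash": "sha1", "key": ("rsa", 1024)},
    {"cn": "build.example.test", "owner": None, "host": "ci-03",
     "issuer": "Example Private CA", "not_after": date(2024, 12, 15),
     "sig_hash": "sha256", "key": ("ec", 256)},
]

def findings(cert, today):
    """Return the list of issues for one inventory record."""
    issues = []
    days_left = (cert["not_after"] - today).days
    if days_left < 0:
        issues.append("expired")
    elif days_left <= RENEWAL_WINDOW_DAYS:
        issues.append("expires-soon")
    if cert["sig_hash"].lower() in DEPRECATED_HASHES:
        issues.append("deprecated-signature-hash")
    kind, bits = cert["key"]
    if kind == "rsa" and bits < MIN_RSA_BITS:
        issues.append("weak-key")
    # Simplification: issuer name equal to subject name is treated as self-signed.
    if cert["issuer"] == cert["cn"]:
        issues.append("self-signed")
    if not cert["owner"]:
        issues.append("no-owner")
    return issues

def triage(inventory, today):
    """Map each certificate name to its issues, omitting clean certificates."""
    report = {c["cn"]: findings(c, today) for c in inventory}
    return {cn: issues for cn, issues in report.items() if issues}

if __name__ == "__main__":
    for cn, issues in triage(INVENTORY, date(2025, 1, 1)).items():
        print(f"{cn}: {', '.join(issues)}")
```

The reference date is passed in explicitly so the same inventory can be re-evaluated for any review date.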
Renewals can be automated
Take, for example, the chore of renewing a certificate. With critical information defined in the system, renewals can be automated using a workflow, which can be defined to require as much interaction by the administrator as necessary. Steps such as approval, payments and so forth can be orchestrated by the system, preventing a renewal from falling through the cracks. Much the same can be said about requests for a certificate, where a workflow can be incorporated to smooth over the approval process and purchase the certificate, and then deliver it.
CertCentral incorporates all of the intelligence to support the primary focus of certificate management, allowing administrators to easily request new certificates, duplicate certificates, renew expired certificates, re-issue outdated certificates, remediate risky certificates, revoke compromised certificates and report on the complete certificate ecosystem.
CertCentral takes what was once a painful and risky process of certificate management and transforms it into a comprehensive management paradigm that can remove the angst of certificate management while also reducing the operational overhead associated with certificates.
Frank Ohlhorst is a veteran IT product reviewer and analyst who has been an eWEEK regular for many years.