How Does Your Enterprise Manage Digital Certificates?

Certificate management in many enterprises is a surprisingly manual affair. This can lead to potentially disastrous errors.

Public key encryption is so powerful and yet its impact on computing is disappointing in many ways. I think there's a notion that it's a very technical, complicated subject, therefore it needs to be left to very technical people. And those people can take care of themselves. Nobody has tried to bring public key infrastructure to the masses.

You see it in the utter failure of personal certificates for e-mail and you see it in the tools used by most administrators for their own certificates. In fact, most administrators-or so vendors tell me-just manage their certificates manually. There are no systems in place to track where the certificates are, what the dates are for their active lifetimes, how they were generated, what certificate authority may have signed them, what the account information for that CA is and so on.

You see where I'm going? There's a lot to keep track of. It's not unheard of for a company to have used more than one CA, and it's not uncommon for companies to use self-signed certificates, and how do you keep track of that? In a spreadsheet on your workstation? What happens when you leave your job?

In fact, there is software available to perform these functions and it can save your butt big time. Are you sure you will know when to renew your CA-signed certificate when the signature expires? Already this year there have been a couple famous examples of companies that didn't and, as a result, had embarrassing error messages that diminished their customers' confidence. What kind of big, responsible business could do such a thing? How about HSBC, a large bank? How about Equifax, the people managing your credit report, for whom a typo made their certificate unavailable?

But the best reason to get moving on this problem is the recent Debian OpenSSL bug. As a result of it, any and all certificates may need to be examined for weakness, potentially revoked and replaced. Can your staff do that? Can they do it today?

I could only find three companies in the business of certificate management software (I'm sure the rest of them will be contacting me soon). Microsoft has a Certificate Lifecycle Manager, but it's Windows only and limited in many ways. RSA is also in the business. But I was most interested in Venafi, which tries to work neutrally with the rest of the PKI environment.

They start out with a scan of your networks for existing uses of PKI and certificates and create an inventory. Remember that security people will always tell you that, whatever the topic, the first think you need to know is what you already have. I have no doubt that a large number of companies have no inventory of their PKI assets.

Their software also manages the lifecycle of a certificate. This includes basics like generating pairs and the certificate signing requests and submitting them to the certificate authorities. They bring them down and integrate them into the infrastructure. They notify you of expiring certificates and possibly renew them. They even integrate with a large number of applications and devices that use certificates, such as Web and mail servers, routers, VPNs, app servers and so on. Finally, they monitor and report on your PKI infrastructure.

You have to figure that PKI is going to be more important to your infrastructure over time, and it has to be managed seriously. It's time to take an accounting of what you have and where it is. How else will you know what you need?

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

For insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzer's blog Cheap Hack.