Venafi Inc.s AutoCert Manager 4.1 significantly reduces the time and manual effort needed to manage SSL digital certificates. AutoCert Manager, released in February, acts as a certificate clearinghouse, tracking certificate information and status across the enterprise and enabling automated renewal even in complicated environments that utilize multiple signing authorities. For ably solving a management problem that, left unchecked, could affect the publics trust in a companys brand, eWEEK Labs awards AutoCert Manager 4.1 our Analysts Choice designation.
Click here to read the full review of AutoCert Manager 4.1.
2
Venafi Inc.s AutoCert Manager 4.1 significantly reduces the time and manual effort needed to manage SSL digital certificates. AutoCert Manager, released in February, acts as a certificate clearinghouse, tracking certificate information and status across the enterprise and enabling automated renewal even in complicated environments that utilize multiple signing authorities. For ably solving a management problem that, left unchecked, could affect the publics trust in a companys brand, eWEEK Labs awards AutoCert Manager 4.1 our Analysts Choice designation.
At this time, AutoCert Manager is focused on managing certificates for Web servers, Secure Sockets Layer accelerators and IBM WebSphere MQ servers. AutoCert supports most common Web servers, including Apache and Microsoft Corp.s Internet Information Services 5.0 and 6.0, as well as load balancers from F5 Networks Inc. and Redline Networks Inc. (For a complete rundown of systems supported, check out www.venafi.com/product/datasheet.pdf.) However, there is plenty of room in AutoCert for future growth, capitalizing on enterprises continued adoption of client certificates to secure VPN, wireless and other links.
While external CAs (certificate authorities) such as VeriSign Inc. and Entrust Inc. offer tools that help corporate customers track, request, renew and revoke certificates, AutoCert is the first tool weve seen that can manage the process among multiple CAs.
In addition to automating the certificate-generation process with a number of external CAs, AutoCert can manage certificates generated internally with the Microsoft Certificate Authority system that comes with Windows 2000 Server and Windows Server 2003.
Pricing for AutoCert Manager 4.1 ranges from $150 to $250 per managed Web server, depending on the complexity of the deployment. The number of servers managed, the levels of automation desired and the diversity of CAs used will all factor into the final price.
In the simplest usage scenario, AutoCert acts as a specialized port scanner, detecting Web servers on the network.
During tests, eWEEK Labs kicked off a scan of our entire test network to determine how many Web servers were active on TCP ports 80 and 443. Most enterprises will likely have third-party vulnerability scanning software already in place, and wed like to see Venafi add the ability to import results from these products.
As part of the scan, AutoCert initiates a standard connection to any Web server found and collects any certificate information it encounters. (A Web server certificates issuing authority and the certificates expiration date are public information—just click on the lock icon in your browser and take a look.) AutoCert then adds all found servers and certificates to the Discovery Queue in the administrative console.
From the Discovery Queue, we easily configured our servers for ongoing management with AutoCert. We assigned an AutoCert administrative group by filling out pertinent Web server and operating system version information. We also configured SSH (Secure Shell) log-in information for the servers, which allows AutoCert to securely install certificates. AutoCert also supports Telnet communications to Web servers, although use of Telnet is not recommended because it lacks encryption capabilities.
Venafi supports multiple nested administrative groups. We were, therefore, able to assign control of a subset of our servers and certificates to specific administrators. This will let administrators delegate responsibility to individual departments while maintaining centralized oversight in the process.
Next page: Dashboard gives administrators an overview.
Page Three
AutoCerts Web-based dashboard gives each administrator an overview of the certificates for which they are responsible. Primary administrators, meanwhile, have access to views across the enterprise.
The dashboard provides special notifications for any expired or soon-to-expire certificates. A few canned reports are also available and provide the same information in exportable form, and it was a snap to configure AutoCert to send notifications via e-mail.
While AutoCert greatly simplifies the process of tracking certificate status across the network, its real power comes from its ability to request new certificates from multiple issuing authorities—all from a single console.
eWEEK Labs tested AutoCerts ability to generate and process certificate requests from VeriSign and from our internal Microsoft Certificate Authority, as well as its ability to automatically install the certificates on intended Web servers.
From the AutoCert Web interface, we could generate a CSR (certificate signing request) and choose the authority from which to request it. With the Clone button, we could easily duplicate existing requests. Wed like to see Venafi take things a step further, however, and allow administrators to configure and lock CSR templates. This would enable other administrators to manage requests without the risk of typing errors.
When AutoCert detects that a certificate is about to expire, it triggers the automated renewal process (if enabled). A color-coded status bar indicates where things stand as the request is generated, transmitted, approved, received, validated and installed.
Using our internal CA, the entire process took only a couple of minutes from notification to install. Renewal time varied during our testing with VeriSigns external CA, but the process worked without intervention.
Companies uncomfortable with automating the entire renewal process can choose to be notified only when a certificate is set to expire and initiate the renewal or replacement process manually from the AutoCert console.
eWEEK Labs installed AutoCert on a Windows Server 2003 Enterprise Edition with 512MB of RAM. We used the integrated MSDE 2000 database engine for our tests, but larger deployments should use an external SQL Server database instead for greater scalability.
AutoCert includes simple tools for backing up the database file to a network share.
We also appreciated AutoCerts redundancy features. AutoCert includes the ability to configure slave servers that come online in the event of failure at the main server. Slave servers are configured to replicate data from the master server and to monitor the masters status. If the master server does not respond within a certain amount of time (determined by the administrator), the slave machine becomes the master.
Next page: Evaluation Shortlist: Related Products.
Page Four
Evaluation Shortlist
Manual tracking and renewal processes Tracking certificate expiration dates in a spreadsheet and waiting for notification e-mails from a CA can be time-consuming
Entrusts Certificate Management Service Premium Edition The richest level of support from Entrust offers reporting and automation tools and arranges alignment of expiration dates for multiple certificates (www.entrust.com)
VeriSigns Managed PKI for SSL 2nd Premium Edition Central management and reporting as well as Server Gated Cryptography-enabled certificates guarantee highest possible encryption levels, even with older browsers (www.verisign.com)
Technical Analyst Andrew Garcia can be reached at [email protected].
Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.