Securing TLS certificates has become increasingly difficult in recent years as the volume of certificates has greatly increased and the lifespans of machine identities have dramatically decreased. Combine these changes with the fact that many machines themselves have lifespans of only days or even hours, and organizations have more machine identities than can be effectively managed even with an army of PKI professionals.
Effective TLS certificate management today requires automation, not just to keep up with the volume and velocity of certificates, but also to minimize human error and ensure unprotected certificates don’t cause an outage or, worse, get compromised and lead to a data breach or other attack.
A great guide to managing TLS certificates is the NIST Special Publication 1800-16: Securing Web Transactions, TLS Server Certificate Management (SP 1800-16), published in June 2020. NIST SP 1800-16 provides recommended best practices for large-scale, effective TLS certificate management. A large portion of the guidelines focuses on automation.
At a high level, NIST shares that an effective certificate management service should include:
- Seamless technology and services to connect with issuing Certificate Authorities (CAs), including self-service access for provisioning, installing, renewing, and revoking certificates
- Certificate discovery and inventory management that includes continuous monitoring and crypto-agility capabilities
- Easy integration with other enterprise systems
Let’s look at how automation could have an impact in each of these areas.
Seamlessly connect with issuing CAs
We know that medium and large organizations work with multiple CAs. The NIST guidelines recommend doing so—both from a public and private CA perspective—as a way to limit the impact of a compromised CA or other incident, and because different teams have different needs best served by one CA versus another. Challenges often arise when multiple CAs are in use, such as maintaining a consistent organizational policy across all certificates and avoiding duplication of effort. Fortunately, using a control plane for machine identities together with automation is a great way to solve these challenges.
Automation, available through Venafi TLS Protect Cloud, can make the entire process of requesting, obtaining, and installing a certificate hands-free for the requester. TLS Protect Cloud has an internal issuer, pre-built integrations with popular public and private CAs, and can connect with any CA that supports ACMEv2, like Let's Encrypt and SSL.com. When a certificate is requested, TLS Protect Cloud makes all the necessary CA connections, uses pre-built issuing templates to ensure all certificates issued meet organizational policy, and can automatically install certificates.
The following short video describes how you can connect to your CAs and issue certificates using TLS Protect Cloud.
Discovery and continuous monitoring
NIST is clear about discovery, saying organizations must build and maintain an updated inventory of certificates to help detect potential vulnerabilities (such as weak key length or algorithms), identify certificates that are nearing expiration, and more.
We know from experience that building a complete and accurate inventory is only possible with automation. Trying to build and maintain an inventory by hand is impossible in today’s IT environments, and if you’re relying on just what your CA partners’ tools report, you’re likely missing certificates issued by shadow CAs that you don’t know about.
Fortunately, automating discovery and ongoing monitoring of certificates is an area where TLS Protect Cloud excels. Proprietary internet and network discovery delivers a unified view of every certificate and where it is installed. Once discovered, certificates are validated every 24 hours to ensure that the correct certificate is in use on an application and properly configured and that the certificate chain is well-formed, valid, properly signed, and trustworthy.
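The validation checks just described (expiry window, weak key length, weak signature algorithm, and a trustworthy chain) can be expressed as a small audit routine. The following is an added example, not code from the original post or from TLS Protect Cloud; it uses only Go's standard library and audits a constructed self-signed test certificate rather than a real identity.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// auditCert applies the inventory checks described above to one certificate and
// returns the policy findings: expiry window, weak RSA key, weak signature
// algorithm, and whether the chain verifies against the given trusted roots.
func auditCert(cert *x509.Certificate, roots *x509.CertPool, now time.Time, renewWindow time.Duration) []string {
	var fs []string
	if now.After(cert.NotAfter) {
		fs = append(fs, "expired")
	} else if cert.NotAfter.Sub(now) < renewWindow {
		fs = append(fs, "expiring-soon")
	}
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < 2048 {
		fs = append(fs, "weak-rsa-key")
	}
	switch cert.SignatureAlgorithm {
	case x509.MD5WithRSA, x509.SHA1WithRSA, x509.ECDSAWithSHA1:
		fs = append(fs, "weak-signature-algorithm")
	}
	// Verify builds and checks the chain (signatures, validity period, constraints).
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now}); err != nil {
		fs = append(fs, "untrusted-chain")
	}
	return fs
}

// selfSigned builds a constructed self-signed test certificate (not a real identity)
// with the given RSA key size and expiry, so the audit can run offline.
func selfSigned(bits int, notAfter time.Time) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "test.example.internal"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, BasicConstraintsValid: true, IsCA: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Running this daily over a discovered inventory, and treating any non-empty result as an alert, gives the continuous monitoring the passage describes; a renewal window of 30 days is a common starting point.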
We developed this short video to show you how you can start building an inventory of TLS certificates on your public and private networks within minutes of starting a free 30-day trial.
Integration with other enterprise systems
The NIST guidelines suggest that organizations should work to "automate certificate management on as many systems and applications as possible to decrease security and operational risks." We know that in the past, many certificate owners hesitated to introduce automated management of certificates on their systems for fear that the automation solution would introduce an error or issue.
For this reason, we're committed at Venafi to building and maintaining the largest integrated technology ecosystem from industry leaders. From the Venafi Marketplace, you can discover, consume, provide feedback on, and get support for integrated solutions to manage and protect TLS certificates with Venafi TLS Protect Cloud.
To see some specific integrations in action, the following short video showcases how TLS Protect Cloud can automatically install certificates using either popular orchestration tools or direct technology connections.
Automation, as part of your overall plan to effectively manage TLS certificates, is no longer a nice-to-have given the number of certificates in use, their growth, their shortening lifespans and the important role they play in protecting machine-to-machine communication in both traditional networks and zero trust environments. See the power of automation by starting a free 30-day TLS Protect Cloud trial.