Think about how you typically use the Internet. You might send an email, make a purchase, check that a recent bill payment went through. Each of those requires logging into a website, right?
Well, how do you know for certain that those websites are really owned and operated by the businesses they claim to be? You’d need to verify it.
That’s where digital certificates come into play. They are the machine identities that signal the validity, authenticity and trustworthiness of the website, application or service that you are accessing.
Where do these machine identities come from and why should we trust them? Certificate Authorities provide the machine identities that govern our increasingly machine-driven world. In a way, they provide the critical basis for trust, helping you verify that every machine-to-machine connection is safe.
What is a Certificate Authority?
Without Certificate Authorities, our technological world would feel like the Wild, Wild West. It’d feel like you couldn’t trust anyone. So how do we, as a collective, ensure trust?
Certificate Authorities carefully build and maintain trust by validating the credentials of businesses before issuing them certificates. They are third-party organizations, like DigiCert and Let’s Encrypt, responsible for creating and distributing trusted digital certificates. (Symantec, once one of the largest CAs, had its roots distrusted by the major browsers after repeated mis-issuance and sold its CA business to DigiCert in 2017, a reminder that trust in a CA can be withdrawn.) Using a trusted Certificate Authority lets you vouch for the identities of your machines and show your users that they are in a legitimate interaction, not one with an imposter.
And according to a W3Techs survey, more than 96% of all TLS/SSL certificates on the Internet are issued by just 9 certificate authorities!
Why are Certificate Authorities so important? Let’s turn to a specific, simple example. When you access a secure website, indicated by the “https://” in the URL at the top of the screen, your browser receives a certificate issued by a CA and checks it against its list of trusted roots before it shows the padlock. (You can also learn more about that certificate, including the issuing authority and its validity period, by clicking the padlock or site-information icon that comes before the URL.)
Why are Certificate Authorities critical to cybersecurity?
Every time you browse the web or interact with a machine, you’re extending a certain amount of trust to whoever or whatever you’re interacting with. Certificate Authorities help ensure that that trust doesn’t get misplaced.
- Combatting cyber threats: All across cyberspace, spoofed websites try to dupe users into providing login credentials, credit card information or other sensitive data. Man-in-the-middle attacks are also common. Because a CA issues a certificate for a domain only to a party that has proven control of that domain, an attacker who intercepts traffic cannot present a trusted certificate for the site it is impersonating, and the browser warns the user.
- Providing privacy: A certificate does not encrypt anything by itself. It binds a public key to an identity so that the TLS handshake can set up an encrypted session with the right party, ensuring your personally identifiable information (PII) and passwords are protected in transit from anyone else.
Why are CAs important to DevOps, Infosec, and DevSecOps professionals?
Infosec teams need to have a solid understanding of CAs to ensure their organizations are adhering to security best practices, protecting data and maintaining user trust. But as we enter a software-first economy, machine identities are no longer primarily deployed at the transaction level. As modern business models require continuous software improvements, speedy access to machine identities is required throughout the development process.
As far as DevOps and DevSecOps are concerned, deployments of code occur frequently and must be authenticated on a continuous basis. But it’s also important that your developers have easy access to trusted machine identities within their development platforms. Otherwise, they may be tempted to take shortcuts that circumvent trusted CAs.
Finally, everyone plays a part in ensuring companies maintain compliance with industry regulations and standards. Following stringent protocols and working with Certificate Authorities is crucial to avoiding penalties.
How does a Certificate Authority work?
In order to validate a machine as legitimate, you must first request a certificate through a Certificate Signing Request (CSR). This request contains details about the requesting organization, the domain name(s) the certificate should cover, and the requester’s public key, and it is signed with the matching private key so the CA can check that the requester actually holds that key.
Once a Certificate Authority receives a request, it works to verify that the requester is who they claim to be. Sometimes this is just a simple domain validation (DV), proving control of the domain; for organization- and extended-validation certificates (OV and EV) there is a more extended vetting of the organization itself. Once the CA has completed that verification, it assembles a certificate containing the subject, the public key from the CSR, a validity period and usage constraints, and signs the whole thing with its own private key. That signed certificate is sent back to the requester and installed on the server.
How do you know you can trust a Certificate Authority?
Based on this explanation, it sounds like CAs hold a lot of power. They are, after all, providing the basis of trust for digital life. But who vouches for the Certificate Authorities?
Industry forums, major tech companies and other stakeholders review the trustworthiness of certificate authorities, basing their decisions on security protocols, infrastructure and previous performance. It’s all about rigor and integrity. Without those two elements, these authorities can become distrusted or revoked.
One such example of these industry forums, the Certification Authority/Browser (CA/B) Forum, works to “advance industry best practices... and improve the ways that certificates are used to the benefit of Internet users and the security of their communications.” It is the best known of these groups and publishes the Baseline Requirements that publicly trusted CAs must follow. Enforcement, however, rests with the browser and operating-system root programs (Mozilla, Google, Apple and Microsoft): they audit CAs against those requirements and remove the roots of CAs that don’t conform, which is what “distrusting” a CA actually means in practice.
Some CAs, known as root Certificate Authorities, are widely recognized and embedded in certain browsers and operating systems by default. They can issue certificates to intermediates to form a chain of trust.
Understanding the trust hierarchy and chain of trust
Up to this point, we’ve talked a lot about the importance of trust, and the robust system that keeps it all in place is what is known as the trust hierarchy.
What is a trust hierarchy?
A trust hierarchy establishes and distributes trust in digital communication. It begins with the highest authority (a root CA) and flows to intermediates and every other participating entity.
A central component of that hierarchy is what’s known as the chain of trust. It begins at the root, or trust anchor. As you move down the chain, each link (which is a certificate) is signed by, and therefore vouched for by, the link preceding it. If any one link fails to verify, whether because of a bad signature, an expired validity period or a revoked certificate, the entire chain below it is untrustworthy.
The role of your Public Key Infrastructure (PKI) in the trust hierarchy
Your PKI, which is a set of processes, policies and technologies used to manage, distribute, use, store, and revoke certificates, underpins certificate issuance. The way you configure your PKI can impact the success (or failure) of the application of digital certificates in your organization. It is the backbone of your machine identity management program, and it’s crucial that it’s configured to protect your organization, not leave it at risk.
What are intermediate and end-entity certificates?
Moving on from the root we arrive at intermediate certificates. These, in turn, can issue more intermediates or issue end-entity certificates. End-entity certificates are the ones you think of for servers and websites, the ones that users and systems interact with directly.
For visualization, let’s picture this entire “trust hierarchy” like a tree.
Your root certificates are, of course, the roots that anchor your chain(s) of trust. Intermediate certificates are the branches of that tree. They’re middlemen of sorts that stand between your root certificates and your end-entities. Finally, we can say that end-entity certificates, such as server or website certificates, are like the buds or leaves on that tree. They are issued to specific domains that require secure coverage.
The entire system is designed to ensure that the public key, and the associated data contained in an end-entity certificate, belong to its subject. To confirm this, the end-entity certificate’s signature is verified using the public key contained in its issuer’s certificate, then that certificate’s signature is verified with the public key of the next one up, and so on until you reach a root that is already in your trust store. Along the way the verifier also checks that each certificate is within its validity period, that the issuing certificates are actually marked as CAs, that the name in the leaf matches the server you connected to, and that none of them has been revoked. Only if every link passes can you trust that end entity.
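As an added example (not code from the original article or from Venafi), the Go program below, using only the standard library’s crypto/x509 package, plays both sides of the process described in the two sections above: it builds a hypothetical root CA and intermediate, has a server generate a CSR, checks the CSR signature as a CA would, issues the end-entity certificate, and then validates the chain both link by link and with full path validation, including the failure case where the root is not in the trust store. The names “Example Root CA”, “Example Intermediate CA” and “www.example.com” are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newKey generates a fresh P-256 key pair. In a real deployment the private half
// of a CA key never leaves an HSM; the requester's private key never leaves its server.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	return k
}

// caTemplate describes a CA certificate: basicConstraints CA:TRUE plus the keyCertSign
// usage, which is what lets a verifier accept its signature on other certificates.
func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn}, // hypothetical names
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// sign issues a certificate from tmpl, signed with the parent's private key, and parses it.
func sign(tmpl, parent *x509.Certificate, pub any, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// BuildChain plays the CA side: a self-signed root, an intermediate issued by the root,
// and a server certificate issued by the intermediate in response to a CSR.
func BuildChain(hostname string) (root, inter, leaf *x509.Certificate) {
	rootKey, interKey, serverKey := newKey(), newKey(), newKey()

	rootTmpl := caTemplate("Example Root CA", 1)
	root = sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed trust anchor

	interTmpl := caTemplate("Example Intermediate CA", 2)
	interTmpl.MaxPathLen, interTmpl.MaxPathLenZero = 0, true // may issue end-entity certs only
	inter = sign(interTmpl, root, &interKey.PublicKey, rootKey)

	// The requester builds a CSR carrying its name, SAN and public key, signed with its own private key.
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: hostname},
		DNSNames: []string{hostname},
	}, serverKey)
	must(err)
	csr, err := x509.ParseCertificateRequest(csrDER)
	must(err)
	must(csr.CheckSignature()) // CA side: proof of possession of the private key before issuing

	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      csr.Subject,
		DNSNames:     csr.DNSNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf = sign(leafTmpl, inter, csr.PublicKey, interKey) // CA signs the certificate, not the bare key
	return root, inter, leaf
}

// WalkChain is the link-by-link check from the text: each certificate's signature is
// verified with the public key of the certificate above it, ending at the self-signed root.
func WalkChain(leaf, inter, root *x509.Certificate) error {
	if err := leaf.CheckSignatureFrom(inter); err != nil {
		return fmt.Errorf("leaf not signed by intermediate: %w", err)
	}
	if err := inter.CheckSignatureFrom(root); err != nil {
		return fmt.Errorf("intermediate not signed by root: %w", err)
	}
	return root.CheckSignatureFrom(root)
}

// VerifyServerCert is what a TLS client does: full path validation to a root in its trust
// store, plus validity periods, CA/path-length constraints, key usage and the hostname.
func VerifyServerCert(leaf, inter, root *x509.Certificate, hostname string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: hostname, Roots: roots, Intermediates: inters})
	return err
}

func main() {
	root, inter, leaf := BuildChain("www.example.com")
	fmt.Println("walk:", WalkChain(leaf, inter, root))
	fmt.Println("verify:", VerifyServerCert(leaf, inter, root, "www.example.com"))
	otherRoot, _, _ := BuildChain("www.example.com") // a root the client does not trust
	fmt.Println("untrusted root:", VerifyServerCert(leaf, inter, otherRoot, "www.example.com"))
}
```

Run it with `go run`. The first two calls return nil; the third fails with an unknown-authority error even though the leaf and intermediate are perfectly well formed, which is the point of the trust store: a valid signature chain only counts if it ends at a root you already trust. Note that Go’s Verify does not consult CRLs or OCSP, so revocation checking has to be added on top of it.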
Selecting the right Certificate Authority
How do you know which Certificate Authority is right for your needs? Consider these factors:
- Reputation: Be sure the CA has performed consistently and has rigorous security practices in place. Inclusion in the major browser and operating-system root programs, a clean audit history, and compliance with the CA/B Forum Baseline Requirements are the best indicators of its track record.
- Validation levels: Not all CAs provide the same level of validation. Be sure you work with one that meets your needs.
- Certificate types: There are various certificate types, including code signing certificates, device certificates, etc.
- Customer support: If you’re not sure where to begin, do research into existing CAs to see who provides excellent support and easy-to-understand guidance.
- Cost: Security is important, but you also want to seek out competitive pricing.
- Revocation capabilities: If a private key is compromised, you want to ensure quick revocation, and you want the CA to publish it promptly through CRLs and OCSP so that clients actually stop trusting the certificate.
- Interoperability: Keep operations running smoothly by first checking CA compatibility with browsers, OSes and devices.
Certificate Authorities are the guardians of digital trust in a hyperconnected world.
They help ensure that websites can be trusted, and they legitimize machine-to-machine communications. They are a crucial necessity for everyday digital life, and that’s why it’s important that Infosec and DevOps teams continue to have a solid understanding of the role CAs play in enterprise cybersecurity.
However, the security of your machine identities does not stop with your use of a trusted CA. You must also remember that the way you manage those machine identities will strongly influence their impact on your risk profile. Let them expire and they will trigger an application outage. Leave them unattended and they could become compromised for malicious misuse. While many of the top CAs offer management tools, they may only solve part of your problem.
Venafi offers a Control Plane for Machine Identities that standardizes your approach to managing every machine identity in your enterprise, providing enterprise-wide visibility and consistent automation, regardless of machine identity type, location, or use case.