When Certificate Management Becomes Daunting, Automate It

Tracking and managing digital certificates has become a challenge that overwhelms many IT managers and security professionals, making the task a clear candidate for automation. The sheer number of servers, users, devices, and software applications in today’s enterprise which require authentication is daunting—particularly for those still using massive Excel sheets.

Despite the lost productivity and increased risks of manually managing private and public certificates, automation of certificate management remains less common than one would assume.

Yes, there are various third-party tools and IETF protocols that can help modernize this onerous task, but many organizations have holes in the process, making efficient certificate management elusive. Some organizations have fewer than a few dozen certificates to manage, while others, especially those organizations with facilities and offices spread across continents and oceans, may have tens of thousands. In addition, for companies with millions of edge devices and sensors, tracking and managing the security certificates required to establish and ensure secure communications is a herculean task.

By adopting a complete certificate automation solution, enterprises can reduce the risk of breaches or outages owing themselves to expired certificates or that are unknowingly deployed in their environment. In addition, automated certificate lifecycle management enables businesses to respond quickly and with agility as the security and business landscape evolves and new types of cybersecurity threats emerge.

There are four pillars of certificate automation designed to take enterprises from tactical to strategic certificate management: Discovery, Deployment, Lifecycle Management, and Renewal. These pillars feed into a single pane of glass platform for complete visibility.

Four Pillars of Certification Automation

#1  Discovery

Finding and cataloging all of your company’s certificates is essential for securing a modern enterprise. There are likely rogue certificates floating around that were not directly issued by your IT or network security teams. Often, smaller activities and projects from other lines of business are not appropriately removed, with the seemingly non-critical certificates becoming ticking time bombs, which if forgotten or ignored, can create massive security vulnerabilities.

By using an automated discovery process that regularly scans an entire environment, network or security admins can identify every certificate across the organization, ensuring that there are no rogue certificates that go undiscovered until they have opened the door to a cyberattack or create other security issues.

#2 Deployment

Manually provisioning or registering a certificate at the right time for the right purpose is an incredibly time-intensive task. Merely deploying an SSL certificate on just one server could take up to two hours! And that is just the beginning.

Now add the other required tasks such as documenting each certificate’s location and purpose, configuring certificates according to myriad endpoint devices and varying operating systems, and then confirming that each performs correctly. This can require a lot of additional time and effort.

Today’s enterprises need to be quick-moving and agile to keep up with constant flux and rapid change. Beyond time saved, automated deployment means reduced human-error and increased reliability and consistency. Fortunately, IETF standards, like the Automated Certificate Management Environment (ACME) protocol, are gaining traction and cover most use cases for end-to-end certificate management.

#3 Lifecycle management

Certificates include the requirements and policies that enterprises use to define trust within their organization, extending the security of using only highly trusted key architectures.

To ensure a certificate is always in its best possible state, organizations need to be able to revoke and replace certificates on demand, quickly and efficiently.  Spending more than two hours per certificate is unreasonable. It needs to happen seamlessly and at scale.

Automated lifecycle management makes revoking and replacing certificates a touch-free process. And administrators no longer need to wait until the expiration date to make critical certificate upgrades. Instead, they can simply order and provision new valid certificates and easily revoke old or noncompliant certificates. The platform manages these changes without downtime.

#4 Renewal

All certificates have an expiration date. It is a fundamental trust element that certificates are time-bound and will need to be replaced. Effective September 2020, browsers further shortened certificate validity to a 398-day period, sending organizations still manually managing hundreds or thousands of certificates with spreadsheets into panic mode. When certificates expire without having been replaced, that is when we start to see headlines about costly outages or breaches.

Timely certificate renewal is a cornerstone of cybersecurity, and reliance on manual management increases the risk of human errors.

Some organizations claim to be automated because part of their process, such as receiving email notifications about the impending certificate expiration, is automated. Unfortunately, many of these emergency notice emails end up in a flooded inbox or spam folder or are sent to someone on vacation or who is no longer with the organization. More importantly, an email is just an alert. It does not actually DO anything. It does not actually renew and install the new certificate.

While it is essential for organizations to know that renewals are coming, the most significant value of automating renewals is that the entire process is scheduled to run with minimal action from individual contributors.

Single pane of glass visibility for monitoring and management

Enterprises are best served by using one certificate management platform—a so-called “single pane of glass”—to discover, deploy, manage lifecycles, and renew all digital certificates.

Visibility is the critical capability enterprises require to enable and enhance the four pillars. Having this one-stop insight speeds up and simplifies certificate management, making it easier to track and monitor the certificate types, vendors, public and private certificates, cryptographic choices, and upcoming certificate expirations. Such visibility is also the basis for sound corporate governance of trust policies and compliance audits.

The concept of visibility affects all four pillars of certificate automation, from knowing which certificates exist to understanding the cryptography behind those certificates. With single-pane-of-glass visibility, it takes just a quick look to absorb information such as whether keys comply with length and cryptographic requirements, or whether there are non-compliant certificates based on deprecated hashing algorithms.

Get prepared with certificate automation

The more automated your certificate management, the better off and more secure your organization and those you serve will be.

Get strategic about certificate management by automating the discovery, deployment, lifecycle management, and renewal of certificates. #cybersecurity #respectdataClick to Tweet

The four pillars of certificate automation reduce the risk of breaches and outages, lessen administrative burden and human error, and ease responding to sudden events that require certificate agility. Automating the discovery, deployment, lifecycle management, and renewal of certificates is not only how enterprises scale their authentication processes; it is how they get strategic about their cert management.


Chief Compliance Officer at Sectigo