What’s the current status of your Public Key Infrastructures (PKIs)? If you don’t know, you’re flying blind. PKI is the backbone of cyber defenses, protecting the network from foes and securing your – and more importantly your customers’ – data. This is achieved through regular monitoring and management of your digital certificates, to ensure that they do not expire.
Unfortunately, many enterprises view PKI management as a reactive rather than proactive process, attending to their certs only when problems arise. This is a mistake, for as the adage goes, prevention is better than a cure, and a stitch in time saves nine. In other words, it pays to monitor your PKI before problems have a chance to emerge. But which indicators should you be scrutinizing for early warning signs that something may be amiss with one of your digital certs? Here are six indicators you should be monitoring.
Keep an Eye on Your PKI
1. Signature Hash Algorithm: The strength of the hash algorithm used to sign a digital certificate makes all the difference. A weakness in a hash algorithm can allow attackers to forge fraudulent certificates. For example, Microsoft has deemed SHA-1 to be insecure and deprecated it. Are your digital certs secured using a robust algorithm such as SHA-256, or are there any outdated algorithms still in use?
2. Key Strength (algorithm and size): RSA 2048 is generally regarded as the industry standard, though the stronger RSA 4096 keys are becoming more prevalent, as are alternatives such as ECC 256. Weak keys – typically any RSA key of 1024 bits or fewer – should be identified and weeded out.
3. Multi-Location Certificates: Certificates that are located on more than one endpoint (for wildcard certs and certs with several SANs) should be closely monitored. This will help to ensure that you don’t miss an unknown endpoint when it comes to renewal.
4. Certificate Status: You should have complete oversight of all of the SSL/TLS certificates your business controls, with alerts configured for when certs are close to their expiration date. This typically applies to certificates that are due for renewal in under seven days. You should similarly be aware of the status of any certificates that are no longer in use.
5. Certificate Authority: It’s important to know which CA issued the certificates you’re using, so you know where to go when they’re due for renewal, and so that, in the unlikely event of the certificate authority suffering a security breach, you can quickly mitigate the threat.
6. Certificate Policy Type: Do you know your certificate issuance policy types? Be it basic, extended validation, or self-signed, this is info that it’s helpful to have to hand.
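As an added example (not Keyhub's code and not part of the original article), the sketch below applies the indicators above to a certificate inventory such as a scanner might produce. The record fields, finding labels and sample data are constructed assumptions, and issuer equal to subject is used as a simple self-signed heuristic.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WEAK_HASHES = {"md5", "sha1"}        # SHA-1 is named above; MD5 is an added assumption
RENEWAL_WINDOW = timedelta(days=7)   # the "under seven days" alert threshold from item 4

def audit(inventory, now):
    """Return {fingerprint: sorted findings} for a list of scan records."""
    endpoints = defaultdict(set)
    for rec in inventory:
        endpoints[rec["fingerprint"]].add(rec["endpoint"])
    findings = defaultdict(set)
    for rec in inventory:
        f = findings[rec["fingerprint"]]
        if rec["sig_hash"].lower() in WEAK_HASHES:
            f.add("weak-signature-hash")              # indicator 1
        if rec["key_alg"] == "RSA" and rec["key_bits"] <= 1024:
            f.add("weak-key")                         # indicator 2
        if len(endpoints[rec["fingerprint"]]) > 1:
            f.add("multi-location")                   # indicator 3
        if rec["not_after"] < now:
            f.add("expired")                          # indicator 4
        elif rec["not_after"] - now < RENEWAL_WINDOW:
            f.add("expires-soon")
        if rec["issuer"] == rec["subject"]:
            f.add("self-signed")                      # indicator 6 (heuristic)
    return {fp: sorted(f) for fp, f in findings.items()}

def by_issuer(inventory):
    """Indicator 5: group distinct certificates by issuing CA."""
    groups = defaultdict(set)
    for rec in inventory:
        groups[rec["issuer"]].add(rec["fingerprint"])
    return {ca: sorted(fps) for ca, fps in groups.items()}

NOW = datetime(2024, 6, 1)  # fixed clock so the constructed sample is reproducible

def _rec(fp, ep, h, alg, bits, days, issuer, subject):
    return dict(fingerprint=fp, endpoint=ep, sig_hash=h, key_alg=alg, key_bits=bits,
                not_after=NOW + timedelta(days=days), issuer=issuer, subject=subject)

INVENTORY = [  # constructed sample records, not real certificates
    _rec("aa01", "web1.example.test:443", "sha256", "RSA", 2048, 200, "Example CA", "*.example.test"),
    _rec("aa01", "web2.example.test:443", "sha256", "RSA", 2048, 200, "Example CA", "*.example.test"),
    _rec("bb02", "legacy.example.test:8443", "sha1", "RSA", 1024, 3, "Example CA", "legacy.example.test"),
    _rec("cc03", "dev.example.test:443", "sha256", "EC", 256, -10, "dev.example.test", "dev.example.test"),
]

if __name__ == "__main__":
    for fp, issues in audit(INVENTORY, NOW).items():
        print(fp, issues or ["ok"])
```

Grouping by fingerprint rather than by endpoint is what surfaces the wildcard certificate deployed on two hosts, so both locations are known when it comes up for renewal.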
PKI monitoring made easy
Given the number of data points that must be monitored to ensure your certs – and thus your systems – remain healthy, it’s no wonder that cyber-smart businesses deploy dedicated certificate management software.
Keyhub is an SSL/TLS certificate discovery and management platform that allows you to track all six of the indicators listed above among many others. It enables SSL/TLS certificates to be identified and tracked across an entire enterprise, aggregating the data into a single dashboard.
A paid subscription plan means businesses can select a package that suits their needs, with the option of a free trial to experience the convenience that Keyhub brings. Give Keyhub a go and discover a better way to manage your PKI.