The National Institute of Standards and Technology (NIST) has released a detailed report that highlights the challenges faced by companies when it comes to Transport Layer Security (TLS) server certificate management. No stone is left unturned or security issue unscrutinized in the sprawling 432-page NIST report, which makes sweeping recommendations for organizations to beef up their SSL/TLS certificate management.
We’ve gathered the highlights from the NIST document, which includes recommendations on how TLS can be enhanced and web security maintained. In this article, you’ll discover:
- Why most companies employ suboptimal certificate management practices.
- The risk presented by improperly managed TLS certificates.
- Best practices for tackling the problem head-on.
- How to create a certificate management action plan.
Managing thousands of TLS certificates is complicated
Many organizations are unaware of just how many TLS certificates they maintain. As the NIST report acknowledges in its executive summary, “A large- or medium-scale enterprise may have thousands or even tens of thousands, each identifying a specific server in their environment.” While some of these will be used on customer-facing websites and applications, many more are used internally, to secure company networks and protect communications.
The problem, as the report notes, is that most organizations lack a unified framework for discovering and managing these SSL/TLS certificates. Instead, they’re reliant on piecemeal solutions that are scattered across different systems and departments. We read: “Organizations that improperly manage their certificates risk system outages and security breaches, which can result in revenue loss, harm to reputation, and exposure of confidential data to attackers.”
Implementing better TLS certificate management
The NIST report doesn’t just identify problems: it proposes SSL/TLS certificate management solutions that lead to better practices and fewer instances of certificates being allowed to expire, with the security risk and service interruption that an expiry carries.
NIST recommends that “organizations should establish a formal TLS certificate management program with executive leadership, guidance, and support.” This should include “clearly defined policies, processes, and roles and responsibilities for the certificate owners and the Certificate Services team.”
The best practices proposed include:
- TLS inventory creation: a single inventory of all TLS server certificates should be created.
- Validity periods: ensure that certificates and their corresponding private keys are changed regularly and set validity periods of one year or less.
- Signing algorithms: certificates should be signed using cryptographic algorithms that conform to approved standards.
- Subject DN and SAN contents: subject DNs and SANs in all certificate requests should be thoroughly reviewed before they are sent to the CA.
- Automation: organizations should automate certificate lifecycle management for as many systems and applications as possible to decrease security and operational risks.
- Continuous monitoring: TLS certificates should be continuously monitored to prevent outages and security vulnerabilities.
- Certificate transparency: CT logs should be regularly monitored to ensure unauthorized certificates have not been issued for any domains owned by the organization.
- Discovery and import: use a service that supports automated SSL/TLS certificate discovery and import, including configuration discovery and bulk import.
- Reporting and analytics: use a certificate service that will provide custom notifications based on configured rules. Custom reporting should also be available.
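Several of the practices above (validity periods of one year or less, approved signing algorithms, reviewed SAN contents, and continuous monitoring for approaching expiry) can be expressed as an automated policy check over every certificate in the inventory. The following Go program is an added example written for this article; it is not code from the NIST report or from any product mentioned here. It builds a constructed self-signed certificate with the standard library so it runs offline, then audits it against the policy. The 30-day renewal warning, the approved-algorithm list, and the per-owner list of approved hostnames are assumptions (the report calls only for "approved standards" and a review of SAN contents); adjust them to your own policy.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Policy thresholds. maxValidity follows the "one year or less" recommendation;
// renewalWindow is an assumed early-warning threshold for continuous monitoring.
const (
	maxValidity   = 365 * 24 * time.Hour
	renewalWindow = 30 * 24 * time.Hour
)

// approvedSigAlgs is an assumed allow-list standing in for "approved standards".
var approvedSigAlgs = map[x509.SignatureAlgorithm]bool{
	x509.SHA256WithRSA:   true,
	x509.SHA384WithRSA:   true,
	x509.SHA512WithRSA:   true,
	x509.ECDSAWithSHA256: true,
	x509.ECDSAWithSHA384: true,
	x509.ECDSAWithSHA512: true,
}

// AuditCertificate checks one inventoried certificate against the policy at time
// `now` and returns human-readable findings; an empty slice means compliant.
// approvedHosts is the set of hostnames the certificate owner is allowed to request.
func AuditCertificate(cert *x509.Certificate, now time.Time, approvedHosts map[string]bool) []string {
	var findings []string

	// Validity period: the whole NotBefore..NotAfter span, not just time remaining.
	if validity := cert.NotAfter.Sub(cert.NotBefore); validity > maxValidity {
		findings = append(findings, fmt.Sprintf("validity period of %d days exceeds policy maximum", int(validity.Hours()/24)))
	}

	// Continuous monitoring: flag expired certificates and those inside the renewal window.
	if now.After(cert.NotAfter) {
		findings = append(findings, "certificate has expired")
	} else if remaining := cert.NotAfter.Sub(now); remaining < renewalWindow {
		findings = append(findings, fmt.Sprintf("expires in %d days; renew now", int(remaining.Hours()/24)))
	}

	// Signing algorithm must be on the approved list.
	if !approvedSigAlgs[cert.SignatureAlgorithm] {
		findings = append(findings, "signature algorithm "+cert.SignatureAlgorithm.String()+" is not approved")
	}

	// SAN review: every dNSName must be a hostname this owner is entitled to.
	if len(cert.DNSNames) == 0 {
		findings = append(findings, "no SAN dNSName entries; clients will not match the hostname")
	}
	for _, name := range cert.DNSNames {
		if !approvedHosts[name] {
			findings = append(findings, "SAN "+name+" is not an approved hostname for this owner")
		}
	}
	return findings
}

// makeTestCert builds a constructed self-signed server certificate so the audit
// can run without a CA. With a P-256 key and no explicit SignatureAlgorithm, Go
// signs with ECDSA-with-SHA256.
func makeTestCert(cn string, sans []string, notBefore time.Time, days int) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     sans,
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(time.Duration(days) * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Constructed inventory entry: owner is approved for www.example.com only.
	approved := map[string]bool{"www.example.com": true}
	start := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	cert, err := makeTestCert("www.example.com", []string{"www.example.com", "shadow.example.net"}, start, 730)
	if err != nil {
		panic(err)
	}
	for _, f := range AuditCertificate(cert, start.Add(720*24*time.Hour), approved) {
		fmt.Println("FINDING:", f)
	}
}
```

In a real program the certificates would come from the inventory (discovered endpoints or exported CA records) rather than from `makeTestCert`, and `approvedHosts` would be looked up per certificate owner; the audit itself stays the same, which is the point of keeping policy thresholds in one place.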
Create a certificate lifecycle management action plan
The NIST report recommends that businesses create an action plan to improve their certificate management. It suggests appointing an executive owner tasked with overseeing the company’s certificate lifecycle management program. This owner has ultimate oversight of all SSL/TLS certificates and is expected to educate other executives on their responsibilities for the certificates that fall under their jurisdiction.
It then suggests devising an action plan that includes clearly defined milestones, starting with the most critical tasks. A timeline should be laid out that details when each task is expected to be completed, and what the next steps should be. It also recommends regular executive reviews, ideally every 90 days, to track progress. Finally, regular audits are proposed as well as periodic security testing to ensure that nothing is allowed to slip under the radar.
Automated certificate lifecycle management
If you’re seeking a turnkey solution to automate your certificate lifecycle management while ticking off the NIST’s key recommendations, try Keyhub. The cloud platform allows you to discover and manage all your SSL/TLS certificates via a single inventory and dashboard tools. Crucially, it incorporates many of the best practices set forth in the NIST report including:
- SSL/TLS certificate discovery tool for external and internal networks with regular auto-scan updates and CT logs monitoring.
- Certificate inventory tool to view SSL/TLS certificates regardless of the issuing certificate authority, along with their validity periods, signing algorithms, and Subject DN and SAN contents.
- SSL/TLS reporting and analytics tool to track digital certificate expiration dates and evaluate the overall system health.
- Inbuilt tools to check, generate and verify certificates faster with certificate and CSR generators and decoders in one place.
SSL/TLS certificate management doesn’t have to be a headache – but if it’s left unchecked, it can easily become one. Don’t let your TLS certificates become an administrative and security nightmare. Make an action plan, periodically review your progress, and use a certificate lifecycle management platform you can rely on. That way you can focus on growing your business in the knowledge that your certs are safe, sound, and all accounted for.