Warfare has been described as “interminable boredom punctuated by moments of terror.” It’s a description that could be equally applied to manual SSL/TLS certificate management. Every day, your business is under attack from blackhats, greyhats, nation state hackers, bored script kiddies and bots, as well as anything and everything else probing your systems for vulnerabilities.
Most of the time, they don’t get very far. Most of the time, your cyber defenses work just as they’re supposed to, repelling both dumb and smart attempts at infiltration. Every once in a while, though, an expired certificate slips through the net and then it’s open season on your network.
That’s why you need a certificate discovery tool to monitor your system during those long periods of interminable boredom, ensuring that the moments of terror never arrive. They’re not the flashiest or most exciting enterprise software you’ll ever use, but then they’re not meant to be; digital certificate tools quietly take care of business in the background so you can get on with yours.
Why SSL/TLS discovery software is essential
Before automated certificate management tools came along, businesses had to manually oversee all of their SSL/TLS certificates, often using nothing more sophisticated than an Excel spreadsheet – as discovered in our industry survey presented in a white paper. In the case of large organizations, the number of certificates to oversee can run into the thousands. All it takes is a missed Excel row or an absent employee for a single day for a certificate to lapse. It’s a system that works...until it doesn’t.
Enter SSL/TLS discovery tools, which do a lot more than simply issue a reminder any time a digital certificate is due to expire. The best software serves as an all-in-one solution for detection, organization, tracking, and analysis. These tools perform advanced services that extend far beyond anything an admin armed with an Excel sheet could ever hope to accomplish, including:
- Deep network discovery scans
- Port scanning with IP range
- Port scanning with domain list
- Subdomain search
- Certificate Transparency log monitoring
- Scans of both internal & external networks
This is all on top of aggregating an enterprise’s certificates, which can be scattered across multiple departments, units, and sites. In addition to presenting a security risk, SSL certificate expiration can result in website and server downtime, complete with the costs this carries.
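As an added illustration of the "domain list" scan and expiry analytics described above (example code written for this article, not any vendor's product), this standard-library Python script pulls the notAfter date from each host in an inventory and buckets hosts into expired, expiring soon and ok. The hostnames, dates and the 30-day warning threshold are constructed assumptions.

```python
"""Minimal certificate-expiry inventory check (added example, not any vendor's code).

fetch_not_after() performs a live TLS handshake against one host; days_remaining()
and triage() are pure functions so a report can be built from a stored inventory offline.
"""
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 30  # assumption: flag anything expiring within 30 days


def fetch_not_after(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Return the peer certificate's notAfter string, e.g. 'Jun  1 12:00:00 2025 GMT'."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def days_remaining(not_after: str, now: datetime) -> float:
    """Days until expiry (negative if already expired).
    ssl.cert_time_to_seconds() understands the getpeercert() date format."""
    expiry = ssl.cert_time_to_seconds(not_after)
    return (expiry - now.timestamp()) / 86400


def triage(inventory: dict, now: datetime, warn_days: int = WARN_DAYS) -> dict:
    """Bucket hosts by status so expired and soon-to-expire certificates surface first."""
    report = {"expired": [], "expiring": [], "ok": []}
    for host, not_after in sorted(inventory.items()):
        left = days_remaining(not_after, now)
        if left < 0:
            report["expired"].append(host)
        elif left <= warn_days:
            report["expiring"].append(host)
        else:
            report["ok"].append(host)
    return report


# Constructed sample inventory: hostnames and dates are made up for illustration.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_INVENTORY = {
    "shop.example.test": "May 20 00:00:00 2024 GMT",  # already expired
    "api.example.test": "Jun 15 00:00:00 2024 GMT",   # 14 days left
    "www.example.test": "Dec 31 23:59:59 2024 GMT",   # comfortably valid
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY, SAMPLE_NOW).items():
        print(f"{status:9s} {', '.join(hosts) or '-'}")
```

Replacing the sample dates with `fetch_not_after(host)` for each host in a real domain list turns this into a scheduled expiry monitor.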
For businesses intent on implementing proper SSL/TLS certificate management, it comes down to choosing between free or paid options. Here, the maxim “you get what you pay for” tends to hold true; while free certificate discovery tools are better than no automation at all, subscription-based SaaS provides more options, functionality, and improved UX. Here’s how the leading certificate management tools stack up.
Free vs paid SSL/TLS certificate discovery tools
OpenSSL operates under an Apache-style license, making it free to use, albeit with limited capacity: it is a certificate-by-certificate discovery tool accessed via the command line. As such, it's not the most user-friendly piece of software to get to grips with, and is best reserved for more technical teams that are comfortable with getting their hands dirty, so to speak.
Nmap is another command line-based solution that can be used to scan endpoints. It provides a wide array of tools and can serve up all manner of insights into certificates, but suffers from a poor interface.
Qualys CertView is a cloud-based cert management tool that’s free to use, and has a cleaner interface than the solutions mentioned above. It’s let down, however, by limited functionality; there’s no CT log monitoring, internal scans or subdomain search, for example.
Keyhub is a cloud-based platform that provides a universal solution for SSL/TLS certificate management. It arms enterprises with indispensable tools:
- Automatic certificate discovery. Both internal and external networks are covered, the latter via a free plan.
- Organized inventory for all detected certificates.
- Analytics to monitor all SSL/TLS certificate expiry dates and vulnerabilities.
Handily, there are built-in certificate-related tools, such as CSR and certificate decoders, that can be accessed for free with Keyhub: simply create an account and then, in the Tools section, paste your CSR into the box. You can also upload a .pem, .cer, .crt, .p12 or .txt file. To access the entire suite, you'll require one of the paid plans, which range from up to 100 to over 1,000 certificates to suit organizations of all sizes.
Fast (up to 1,000 certificates can be scanned in 60 seconds) and user-friendly, with CT log monitoring built in, Keyhub is a great certificate discovery tool for businesses that have no desire to cut corners.
Whatever tool you choose, know that if utilized to its full capacity, you’ll be securing your business with a certificate discovery solution that eliminates the ticking time bomb that is manual SSL/TLS certificate management. The only question you’ll be left with after automating your certificates is pondering why you didn’t do it sooner.