Warfare has been described as “interminable boredom punctuated by moments of terror.” It’s a description that could be equally applied to manual certificate management. Every day, your business is under attack from blackhats, greyhats, nation state hackers, bored script kiddies and bots, as well as anything and everything else probing your systems for vulnerabilities.
Most of the time, they don’t get very far. Most of the time, your cyber defenses work just as they’re supposed to, repelling both dumb and smart attempts at infiltration. Every once in a while, though, an expired certificate slips through the net and then it’s open season on your network.
That’s why you need a certificate discovery tool to monitor your system during those long periods of interminable boredom, ensuring that the moments of terror never arrive. They’re not the flashiest or most exciting enterprise software you’ll ever use, but then they’re not meant to be; digital certificate tools quietly take care of business in the background so you can get on with yours.
Why SSL/TLS discovery software is essential
Before automated cert management tools came along, businesses had to manually oversee all of their digital certificates, often using nothing more sophisticated than an Excel spreadsheet – in fact many still do. In the case of large organizations, the number of certs to oversee can run into the thousands. All it takes is a missed Excel row or an absent employee for a single day for a certificate to lapse. It’s a system that works...until it doesn’t.
Enter SSL/TLS discovery tools, which do a lot more than simply issue a reminder any time a digital certificate is due to expire. The best software serves as an all-in-one solution for detection, organization, tracking, and analysis. These tools perform advanced services that extend far beyond anything an admin armed with an Excel sheet could ever hope to accomplish including:
- Deep network scans
- Port scanning with IP range
- Port scanning with domain list
- Subdomain search
- CT log discovery
- Scans of both internal & external networks
This is all on top of aggregating an enterprise’s certificates, which can be scattered across multiple departments, units, and sites. In addition to presenting a security risk, certificate expiration can result in website and server downtime, complete with the costs this carries.
For businesses intent on implementing proper SSL/TLS certificate management, it comes down to choosing between free or paid options. Here, the maxim “you get what you pay for” tends to hold true; while free cert discovery tools are better than no automation at all, subscription-based SaaS provides more options, functionality, and improved UX. Here’s how the leading cert management tools stack up.
Free vs paid certificate discovery tools
OpenSSL operates under an Apache-style license, making it free to use, albeit with limited capacity and cert-by-cert discovery accessible only via the command line. As such it’s not the most user-friendly of software to get to grips with, and is best reserved for more technical teams that are comfortable with getting their hands dirty, so to speak.
Nmap is another command-line solution that can be used to scan endpoints. It provides a wide array of tools and can serve up all manner of insights into certs, but suffers from a poor interface.
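To show what the cert-by-cert, command-line style of discovery looks like once scripted against a domain list, here is an added example (not code from the page or from any of the tools named): fetch_cert does the per-host TLS check, and audit classifies an inventory by days to expiry. The hostnames and the notAfter records are constructed, not real certificates.

```python
import socket
import ssl
from datetime import datetime, timezone

# Hypothetical hostnames with hand-written records in getpeercert() shape;
# constructed for this example, not real certificates or hosts.
SAMPLE_INVENTORY = {
    "shop.example.internal": {"notAfter": "Jun 30 12:00:00 2030 GMT"},
    "api.example.internal": {"notAfter": "Jan 15 00:00:00 2024 GMT"},
    "mail.example.internal": {"notAfter": "Mar 10 00:00:00 2024 GMT"},
}
REFERENCE_NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)  # fixed clock for a reproducible run


def fetch_cert(host, port=443, timeout=5):
    """Open a validated TLS connection and return the leaf certificate
    in the dict form ssl.SSLSocket.getpeercert() produces."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def days_remaining(cert, now):
    """Days until the certificate's notAfter; negative once it has expired."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])  # UTC epoch seconds
    return (expires - now.timestamp()) / 86400


def classify(cert, now, warn_days=30):
    """'expired', 'expiring' (inside the warning window) or 'ok'."""
    remaining = days_remaining(cert, now)
    if remaining < 0:
        return "expired"
    if remaining < warn_days:
        return "expiring"
    return "ok"


def audit(inventory, now=None, warn_days=30):
    """Map each host in {host: cert dict} to its expiry status."""
    now = now or datetime.now(timezone.utc)
    return {host: classify(cert, now, warn_days) for host, cert in inventory.items()}


def discover(hosts, now=None, warn_days=30):
    """Live variant: fetch each host's certificate, then audit. Unreachable
    hosts and failed handshakes are reported rather than silently skipped."""
    inventory, report = {}, {}
    for host in hosts:
        try:
            inventory[host] = fetch_cert(host)
        except OSError as exc:  # ssl.SSLError is an OSError subclass
            report[host] = f"error: {exc}"
    report.update(audit(inventory, now, warn_days))
    return report
```

Run `audit(SAMPLE_INVENTORY, REFERENCE_NOW)` for the offline demonstration, or `discover(["host1", "host2"])` against hosts you administer for the live check.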
Qualys CertView is a cloud-based cert management tool that’s free to use, and has a cleaner interface than the solutions mentioned above. It’s let down, however, by limited functionality; there’s no CT log monitoring, internal scans or subdomain search, for example.
Keyhub is a cloud-based platform that provides a universal solution for certificate management. It enables enterprises to automatically discover, organize and track all of their SSL/TLS certificates and to perform deep scans that include subdomains. Both internal and external networks are covered, the latter via a free plan. Fast (up to 1,000 certs can be scanned in 60 seconds) and user-friendly, with CT log monitoring built in, Keyhub is the best cert discovery tool for businesses that have no desire to cut corners.
Handily, there is a decoding tool that can be accessed for free with Keyhub; simply create an account and then, in the Tools section, paste your CSR into the box. You can also upload a *.pem, *.cer, *.crt, *.p12 or *.txt file. To access the entire suite, you’ll require one of the paid plans, which range from up to 100 to over 1,000 certificates to suit organizations of all sizes.
Whatever tool you choose, know that if utilized to its full capacity, you’ll be securing your business with a cert discovery solution that eliminates the ticking time bomb that is manual SSL/TLS certificate management. The only question you’ll be left with after automating your certificates is pondering why you didn’t do it sooner.