Certificate management is the process through which an organisation monitors and manages the life cycle of all certificates deployed in a network.
Also known as X.509 certificates, digital certificates have all of the information that is necessary to authenticate the identity of individuals, websites, organisations and more. Digital certificates use a unique private/public key pair which verifies information as it moves across a network, and are crucial in identifying and validating digital communications and communicators.
Although digital certification may seem overly complex, employing a digital certificate is actually a very simple process.
Certificates have a well-defined lifecycle—they are issued, used and retired. As such, they experience a specific ‘lifecycle’. This lifecycle consists of eight steps, all of which relate to vital processes with a certificate management system. While some of these mid-cycle steps may occur in a different order than is presented here, every certificate must pass through each of these steps during the course of its lifetime.
When the need for a new certificate arises, cypher suites must first be configured and a private key must be created, in a process known as the certificate signing request (CSR). The CSR is sent, received and verified, and the certificate authority proceeds to issue a new certificate.
Once a certificate is acquired, it is installed onto endpoints, such as servers, applications and devices. Certificate chains are established, and root and intermediate certificates must be configured correctly to prevent any confusion during possible renewals.
During the discovery step, the entire network is scanned to identify where each certificate is and whether it has been deployed correctly. A discovery scan helps protect the system from unresolved, potentially exploitable vulnerabilities by identifying any unknown certificates that may be present.
Renewal and revocations of certificates are easier when they are organised into a central inventory. It is also more simplified when certificates are managed based on team structure, managed according to who is using them.
Reporting and monitoring are important for two reasons: first, reporting provides administrators with information about certificates and their statuses, while providing quick answers to important questions. For instance, what certificates need to be renewed? How many have been issued? Which ones need to be replaced? Second, it ensures that the system doesn’t have any blind spots. This helps administrators anticipate and remediate certification expiries, proactively avoiding outages in the process.
Certificates have a limited lifetime, and they need to be renewed by a CA to remain valid. The process can be automated by certificate manager tools which automatically send certificates to CAs for renewal.
There may be reasons why a certificate needs to be revoked. Such reasons are: a hash function has depreciated, or an administrator wants a different type of certificate. A revoked certificate is invalid, which is important to ensure that an old certificate isn’t used by malicious third parties.
The public key infrastructure (PKI) is one of the most important ways to understand certificate management. PKI is made up of the roles, policies, people, hardware, software and firmware systems that are necessary for secured connections across private and public networks.
Secure sockets layer (SSL) and transport layer security (TLS) are the most common types of PKI. Both employ a hybrid cryptosystem that uses both types of encryption. A server’s certificate has an asymmetric private and public pair, and the session key that the server creates is symmetrical.
The certification authority is a third party that provides end-user keys and certificates. They manage the lifecycle, including generation, expiry, revocation and updating.
This is the highest level of the CA hierarchy. Root CAs are kept securely offline. For an end entity certification to be trusted, the root CA must be embedded in the OS, system, browser or whatever the end point is that is validating the certificate.
A subordinate CA’s primary purpose is to authorise and define the types of certificates requested. The CAs live between the root and end entity certifications.
These are certificates installed on machines, devices, servers and cryptographic hardware.
Client application refers to the end-user software that requests and uses certificates for electronic business. A managed PKI also needs services that will operate with other components, which provide services that allow for applications of electronic commerce. Such services include bringing your own device, code signing, access management, S/MIME email servers, legally binding electronic signatures and automated registration.
This provides a scalable mechanism to store and distribute certificates, certificate revocation lists and cross-certificates to PKI end users. These components need to be responsive due to their central position in the PKI.
Enterprise processes need to leverage digital systems to operate, especially as more and more devices are becoming connected—and, every connected system needs a certificate to operate security. Administrators have to be able to ensure that there are no unwanted certificates, and handling the processes manually often is not feasible. Specialised management systems help track certificates, notify when certificates are expired/close to expiry, identify unknown certificates and promote better, more secure communication across an organisation’s networks.
Additionally, some of the most damaging security breaches in history were either the result of expired certificates, or were further exacerbated by expired certificates. For example, a 2017 breach of Equifax credit reporting agency went undiscovered for nearly three months, because an expired certificate was preventing proper inspection of network traffic. This compromised the personal information of 147 million people. And Equifax isn’t alone; LinkedIn, Microsoft, Ericsson, and most recently, Google Voice have all suffered by failing to update certificates.
Expired certificates have the potential to either cause unplanned system outages, or to open holes in your digital security through which threat actors can gain access to your network. This can easily lead to disrupted service, reputational damage, exposure of sensitive organisational and customer data, and steep fines and penalties for those businesses who allow their certificates to lapse.
Renewing certificates before they expire is absolutely essential. But with potentially thousands of certificates in play, businesses face the almost insurmountable task of upgrading and renewing certificates with multiple CAs while adhering to pre-planned maintenance windows to prevent interrupting vital services. Perhaps even more problematic is that the certificates themselves lack vital context to help organisations prioritise critical certificates, identify service owners or even determine which certificates are in need of renewal.
To ensure on time certificate renewal, organisations need a single, centralised, easy-to-use inventory of certificates. ServiceNow makes this a reality; leveraging existing ServiceNow configuration and visibility mechanisms to identify certificates, businesses can keep a clear record of all their certificates, with little effort on their part.
Then, incorporating advanced automation in the form optimised workflows, organisations can optimise the renewal process, automatically getting in touch for approvals, signing tasks and effectively addressing any expired certificates. And through it all, the ServiceNow Certificate Management dashboard provides a complete, at-a-glance summary of the complete certificate picture.
With ServiceNow, you can give your essential certificates the attention they deserve, and avoid the danger, reputational damage and penalties that come with allowing those certificates to expire.
Foresee problems before they arise with ServiceNow.