Organizations don’t have basic visibility into their digital certificates: Keyfactor

When it comes to managing digital certificates, organizations face a nebulous dilemma, says a Keyfactor executive.

“Many organizations today still don’t have basic visibility into all the certificates that are being used within their organization, let alone the ones that need to be managed,” said Chris Hickman, chief security officer at Keyfactor. “They think they know how many, but when they actually go out and use a platform like ours to do a complete inventory, there are usually many hundreds if not thousands of more certificates.”


What are digital certificates and how do they work?

Just like passports, digital certificates are a basic method of authenticating an entity’s identity. By checking the digital signature embedded in a certificate, the receiver can rest assured that the information they download comes from an approved source. Digital certificates are issued by certification authorities (CAs) and need to be renewed on a regular basis. When a digital certificate expires, so does the identity of the entity it’s attached to.

Digital certificates are commonly used to verify the identity of websites. They are typically presented over the SSL or TLS protocol and are checked automatically by the browser. If the browser notices an expired or invalid certificate, it prompts the user with a prominent warning not to trust the website. Imagine Amazon’s main page being blocked due to an expired certificate, yikes!

Yet, even when a company has plenty of resources to oversee certificate validity, bad certs can still slip through the cracks. The 2017 Equifax breach, one of the most notorious and damaging breaches in recent memory, sat undetected for 76 days due to an expired certificate. For more recent examples, Spotify was down for an hour when a TLS cert expired, and some suspect that an expired cert killed thousands of Samsung Blu-ray players after a firmware update.

If companies keep playing the blame game, it will get them nowhere. The key is to understand the certificate structure and ensure that when a cert is updated, it is installed on every relevant branch.

“A lot of organizations have traditionally kept an eye only on one or two certificates…But what they fail to do is realize that there is a chain of certificates across these technologies, that while one might only show up in a browser, for instance…every application or every device that’s touched along the way to present that to the user also has certificates.”

To illustrate, Hickman described updating and distributing a cert across load balancers. Even when the cert has been renewed, if it isn’t installed on all of the load balancers, the ones that are left out will keep presenting the old cert and can run into service issues.

Beyond keeping websites functional, digital certificates can be used to sign documents, establish remote connections, authenticate devices in a network and much more. The situation is even more complex when factoring in self-signed certificates, which are issued and managed internally by an organization.

“It’s a big challenge for organizations to not only be able to renew the certificates,” underscored Hickman. “There’s a manual set of steps that they need to do to go get that certificate, bring it to the device, deploy it on that device, make sure it’s properly configured and working and complete. It’s a monstrous task across a typical IT landscape today that is multi-vendor.”

Hickman recommended two considerations to alleviate headaches surrounding certificates:

  1. Determine whether a cert needs to be issued by a public certification authority or by an internal public key infrastructure. For certain enterprise applications, it may not be a good idea to use a publicly rooted certificate. Before requesting a certificate from a CA, understand what audience it addresses.
  2. Do an inventory check to see what certificates have been issued, what they’re being used for, what cryptographic standards they’re using, and what new tech is around the bend.
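The load-balancer scenario Hickman describes and the two recommendations above both come down to the same routine: collect what every device is actually presenting, then compare it against what you expect. The following is an added example, not Keyfactor's or IT World Canada's code, that runs that routine over a small inventory constructed inline. Each record is shaped like the dictionary that Python's `ssl.SSLSocket.getpeercert()` returns for a verified peer (in particular the `notAfter` date format, parsed here with the standard-library `ssl.cert_time_to_seconds`); the hostnames, node names, dates and fingerprints are invented for the example, and the `audience` field is an assumption standing in for the "who is this cert for" decision of recommendation 1.

```python
"""Certificate inventory hygiene check (added example, not the article's code).

Records mirror the dict shape of ssl.SSLSocket.getpeercert(); all values below
are constructed for illustration. The audit flags three things the article
calls out: expired or soon-to-expire certs, self-signed certs exposed to a
public audience, and fleet members (e.g. load balancers) still presenting an
old certificate after a renewal.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
import ssl


@dataclass(frozen=True)
class CertRecord:
    service: str      # DNS name clients connect to
    node: str         # device that actually presented the certificate
    audience: str     # "public" or "internal" (assumed classification)
    issuer_cn: str
    subject_cn: str
    not_after: str    # formatted as getpeercert()["notAfter"], e.g. "Jun  1 00:00:00 2025 GMT"
    fingerprint: str  # SHA-256 of the DER certificate; constructed values here

    @property
    def self_signed(self) -> bool:
        # Good enough for an inventory pass: issuer and subject name match.
        return self.issuer_cn == self.subject_cn

    @property
    def expires_at(self) -> datetime:
        # cert_time_to_seconds understands the OpenSSL date string, padded day included.
        return datetime.fromtimestamp(ssl.cert_time_to_seconds(self.not_after), tz=timezone.utc)


def audit(records, now, warn_days=30):
    """Return a list of (node, service, finding) tuples."""
    findings = []

    # Per-certificate checks: validity window and audience.
    for r in records:
        days_left = (r.expires_at - now).days
        if days_left < 0:
            findings.append((r.node, r.service, "expired"))
        elif days_left < warn_days:
            findings.append((r.node, r.service, f"expires in {days_left} days"))
        if r.self_signed and r.audience == "public":
            findings.append((r.node, r.service, "self-signed certificate on public endpoint"))

    # Fleet consistency: every node serving one service should present the same cert.
    by_service = defaultdict(list)
    for r in records:
        by_service[r.service].append(r)
    for service, members in by_service.items():
        if len({m.fingerprint for m in members}) > 1:
            newest = max(members, key=lambda m: m.expires_at)
            for m in members:
                if m.fingerprint != newest.fingerprint:
                    findings.append((m.node, service,
                                     f"stale certificate; {newest.node} presents the renewed one"))
    return findings


# Constructed inventory: three load balancers, one of which missed the renewal.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
INVENTORY = [
    CertRecord("shop.example.com", "lb-1", "public", "Example CA", "shop.example.com", "May 30 00:00:00 2026 GMT", "aa11"),
    CertRecord("shop.example.com", "lb-2", "public", "Example CA", "shop.example.com", "May 30 00:00:00 2026 GMT", "aa11"),
    CertRecord("shop.example.com", "lb-3", "public", "Example CA", "shop.example.com", "May 30 00:00:00 2025 GMT", "bb22"),
    CertRecord("mail.example.com", "mx-1", "public", "Example CA", "mail.example.com", "Jun 20 00:00:00 2025 GMT", "cc33"),
    CertRecord("api.example.com", "api-1", "public", "api.example.com", "api.example.com", "Jan  1 00:00:00 2027 GMT", "dd44"),
    CertRecord("wiki.example.corp", "wiki-1", "internal", "wiki.example.corp", "wiki.example.corp", "Jan  1 00:00:00 2027 GMT", "ee55"),
]

if __name__ == "__main__":
    for node, service, finding in audit(INVENTORY, NOW):
        print(f"{service:20} {node:8} {finding}")
```

In a real run the records would come from whatever collected them (a scanner connecting to each node, or an agent reading the device's configured certificate), with the fingerprint computed over `getpeercert(binary_form=True)`. The fleet check is the part that catches Hickman's load-balancer case: the stale node is reported even when its certificate is still within its validity period.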

Digital certificate technologies are continuously evolving, and although digital certificates and public key infrastructure (PKI) have been around for a long time, there isn’t anything on the horizon that could replace them. That said, Hickman expects PKI to adapt to emerging technologies in the future.

“There’s no move towards changing the technology, there will be changes within the technology,” Hickman said. “When quantum supremacy is actually realized…the way we use crypto today is going to essentially be invalidated. So PKI will need to emerge to a new set of cryptographic standards. But the core technology and the underlying infrastructure? I don’t see changing for a long time.”


Tom Li
Telecommunication and consumer hardware are Tom's main beats at IT World Canada. He loves to talk about Canada's network infrastructure, semiconductor products, and of course, anything hot and new in the consumer technology space. You'll also occasionally see his name appended to articles on cloud, security, and SaaS-related news. If you're ever up for a lengthy discussion about the nuances of each of the above sectors or have an upcoming product that people will love, feel free to drop him a line at [email protected]
