The Growing Challenges of Certificate Lifecycle Management


Digital certificates and PKI-enabled technology are pervasive yet largely unseen, unknown and not well understood. They are the digital credentials that authenticate the identities of users and machines on the Internet and ensure that the applications, websites, and services you interact with can be trusted and are indeed what they purport to be.

Digital certificates, also called public key infrastructure (PKI) certificates, are foundational to virtually every digital interaction. However, because they operate in the background, many organizations underestimate the critical role they play—and the need to manage them effectively.

Multiple trends are driving an explosion in the use of digital certificates in enterprise organizations. Main drivers include:

  • Rapid digital transformation has created new use cases that require simple and secure digital trust.
  • Bad actors leverage weak identities, both human and machine, to access critical enterprise resources. This includes accessing corporate networks, deploying ransomware, and compromising the software supply chain.
  • PKI and certificates have therefore become the foundation for establishing digital trust in a zero-trust world, covering the growing volume of human and machine identities.
  • Certificates are being used in critical use cases such as passwordless authentication, DevOps, robotic/bot access automation, document signing, and other remote authentication scenarios.

This means that certificate-based security is a foundation for simplifying and securing the hybrid-remote workforce. Certificates are also a critical component of operating in a modern hybrid and multi-cloud environment. Traditional firewalls and perimeter security have evolved into zero-trust network access (ZTNA). At the heart of ZTNA is digital identity, and digital certificates are the best mechanism for it.

“As more of our lives become digitally enabled, we become more dependent on digital certificates,” says Tim Callan, Chief Compliance Officer at Sectigo. “Their volume and complexity have exploded in the past decade. They’re everywhere.”

Changing dynamics add to management challenges

Some studies have shown that the average modern enterprise is managing upwards of 50,000 certificates. Many of these credentials are issued by private (internal) CAs, and others come from external, publicly trusted certificate authorities.

Organizations often don't have an accurate inventory of certificates and keys being used in their IT environment. Although PKI certificates are the identities that humans and machines use to establish trust and connect with each other, they are often left largely unmanaged and unprotected. Many organizations continue to use spreadsheets and manual methods to track certificates, and few have a centralized process to manage them.

“As a consequence of the growing complexity and volume of digital certificates, if they don’t work correctly, the systems used to run your business don’t run correctly,” Callan says. “Every one of these certificates is like a little ticking time bomb waiting to blow up and ruin your day.”

One common example is the problem of certificate expiration. Every digital certificate has an expiration date by which it must be renewed or replaced. If it is not renewed, the certificate becomes invalid and every service that relies on it is disrupted. Most modern browsers, for example, do not trust websites with expired certificates, which means users can no longer access the site.

Keeping track of the expiration dates of tens or even hundreds of thousands of certificates is a complex task that cannot realistically be handled manually. Studies have shown that most organizations have experienced outages of varying severity because of certificate expiration issues.
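As an added illustration (not code from the article or from Sectigo), the Go program below performs the kind of automated sweep the paragraph argues for: it walks a PEM bundle and reports every certificate that has already expired or will expire inside a renewal window. The common names and the self-signed certificates are constructed test data so the check runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// ExpiringSoon parses every CERTIFICATE block in a PEM bundle and maps the
// subject of each certificate that is already expired (true) or expires within
// window of now (false). Other PEM payloads (keys, CSRs) are skipped; a block that
// fails to parse is an error rather than a silent gap in the inventory.
func ExpiringSoon(bundle []byte, now time.Time, window time.Duration) (map[string]bool, error) {
	flagged := map[string]bool{}
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("unparseable certificate in bundle: %w", err)
		}
		if cert.NotAfter.Before(now.Add(window)) {
			flagged[cert.Subject.CommonName] = cert.NotAfter.Before(now)
		}
	}
	return flagged, nil
}

// SelfSigned builds a constructed self-signed test certificate (not real inventory
// data) with the given common name and expiry; errors are ignored for test data only.
func SelfSigned(cn string, notAfter time.Time) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notAfter.AddDate(-1, 0, 0), NotAfter: notAfter}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	now, day := time.Now(), 24*time.Hour
	bundle := append(SelfSigned("expired.example", now.Add(-day)), SelfSigned("renew-soon.example", now.Add(10*day))...)
	bundle = append(bundle, SelfSigned("healthy.example", now.Add(400*day))...)
	flagged, _ := ExpiringSoon(bundle, now, 30*day) // constructed bundle is known to parse
	fmt.Println(flagged)                           // healthy.example is absent from the report
}
```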

Even large companies are not immune from certificate expiration issues. In early November 2021, for instance, some users of Microsoft Windows 11 were unable to open or use certain built-in apps, such as a touch keyboard, voice typing, and a snipping tool because of an expired Microsoft digital certificate.

Another management challenge facing organizations is that a digital certificate may need to be revoked because it has become untrusted or unreliable. This can happen if a certificate authority is breached. A certificate would also be revoked if an attacker compromises an organization’s internal certificate infrastructure and uses its certificates to impersonate the company or carry out malicious activity. For example, a hacker could abuse a trusted organization's code-signing certificate to sign and distribute malware.

“So, with new digital transformation efforts and cloud enablement, more certificates are expected,” Callan says. “However, the market can't leverage them properly if there are management issues such as digital certificate expirations impacting critical business applications.”

Gaining control of digital certificate management

Organizations need a formal Certificate Lifecycle Management process to ensure ongoing operations and data security. They need a single platform to discover, automate, and manage the growing volume of certificates in the environment regardless of the issuing CA or certificate origin. The platform should be built on open standards so that it integrates with the technology providers already in place and fits any IT environment, with interoperability at the heart of its design.

“The critical nature of digital certificates is leading enterprises into a situation where they need a reliable, universal, automated management solution to ensure that all of these digital certificates are operating correctly,” says Callan. “If they don’t work properly, it can have a cascading effect on your business.”


Copyright © 2022 IDG Communications, Inc.