In a secure network environment, machine identity management refers to the systems and processes that manage the credentials machines need to authenticate and to access resources and other machines. Every machine in a modern enterprise digital environment, from computers and mobile devices to servers and network infrastructure, has a machine identity.
The ever-increasing number of machine interactions inherent in digitalized processes poses a significant risk to business survival without adequate authentication management. With the help of cryptographic keys and digital certificates, these systems can determine whether an interaction is trustworthy or not.
A machine identity is a digital credential or “fingerprint” used to establish trust, authenticate other machines, and encrypt communication. Regardless of the number of identities involved or the complexity of the enterprise network, it’s essential that the entire machine identity lifecycle is effectively managed, ensuring that access is only allowed to legitimate users or machines.
Machine identities must be validated to implement a Zero Trust security model based on the concept of “Never Trust, Always Verify.” Public Key Infrastructure (PKI) certificates and cryptographic key pairs can be used to strengthen verification and secure connections between entities outside of a firewalled network architecture.
What is Machine Identity?
Generally, a user identity is represented by a username and password. When a user logs into an application, they enter a username and password, the application checks them against the database, and if the credentials match, the user is authenticated and can access the application.
Similarly, machines need to be authenticated for secure communication with other machines. A machine identity is much more than a digital ID number or a simple identifier like a serial number or part number. It is a collection of authenticated credentials that confirm that a system or user can access online services or a network. A machine cannot enter a username and password. Instead, machines use a set of credentials that are better suited to highly automated and linked settings: digital certificates and keys that establish their identity.
To secure network communications, every internet protocol (HTTPS, SSH, FTP, and so on) checks and authenticates machine identities.
Working of Machine Identity
To understand how machine identity works, let’s look at common machine-to-machine communication between a server and a client.
When a client tries to establish a connection with a web server, the server provides its digital certificate on receiving the connection request. The client then validates the digital certificate (an SSL/TLS certificate) and thereby verifies the server’s identity. When dealing with sensitive applications, the server may also request that the client authenticate its identity by sharing its certificate. After authentication, both sides exchange keys for encryption and hashing, and a secured session is established.
Machine Identity Enforcers
Because machines cannot enter a username and password, they use credentials better suited to highly automated and linked settings: digital certificates and keys. The certificate and key types vary depending on the machine, communication protocol, and usage.
Following are some commonly used certificates and keys that make up machine identity:
SSH keys and Certificates: Users, usually system administrators, use SSH keys to secure privileged access to critical systems. Because SSH keys are used to authorize access to important IT systems, the SSH protocol is more secure than TLS/SSL. While it is not common practice to use SSH certificates for authentication, it is recommended as it eliminates the manual, insecure process of key approval and distribution.
Code Signing Certificates: Code-signing certificates ensure that scripts, executables, and software builds are genuine and protect them from tampering, which builds trust among users.
Cryptographic Keys: Cryptographic keys, particularly symmetric keys, are used to protect data at rest and data in transit, and to encrypt credit card and other PII (Personally Identifiable Information) data. Symmetric keys are less secure than public-key cryptography, but faster and more efficient.
X.509 Certificates: X.509 Certificates are the most extensively used machine identification certificates and the backbone of the Public Key Infrastructure (PKI). Server-client authentication over the HTTPS protocol (based on the TLS/SSL protocol) as well as digitally signing offline applications use these certificates for authentication.
Importance of Machine Identity Management
Machine identity management is a broad term that incorporates various technologies that are currently primarily isolated, like SSH key management, X.509 Certificate Management, etc.
To protect Machine Identity: Suppose someone gets hold of your identity. They can access your personal information, such as your credit card details and social media accounts, make a large transaction from your account, and impersonate you. A similar thing can happen if someone steals machine identities, but on a much larger scale, as a machine can hold records of thousands of individuals. When the identity of a crucial network device, such as a web server or a load balancer, is compromised, the attacker gains access deep into the network. They can then gain administrator privileges and inject malicious code into critical devices, causing them to malfunction or even shutting down systems. This can result in severe damage to both customers and users of the organization.
Keep up with the explosive growth of machines: The number of machines in the world is outpacing the number of people who use them. The sheer number of machine identities that must be secured, including mobile, cloud, and IoT devices, makes keeping machine identities secure significantly more difficult.
The proliferation of secure cloud-based machines: The rapid evolution of cloud services requires a rapid assessment of machine trustworthiness, including cloud workloads, virtual machines, containers, and microservices. Because of the fluid nature of their interactions, their identities may be compromised.
Protect the identity of connected devices: A number of devices with their own identities are connected to the Internet, such as robots, medical devices, and sensors. Many of these devices use encrypted channels controlled by machine identities to transmit and store important data.
What Factors Led to Machine Identity Theft?
Following are some reasons that cause machine identity compromise:
CA Compromise: Certificate Authorities (CAs) are compromised when attackers steal the private key used to sign certificates issued to companies. Attackers can use these stolen private keys to sign certificates for malicious applications and fool browsers into believing they are trustworthy. These certificates, known as rogue certificates, are widely used by attackers to carry out phishing and man-in-the-middle attacks. A rogue intermediate or root CA can likewise misuse its authority and sign certificates for fraudulent servers and applications.
Certificate Outages: Certificates issued have a validity period associated with them. If a certificate is not renewed before it expires, it can result in a certificate-related outage on the system it supports. Until a new certificate is installed, the unplanned outage and associated downtime will persist. Certificate-related outages are difficult to identify without knowing exactly where a certificate is installed and who controls that system.
Operational Inefficiencies: Each digital certificate that serves as a machine identity takes the organization some time per year to manage. With thousands of machine identities, the overhead can quickly increase. Administration becomes more complicated when the administrator is unfamiliar with certificates or trust stores, and the time required increases quickly if machine identity operations are not running smoothly, especially when there is a breach or outage.
Unknown Revoked Certificates: Sometimes digital certificates are revoked before the end of their validity period because their private key has been compromised or the application the certificate is associated with is no longer operational. Sometimes a certificate is not revoked by the Certificate Authority (CA), or the Certificate Revocation List (CRL) is not updated on time, which leads to a revoked certificate being recognized as valid. For example, attackers can use an orphan certificate for phishing attacks if an application has been taken down but its certificate has not been revoked on time.
Challenges in Machine Identity Management
Following are some challenges that make Machine Identity Management critical:
Visibility: When there is a large number of certificates and keys in an organization, it is difficult to track them. Many organizations do not even know how many certificates and keys they have, their validity periods, or the policies they comply with.
Governance: The next problem is a lack of ownership and control. In organizations, SSH keys and SSL/TLS certificates are used by various teams, but there is no consistent policy for how they are issued, who can access them, how keys are rotated, how certificates are renewed, and so on.
Protection: Digital certificates for machine identities must be issued by a trusted Certificate Authority (CA). Private keys must be stored in a Hardware Security Module (HSM) and protected from compromise. Machine identities cannot be trusted unless these safeguards are in place.
Automation: Manual management of the certificate lifecycle is not just time-consuming; it is also error-prone and highly inefficient. Manually issuing, revoking, renewing, and auditing certificates can lead to downtime and outages.
Best Practices for Machine Identity Management
Centralize Management: Machine identity management should be centralized, which helps streamline policy implementation across various devices. Certificates can also be grouped by parameters such as expiry date and criticality, and group policies applied, making them easier to manage. There should be proper policy management that prevents unauthorized access and allows machine identities to do their job securely.
Automation: The machine identity management process can be automated, which helps in defining an action for a single machine identity as well as for an entire group. All the actions can be defined in advance and triggered based on specific conditions. Enrollment, provisioning, renewal, and revocation of certificates can be automated, which helps keep machine identities up to date and effectively eliminates outages. In short, the entire machine identity lifecycle should be automated, including certificate and key lifecycle management, which prevents the errors that occur in manual actions.
Storage: All machine identities, such as SSH keys and digital certificates, must be stored in a centralized, secure environment. Identities can be stored in a Hardware Security Module (HSM) that is FIPS 140-2 Level 3 compliant. An HSM keeps the certificates and keys secured even if the user network gets compromised.
SSH key rotation: Organizations must rotate their SSH keys after a certain period, generating new keys so that the same SSH keys are not used for a long time. Key rotation helps strengthen SSH key security and protects against risks like key sprawl. The key rotation process should be automatic rather than manual so that keys are rotated regularly.
Enforce strong security policies: Organizations must set up and enforce strong security policies to keep their machine identities secure and ensure that every machine identity complies with appropriate government regulations. Implementing strong security policies allows monitoring every aspect of machine identity.
Machine Identities Auditing: Machine identities should be audited at regular intervals, which helps in finding vulnerabilities like expiring certificates and weak passwords, and prevents outages. Auditing can also be automated using third-party tools. Regular auditing helps an organization improve its management strategies.
The Internet of Things (IoT) has developed and is continuing to evolve. It is already well-established in a number of industries, including factories, smart cities, retail, healthcare, and a variety of other sectors. By enabling connectivity of devices, services, and systems that go far beyond conventional machine-to-machine (M2M) capabilities, the Internet of Things provides a unique opportunity to deliver compelling benefits across numerous sectors. On the other hand, establishing trust and security is critical to ensuring that IoT innovation offers the services that people and organizations expect.
IoT solutions rely on working with fundamentally secure systems and data. That means maintaining confidentiality, availability, and integrity is critical. For example, access to information should be limited to those who are authorized to access it in order to keep data private. In addition, transmitted data should be encrypted to prevent any unauthorized.
Need for IoT Security
Security breaches in IoT devices can occur at any time, including manufacturing, network deployment, and software updates. These vulnerabilities provide entry points for hackers to introduce malware into the IoT device and corrupt it. In addition, because all the devices are connected to the internet, for example through Wi-Fi, a flaw in one device might compromise the entire network, leading other devices to malfunction.
Data security, including device authentication and data confidentiality and integrity.
To comply with regulatory requirements and requests to ensure that IoT devices meet the regulations set up by the industry within which they are used.
Role of PKI in IoT Security
Devices are the most frequent Internet users, and they require digital IDs to operate safely. In addition, the rapid evolution of IoT technology is boosting demand for internet of things public key infrastructure (IoT PKI) as businesses seek to adapt their business models to stay competitive and secure.
PKI has long been a significant Internet security standard, with all of the characteristics required to provide the high degree of trust and security demanded by today’s IoT deployments. It provides robust and well-proven security through encryption and authentication, as well as digital signatures to validate data integrity. PKI is also a dynamic security approach designed to handle a variety of IoT use cases. Organizations can use PKI to ensure that users, systems, and devices are securely authenticated and secure data both in-transit and at-rest.
The public key infrastructure (PKI) is a set of hardware, software, policies, and procedures for creating, managing, distributing, and updating digital certificates over time. PKI has been considered the backbone of Internet security for decades, and it’s now evolving as a flexible and scalable solution capable of fulfilling the data and device security needs of the Internet of Things.
End-user adoption and productivity are boosted when friction is reduced, and PKI provides an intuitive experience that includes mutual authentication, encryption of sensitive data, and data integrity assurance. In addition, it allows for flexible deployment in a variety of environments and is scalable.
PKI eliminates the need for passwords and complex authorization checks. Devices need to share their public keys and can begin exchanging data. Digital certificates provide a secure environment for IoT devices to operate, minimizing data leakage and hacking risks with point-to-point encryption and flawless authentication. They also validate software upgrades, making it difficult for hackers to get access to the network. PKI is a key component of TLS (Transport Layer Security), and incorporating it into IoT could provide much-needed consistency.
How to Use Public Key Infrastructure (PKI) to Protect IoT Devices
Assign Unique identity to each IoT device: You can enable secure network access and code execution throughout the device lifecycle by integrating a cryptographically verifiable unique identity into each device. These identities, i.e., digital certificates, can also be altered based on manufacturer policy.
Define and Enforce Security Standards: The open standard for PKI enables organizations to define a system cryptographically with various options for trusted root CAs, revocation, and standard protocols for enrollment and deployment of certificates, such as Simple Certificate Enrollment Protocol (SCEP) and Automated Certificate Management Environment (ACME).
Scalable Security: Asymmetric encryption allows certificates to be issued from a single trusted Certificate Authority (CA). This disconnected verification architecture eliminates the requirement for a centralized server or agent-based software to authenticate devices and applications.
Maintain a High Level of Security: Digital certificates issued by a well-managed PKI provide significantly more security than conventional authentication techniques. In addition, secure hardware elements for cryptographic key storage can also be used in IoT devices, with validity periods that significantly exceed passwords or tokens’ practical lifetime.
Securing with a minimal Footprint: As devices with low memory and processing power have the ability to use asymmetric keys, PKI enables manufacturers to secure IoT devices with a minimal footprint. Elliptic Curve Cryptography (ECC) is considered ideal for sensor and network devices using smaller size keys.
IoT Security Challenges
Malware and Ransomware: The amount of malware and ransomware used to exploit IoT-connected devices will continue to rise in the coming years as the number of connected devices grows. While classic ransomware uses encryption to lock users out of various devices and platforms entirely, hybridization of malware and ransomware strains that integrate various attacks is on the rise. The ransomware attacks could be aimed at reducing or disabling device functioning while also stealing user data. For example, a simple IP (Internet Protocol) camera can collect sensitive information from your house, office, etc.
Data Security and Privacy: Data privacy and security are the most critical issues in today’s interconnected world. Large organizations use various IoT devices, such as smart TVs, IP cameras, speakers, lighting systems, printers, etc., to constantly capture, send, store, and process data. All the user data is often shared or even sold to numerous companies, violating privacy and data security rights and creating public distrust. Before storing and disassociating IoT data payloads from information that might be used to identify users personally, the organization needs to establish dedicated compliance and privacy guidelines that redact and anonymize sensitive data. Data that has been cached but is no longer needed should be safely disposed of. If the data is saved, the most challenging part will be complying with various legal and regulatory structures. Mobile, web, cloud apps, and other services used to access, manage, and process data associated with IoT devices should comply with the guidelines.
Brute Force Attacks: According to government reports, manufacturers should avoid selling IoT devices with default credentials, such as “admin” as both username and password. However, these are only guidelines at this point, and there are no legal penalties in place to force manufacturers to stop using this risky approach. In addition, almost all IoT devices are vulnerable to password hacking and brute-forcing because of weak credentials and login details. For the same reason, the Mirai malware was successful in detecting vulnerable IoT devices and compromising them using default usernames and passwords.
Skill Gap: Nowadays, organizations are facing a significant IoT skills gap that is stopping them from fully utilizing the new prospects. As it is not always possible to hire a new team, it is necessary to set up training and upskilling programs. Adequate training workshops and hands-on activities should be set up to hack a specific smart gadget. The more knowledge your team members have in IoT, the more productive and secure your IoT will be.
Lack of Updates and Weak Update Mechanism: IoT products are designed with connectivity and ease of use in mind. They may be secure when purchased, but they become vulnerable when hackers find new security flaws or vulnerabilities. In addition, IoT devices become vulnerable over time if they are not fixed with regular updates.
Best Practices for IoT Device Security
Following are some best practices that the manufacturer team should follow to secure IoT Devices.
Assign Unique Credentials to Each Device: IoT devices must be capable of sending encrypted data so that both users and manufacturers can trust that the data they receive is authentic and intended for them. This can be achieved by providing unique credentials to each IoT device in the form of digital certificates, which helps improve authentication and provides more security than today’s common practice of using default passwords or sharing keys in the case of symmetric cryptography.
Private Keys Protection: Asymmetric cryptography will be required to generate a unique digital certificate for each IoT device. Asymmetric cryptography generates public and private key pairs, so manufacturers must take additional care when storing private keys. Private keys can be securely stored in a Hardware Security Module (HSM) that is FIPS 140-2 Level 3 compliant.
Verify Updates through Code Signing: Manufacturers should validate the authenticity of new firmware or software before installing it, so that if a hacker integrates any malicious script in the software update, it can be detected. To do so, manufacturers should use a digital signature, created with a public and private key pair. When the developers sign their code with a private key, the public key can be used to verify that the update was not modified or tampered with in transit and was sent by the authorized manufacturer.
Establish Root of Trust (RoT): There should be an organization-specific Root of Trust (RoT). The RoT helps in initial identity authentication while issuing new keys or digital certificates. The RoT contains a key and gives manufacturers complete control over verifying the identity of anyone to whom they issue an encryption key.
Lifecycle Management of Keys, Certificates, and RoT: All the above best practices require continuous lifecycle management. Without adequate lifecycle management, the digital certificates, key pairs, and RoT in use would weaken over time. There should be a mapping of everything in use so that nothing extra is created. There should be continuous monitoring of keys, certificates, and RoT to find and fix any vulnerabilities. Update keys, digital certificates, and RoT if required to maintain the health of the security.
How Encryption Consulting’s Managed PKI Can Secure IoT
Encryption Consulting LLC (EC) will completely offload the Public Key Infrastructure environment, which means EC will take care of building the PKI infrastructure to lead and manage the PKI environment (on-premises, PKI in the cloud, cloud-based hybrid PKI infrastructure) of your organization.
Encryption Consulting will deploy and support your PKI using a fully developed and tested set of procedures and audited processes. Admin rights to your Active Directory will not be required, and control over your PKI and its associated business processes will always remain with you. Furthermore, for security reasons, the CA keys will be held in FIPS 140-2 Level 3 HSMs hosted either in your secure datacentre or in our Encryption Consulting datacentre in Dallas, Texas.
Digital certificates are used across the Internet to authenticate users exchanging data with one another. Since every legitimate website uses a certificate, certificate management is extremely important. If a certificate were to be stolen and misused, an attacker could pose as another, more legitimate, source and infect a user with malware via their website. The expiration of a certificate can result in an outage, causing an organization to lose out on potential customers. These are just a few reasons to learn more about certificate management.
What is Certificate Management?
Certificate management is the process of monitoring, processing, and executing every process in a certificate’s lifecycle. Certificate management is responsible for issuing, renewing, and deploying certificates to endpoints (servers, appliances, devices, etc.) so that network services are uninterrupted. Certificate management should also automate tasks (issuing, renewal, and so on), as well as provide real time status of the infrastructure of the network.
Certificate management helps manage the network and prevent interruptions and downtime, while providing a detailed monitoring of the whole infrastructure. Good certificate management plans should be able to handle any network, even ones with thousands of devices. If a certificate expires or is misconfigured, catastrophic outages all over the network may occur.
What is a Digital Certificate?
Any discussion of certificate management would be incomplete without explaining what a digital certificate is. A certificate, also known as an SSL/TLS certificate, is a digital identifier for users, devices, and other endpoints within a network. Certificates are linked with a public/private key pair and verify that the public key, which is matched with the valid certificate, can be trusted. The main job of a certificate is to ensure that data sent across a connection between a user and a server is kept private. The certificate does this by encrypting and decrypting data as it is sent across the connection. This is achieved through something called an SSL/TLS Handshake.
A TLS Handshake is executed as follows:
1. Client Hello: The client hello occurs when the client sends a request to the server to communicate. The TLS version, the cipher suites supported, and a string of random bytes known as the “client random” are included in the hello.
2. Server Hello: In the server hello, the server acknowledges the client hello. It then ensures it is using a TLS version that is compatible with the client TLS version, selects a compatible cipher suite from the ones offered by the client, and sends its certificate, the server random (similar to the client random), and the public key to the client.
3. Certificate Validation: The validity of the server’s certificate is first checked by the client through the certificate authority. The certificate authority, or CA, is a highly trusted entity given the responsibility of signing and generating digital certificates.
4. Pre-Master String: The client then encrypts a random string of bytes, called the “Pre-Master String,” with the server’s public key and sends it back to the server. This ensures that only the server can decrypt the string with its own private key, acting as another level of security.
5. Session Key Creation: The server decrypts the pre-master string, and then both the client and server create session keys from the client random, the server random, and the pre-master string.
6. Finished Messaging: The client and server then send each other messages saying they have finished creating their keys, and they compare keys with each other. If the session keys match, the TLS Handshake is completed, and the session keys are used to encrypt and decrypt any data sent between the server and client.
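Steps 4 to 6 above, worked through with the TLS 1.2 pseudo-random function from RFC 5246 as an added example (not code from the original article): both sides expand the pre-master string and the two randoms into the same master secret and write keys, and the Finished check value matches only when both hold the same secret and saw the same handshake messages. The function names, the AES-128-GCM key sizes and the transcript bytes are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash expansion (RFC 5246, section 5) using HMAC-SHA256."""
    out, a = b"", seed                      # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_SHA256 keyed by the secret over label + seed."""
    return p_sha256(secret, label + seed, length)


def derive_session_keys(pre_master: bytes, client_random: bytes,
                        server_random: bytes) -> dict:
    """Step 5: run identically, and independently, by client and server."""
    master = prf(pre_master, b"master secret",
                 client_random + server_random, 48)
    # Assumed cipher: AES-128-GCM, so two 16-byte keys and two 4-byte IVs.
    # The key expansion seed puts the server random first.
    block = prf(master, b"key expansion", server_random + client_random, 40)
    return {
        "master_secret": master,
        "client_write_key": block[0:16],
        "server_write_key": block[16:32],
        "client_write_iv": block[32:36],
        "server_write_iv": block[36:40],
    }


def finished_verify_data(master: bytes, label: bytes,
                         transcript: bytes) -> bytes:
    """Step 6: the 12-byte check value carried in a Finished message."""
    return prf(master, label, hashlib.sha256(transcript).digest(), 12)


def run_handshake_demo() -> dict:
    client_random = os.urandom(32)
    server_random = os.urandom(32)
    # Pre-master string for RSA key transport: 2 version bytes + 46 random.
    pre_master = b"\x03\x03" + os.urandom(46)
    # Constructed stand-in for the handshake messages both sides recorded.
    transcript = b"ClientHello|ServerHello|Certificate|ClientKeyExchange"

    client = derive_session_keys(pre_master, client_random, server_random)
    server = derive_session_keys(pre_master, client_random, server_random)

    sent = finished_verify_data(client["master_secret"],
                                b"client finished", transcript)
    expected = finished_verify_data(server["master_secret"],
                                    b"client finished", transcript)
    # If a handshake message was altered in transit, the server's transcript
    # differs from the client's and the check value no longer matches.
    altered = finished_verify_data(server["master_secret"],
                                   b"client finished", transcript + b"|altered")
    return {
        "keys_match": client == server,
        "finished_ok": hmac.compare_digest(sent, expected),
        "tamper_detected": not hmac.compare_digest(sent, altered),
    }


if __name__ == "__main__":
    print(run_handshake_demo())
```

The RSA key transport the steps describe belongs to TLS 1.2 and earlier; TLS 1.3 removed it in favour of ephemeral Diffie-Hellman key exchange.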
Once created, certificates can be used for authentication of servers, clients, or other devices. Certificates are considered valid for a certain time period, and expire after that time frame. Certificates follow a constant lifecycle which includes phases such as creation, renewal, suspension, expiration, and more. If certificates are left to expire, then the certificate holder will no longer be trusted, resulting in a loss of service for the website or device being used. To receive a certificate, a user or website must first go through a certificate authority or sign one themselves.
Certificates can be obtained either from a trusted certificate authority or by self-signing. Certificate authorities, or CAs, generate certificates for users to be used for TLS/SSL authentication. To ensure a certificate authority can be trusted, the chain of trust of the CA can be followed back to the source CA. A chain of trust is a chain of certificates published by trusted CAs, leading all the way back to the Root CA. To start the process of acquiring a digital certificate, the requestor must send out a Certificate Signing Request (CSR) to the CA. The CSR must have the public key of a key pair created by the requestor, along with information to confirm the identity of the requestor, such as a social security number or driver’s license. Once the requestor’s identity has been confirmed, the certificate is signed and returned by the CA and can be used for identification of the requestor.
The other option to get a certificate is to create one yourself using the same information, and then to self-sign it. This is used less often, because the identity of the signer cannot be verified with other trusted CAs, thus rendering the self-signed certificate suspicious. Due to this, many will not accept a self-signed certificate, so using a CA to create a certificate is the suggested method.
There are several distinct stages to the certificate lifecycle, which are shown below.
Discovery: Discovery is the first stage of the certificate lifecycle. In the discovery phase, the network is scanned for missing, expired, or unusable certificates. This phase also ensures any certificates already in place have been deployed properly. Certificates with vulnerabilities and other weaknesses can also be detected and fixed or replaced. The different certificates are commonly inventoried together in this phase to allow for tracking of certificate statuses, or grouping of related certificate types.
Creation/Purchasing: In this stage the CA creates the certificate itself, or the user purchases a certificate from a trusted CA. The key pair for the certificate is created and the public key, CSR, and personally identifiable information are sent to the CA for certificate creation. If an organization or user does not have or does not wish to create a chain of trusted CAs, a certificate is purchased instead of being created.
Installation: This stage deals with the distribution and installation of the certificate in its proper place. All aspects of the certificate’s configuration are checked in the installation phase, including the key pairs, the cipher suites, and the digital signature. The certificate is then installed onto the appropriate endpoint it was created for, and begins authentication of that endpoint.
Storing: One of the most important stages of the certificate lifecycle is the storing phase. Certificates must be accessible, but not reusable by attackers, thus they must be kept in a secure and centralized location. The storing phase can also inventory the certificates into groups, if inventorying was not done in the discovery phase.
Monitoring: This is the longest phase, where the certificates are monitored throughout the duration of their expiration period. Once the expiration date is reached, or sometimes right before, certain certificate management systems will automatically renew certificates. If automatic certificate management systems are not being used, then a system administrator will need to monitor the network’s certificates and renew, revoke, or replace any certificate that reaches its expiration date.
There are benefits to both manual and automatic monitoring, which will be discussed in-depth in the next section, but there are two important benefits which stand above the rest. The biggest benefit of manual monitoring is that if an unexpected issue occurs, then the monitor can react in real time to the problem, whereas an automatic system will not know what to do. On the other hand, an automatic monitor’s biggest benefit is that certificate renewals, revocations, etc. will not be forgotten, which can occur if a human is monitoring certificates for years.
Renewal: The renewal process of certificates begins once the validity of the certificate has run out. Once the user or automated systems decide to renew the certificate, a CSR is resent to the original issuing CA to get the certificate renewed. The process occurs as it did with originally creating the certificate, but much more quickly.
Revocation: If the issuing CA has been decommissioned, a certificate is being misused, or for a host of other reasons, then a certificate can be revoked. Once revoked, the certificate is placed on a Certificate Revocation List, or CRL, if a CRL is in use. A CRL is a list of certificates revoked by the CA that should no longer be trusted. If an Issuing CA’s certificate is on a CRL, then that CA cannot be used in a chain of trust for other CAs or certificates. A downside to using CRLs is that revoked certificates are only published periodically, not every time a certificate is revoked. This issue means a user could renew their certificate with their issuing CA, even though a few hours ago their certificate was revoked for illegitimate usage.
Replacement: If a CA’s certificate is revoked or if the certificate owner wishes to move from paid certificates to their own Public Key Infrastructure, then the replacement phase occurs. This occurs less often, as it is easier to just renew a certificate with the original issuing CA.
The certificate lifecycle is not set in stone. Different organizations will have different stages, combine stages, or leave out stages entirely. As long as the certificates are discovered, created, stored, monitored, and renewed, then that is considered a certificate lifecycle.
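The gap described under Revocation, where a revoked certificate still passes a CRL check until the next list is published, can be modelled in a few lines. This is an added example, not code from the original article; the CA class, the six-hour publishing interval, and the serial number are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class CRL:
    this_update: datetime   # when the CA produced this list
    next_update: datetime   # when the CA promises the next list
    revoked: frozenset      # serial numbers listed as revoked


class CA:
    """Toy CA (hypothetical): records revocations at once, publishes on a schedule."""

    def __init__(self, publish_interval: timedelta):
        self.publish_interval = publish_interval
        self._revoked_at = {}  # serial -> time the revocation was recorded

    def revoke(self, serial: int, when: datetime) -> None:
        self._revoked_at.setdefault(serial, when)

    def publish(self, when: datetime) -> CRL:
        # Only revocations recorded up to the publication time are listed.
        listed = frozenset(s for s, t in self._revoked_at.items() if t <= when)
        return CRL(when, when + self.publish_interval, listed)


def check(serial: int, crl: CRL, now: datetime) -> str:
    """Relying-party decision using only the CRL it currently holds."""
    if not crl.this_update <= now <= crl.next_update:
        return "crl-not-current"  # fail closed: fetch a fresh CRL before trusting
    return "revoked" if serial in crl.revoked else "not-listed"


def exposure_window(revoked_at: datetime, first_publication: datetime,
                    interval: timedelta) -> timedelta:
    """Time from revocation until the first scheduled CRL that lists it."""
    # Ceiling division: number of whole intervals until the next publication.
    periods = max(-((first_publication - revoked_at) // interval), 0)
    return first_publication + periods * interval - revoked_at


if __name__ == "__main__":
    t0 = datetime(2025, 3, 1, 8, 0, tzinfo=timezone.utc)  # constructed timeline
    ca = CA(timedelta(hours=6))
    crl_0800 = ca.publish(t0)
    revoked_at = t0 + timedelta(hours=1, minutes=30)      # 09:30
    ca.revoke(0x1A2B, revoked_at)
    crl_1400 = ca.publish(t0 + timedelta(hours=6))

    print(check(0x1A2B, crl_0800, t0 + timedelta(hours=2)))            # inside the gap
    print(check(0x1A2B, crl_1400, t0 + timedelta(hours=6, minutes=5)))
    print(check(0x1A2B, crl_0800, t0 + timedelta(hours=7)))            # stale cache
    print(exposure_window(revoked_at, t0, timedelta(hours=6)))
```

Shortening the publishing interval narrows the window, and rejecting a CRL past its next-update time keeps a stale cache from extending it.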
Manual vs Automated Infrastructure
One of the most important parts of a company’s data security policy is the certificate management infrastructure put into place within the organization. A manual infrastructure involves having an employee create a spreadsheet to keep track of validity periods, policies, revocations, and configuration data of all the certificates within the organization. This method will work with a smaller company with an infrastructure only dealing with a few certificates, but many larger companies can have thousands upon thousands of certificates, making manual infrastructures too complicated. The other option is to create an automated certificate lifecycle infrastructure, which is the more common method. Below is a table highlighting the differences between manual and automated certificate management infrastructures.
Manual: Handled via a spreadsheet and a user keeping track of all the certificates within the organization
Automated: Streamlined and handled automatically; certificates renewed/replaced/revoked as soon as necessary
Manual: Costs many man hours
Automated: Less cost and no man hours needed
Manual: Must be constantly kept track of by the employee in charge to ensure certificates do not expire
Automated: Is constantly watched by the software set up in the infrastructure, allowing for quick renewal or replacement of certificates
Manual: Easy and quick to implement; only a spreadsheet is required
Automated: The software must be implemented correctly, or certificates will not be monitored correctly
One of the most important reasons to have a strong, automated certificate management system is if you have your own Public Key Infrastructure (PKI). A PKI is an infrastructure created to authenticate users based on digital certificates. PKIs can encrypt communications as well. The most common PKI is TLS/SSL, which uses both symmetric and asymmetric encryption in securing connections between two users. The core trust of a PKI comes from the certificates traded between the two sides of the connection. Most PKIs use a two layer architecture, which includes a Root CA and an Issuing CA.
The Root CA is a certificate authority that is kept offline and creates a certificate for the online Issuing CA. This creates a chain of trust with all certificates issued by the Issuing CA, as the Root CA is kept offline and is therefore secure from malicious intent. Issuing CAs distribute certificates for end users and devices. The less commonly used three-tier architecture for a PKI includes an Intermediate CA between the Root and Issuing CA, which acts as a go-between for the two. The reason automated certificate management is mainly used by PKIs is that it is more secure to create a PKI correctly once and then let the automated services keep the certificates up to date. This cuts down on the cost to the company, the man hours required to keep the PKI running, and human error. Since so many organizations are creating their own PKI, proper certificate management is key to any company’s security plan.
Another reason that so much importance is put onto certificate management is the need for every device and user that is connected to the Internet to have a digital certificate. Whenever a user or a device connects to a website, the authenticity of their digital certificate is checked, along with the certificate of the website. By having a strong chain of trust and a valid certificate, you can go anywhere on the Internet. However, if a certificate is invalid or expired, the user or device that certificate belongs to cannot go to most websites, as a secure connection cannot be established. The same holds true for website certificates. If their digital certificate is invalid, then users will not or cannot use that website, for fear of getting malware or viruses on their device.
One more reason to ensure strong certificate management is so that breaches do not occur in an organization. If a certificate were to be allowed into a network, even though it has untrusted CAs in its chain of trust, then the owner of that certificate could steal sensitive data or otherwise misuse company data for malicious purposes. Also, if the certificates are not stored properly, then an attacker could steal that certificate and pose as a legitimate user, while stealing, changing, or deleting sensitive data.
Other Certificate Uses
There are a number of other uses for digital certificates, which are listed below.
Point of Sales System
Internet of Things Devices
SSH Key Management
Customer Service Websites
Certificate Management with Encryption Consulting
Encryption Consulting provides a variety of services relating to certificate management. We offer PKI assessments, CP/CPS development for PKIs, and PKI Design and Implementation services. Our PKI assessment will assess the current certificate management practices of our customer and help with the development of a strategy and roadmap for certificate management. Our CP/CPS development and PKI design and implementation services provide assistance in creating and implementing all the stages of a PKI, from on-premises to the cloud. We can provide our services via video or in person, at the customer’s behest. We also provide services to help develop and implement certificate management systems into new and current infrastructure.
Almost all companies rely on cryptographic keys and digital certificates to keep communications between devices secure and confidential. Digital certificates and keys solved the problem of communicating back and forth securely on the Internet.
SSL/TLS certificates enable devices and systems to be uniquely identified and trusted. To keep digital communication safe, private communication tunnels are created using encryption that keeps digital communications safe across computer networks. Certificates and their associated keys control access to information in these private tunnels.
Hackers target certificates for use in their attacks because they know most companies have encryption tunnel blind spots. When attackers acquire access to certificates that have been stolen or faked, they obtain the globally trusted status provided by these digital assets, enabling them to gain access to private, encrypted tunnels through which they can monitor communications. With the help of these certificates, hackers can even establish their own encrypted tunnels for malicious activities.
Without the proper management of keys and digital certificates, dangerous private tunnels carrying malicious traffic might be hidden among numerous tunnels carrying good traffic supporting daily operations.
Best Practices for Protecting SSL/TLS Certificates and Keys
Identify and create SSL/TLS Certificates inventory: You subject yourself to security threats if you don’t keep a strict inventory of your certificates, so start by keeping track of all the issued certificates from your Certificate Authority (CA). Done manually, it can be challenging to ensure that you’ve collected everything, from internal CAs to network devices. To build an accurate inventory, enterprises should automate a system that quickly scans the whole digital infrastructure to identify all digital assets, including where they are installed, who owns them, and how they are utilized. This will help you identify all certificates that may influence the reliability and availability of your company’s infrastructure.
Monitor SSL/TLS Certificates: Manual management of certificates becomes challenging as your networks evolve and the number of certificates increases. All of the certificates in your environment should be continuously checked for availability, expiration, and key strength in real-time synchronization with CAs, SSL network scans, and certificate store inventories.
Automate certificate management: Processes that rotate any or all keys and renew certificates on a planned or as-needed basis are required by strong security procedures. With automation, you can update all affected certificates, private keys, and CA certificate chains fast. You may also respond quickly to major security events like a CA compromise or a zero-day vulnerability in a cryptographic algorithm or library by automating the tasks. Automation helps prevent outages and saves time from manual tasks like certificate requests, issuance, provisioning, and renewal.
Centralized Management of SSL/TLS Certificates: Certificates are often issued without any centralized knowledge of where they are installed, when they expire, or what policies they comply with, due to DevOps and the automation of infrastructure provisioning. As a result, SSL/TLS certificate administration becomes a considerably larger and more complex issue.
Secure Private Keys: When an attacker gets access to a private key, valuable data is leaked due to the impersonation of an enterprise’s servers. To ensure maximum security, never leave private keys in your logs, especially your email and chat, whether for storage or transmission, and use a central key escrow, such as an encrypted software vault or Hardware Security Module (HSM).
Enforce Policies: Your security posture should contain a well-defined policy that specifies which application settings are required and how certificates should be used. Machine identity security policies and practices must be established to keep your machine identities safe. This helps manage all aspects of machine identities, including issuance, use, configuration, ownership, management, security, and decommissioning.
SSL/TLS Certificate Vulnerabilities: Increased threat intelligence is needed to provide a baseline for identifying vulnerable keys and certificates, such as those with weak encryption algorithms or short key lengths. A baseline can help identify applications that are served by vulnerable keys and certificates and certificates that are possibly compromised, unused, or expired and should be revoked or retired.
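The inventory, monitoring, and vulnerability-baseline practices above reduce to a repeatable check over the certificate inventory. The sketch below is an added example, not code from the original article; the CSV columns, host names, and policy thresholds (30-day renewal window, minimum key sizes, disallowed signature hashes) are constructed assumptions to adapt to your own policy.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed inventory, in the shape a discovery scan or CA export might produce.
INVENTORY_CSV = """\
host,owner,not_after,key_alg,key_bits,sig_hash
shop.example.test,web-team,2025-09-01T00:00:00+00:00,RSA,2048,sha256
vpn.example.test,net-team,2025-02-20T00:00:00+00:00,RSA,4096,sha256
api.example.test,platform,2025-03-20T00:00:00+00:00,EC,256,sha256
legacy.example.test,,2025-12-01T00:00:00+00:00,RSA,1024,sha1
"""

# Assumed policy values for this example.
RENEW_BEFORE = timedelta(days=30)
MIN_KEY_BITS = {"RSA": 2048, "EC": 256}
WEAK_HASHES = {"md5", "sha1"}


def audit(csv_text: str, now: datetime) -> list:
    """Return (host, finding) tuples for every policy violation in the inventory."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        host = row["host"]

        # Expiry: already expired, or inside the renewal window.
        not_after = datetime.fromisoformat(row["not_after"])
        if not_after <= now:
            findings.append((host, "expired"))
        elif not_after - now <= RENEW_BEFORE:
            findings.append((host, f"expires in {(not_after - now).days} days"))

        # Key strength: short keys and unrecognised algorithms are both reported.
        alg = row["key_alg"].upper()
        minimum = MIN_KEY_BITS.get(alg)
        if minimum is None:
            findings.append((host, f"unknown key algorithm {alg}"))
        elif int(row["key_bits"]) < minimum:
            findings.append((host, f"weak key {alg}-{row['key_bits']}"))

        # Signature algorithm baseline.
        if row["sig_hash"].lower() in WEAK_HASHES:
            findings.append((host, f"weak signature hash {row['sig_hash'].lower()}"))

        # Ownership: a certificate nobody owns is a certificate nobody renews.
        if not row["owner"].strip():
            findings.append((host, "no owner recorded"))
    return findings


if __name__ == "__main__":
    as_of = datetime(2025, 3, 1, tzinfo=timezone.utc)  # fixed date for a repeatable run
    for host, finding in audit(INVENTORY_CSV, as_of):
        print(f"{host}: {finding}")
```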
Datasheet of Encryption Consulting Services
Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.
A wildcard certificate (like SSL/TLS) is a public key certificate that can be used to protect several subdomains inside a domain and is normally acquired from a trustworthy public Certificate Authority (CA).
Multiple subdomains for your website can be beneficial to your business, but they can also be challenging to manage. Multiple SSL/TLS certificates to secure those subdomains increase the complexity, but a wildcard certificate can efficiently resolve this issue.
Compared to managing individual certificates for your subdomains, a wildcard certificate can save you time and money.
The domain name is prefixed by an asterisk and a period in wildcard notation. Wildcards are frequently used in Secure Sockets Layer (SSL) certificates to extend SSL encryption to subdomains. A traditional SSL certificate is only valid for a single domain, such as www.domain.com. A *.domain.com wildcard certificate will also protect cloud.domain.com, shop.domain.com, mobile.domain.com, and other subdomains.
How Does Wildcard SSL Certificate Work?
Wildcard certificates are issued to domains with a wildcard character in their hostname, represented by an asterisk (*). This character can represent an unlimited number of subdomains.
Along with your parent domain, a wildcard certificate can secure any number of subdomains.
For better understanding, let’s take an example:
Suppose an organization has three subdomains:
Instead of having three individual SSL certificates for the above subdomains, the organization can purchase only one wildcard certificate. In addition to the subdomains that the wildcard certificate already covers, it can also cover more subdomains without any extra charges. Wildcard certificates can also be issued as Domain Validated (DV) certificates, which can be provided in a few minutes and require proof of ownership of the domain. You can also get an Organization Validated (OV) certificate, which will include your company’s information in the certificate details. This requires a verification process to ensure that your website is legitimate. However, a wildcard certificate cannot be issued as an Extended Validation (EV) Certificate.
Benefits of using Wildcard SSL Certificates
Wildcard SSL certificates can be very beneficial for organizations looking to secure several subdomains while maintaining flexibility. The following are some advantages of using wildcard certificates:
Secure any number of subdomains: Without having different SSL certificates for each subdomain, a single wildcard SSL certificate can cover as many subdomains as you want.
Straightforward Certificate Administration: Individual SSL certificates must be deployed and managed properly to secure an increasing number of public-facing domains, cloud workloads, and devices. By using a single wildcard certificate, you can manage unlimited domains, which makes certificate management simpler.
Cost-cutting: A wildcard certificate costs more than an ordinary SSL certificate, but it becomes a cost-effective alternative compared to the overall cost of securing each of your subdomains with its own certificate.
Fast and Flexible Implementation: A wildcard certificate is a great way to build new sites on new subdomains that your existing certificate can cover. There’s no need to wait for a new SSL certificate, which saves time and speeds up your time to market.
Risk of Using Wildcard Certificates
Wildcard certificates are frequently used to cover all domains with the same registered root, making administration straightforward. However, because the same private key is used across numerous systems, the freedom that comes with using wildcard certificates also comes with severe security risks:
Web Server Security: If one server or sub-domain gets hacked, all sub-domains may be hacked as well.
Access To Private Key: If the private key of a wildcard certificate gets compromised then the hacker can impersonate any domain for the wildcard certificate.
Fake Certificates: Attackers can fool a certificate authority (CA) into issuing a wildcard certificate for a bogus organization. Once the attacker gets the fictitious company’s wildcard certificates, they can set up subdomains and phishing sites.
Certificate Management: All sub-domains will require a new certificate if the wildcard certificate gets revoked.
Attackers can easily misuse wildcard certificates that lack adequate security, control, or monitoring.
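The wildcard notation and the shared-private-key risk described above can both be checked in code. This is an added example, not code from the original article: the matcher applies the RFC 6125 rules (the asterisk must be the whole left-most label and stands for exactly one label), and the server names and certificate placement are constructed assumptions.

```python
def _labels(name: str) -> list:
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Does a certificate dNSName entry (possibly a wildcard) cover hostname?"""
    p, h = _labels(pattern), _labels(hostname)
    if "" in p or "" in h or any("*" in label for label in h):
        return False                    # malformed name, or "*" in a real hostname
    if "*" not in pattern:
        return p == h                   # ordinary certificate: exact match only
    if p[0] != "*" or any("*" in label for label in p[1:]):
        return False                    # "*" must be the entire left-most label
    if len(p) < 3:
        return False                    # simple heuristic: refuse "*.com"
    # The asterisk stands for exactly one label, so the label counts must agree.
    return len(h) == len(p) and h[1:] == p[1:]


def covered_hosts(san_dns_names, hostnames) -> list:
    """Hostnames that a certificate with these dNSName entries is valid for."""
    return sorted(h for h in hostnames
                  if any(wildcard_matches(s, h) for s in san_dns_names))


# Constructed deployment: server -> dNSName entries of the certificate whose
# private key is stored on that server.
INSTALLED = {
    "web-01": ["*.domain.com"],
    "web-02": ["*.domain.com"],
    "pay-01": ["pay.domain.com"],
}
HOSTNAMES = [
    "cloud.domain.com", "shop.domain.com", "mobile.domain.com",
    "pay.domain.com", "domain.com", "api.shop.domain.com",
]


def impersonable_after_compromise(server: str) -> list:
    """Names that must be treated as exposed if this server's key is stolen."""
    return covered_hosts(INSTALLED[server], HOSTNAMES)


if __name__ == "__main__":
    for server in INSTALLED:
        print(server, "->", impersonable_after_compromise(server))
```

The wildcard covers neither the parent domain itself nor a second level such as api.shop.domain.com unless those names are listed separately, and pay.domain.com remains exposed through the wildcard key on web-01 even though it has its own certificate.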
Extended Validation Certificate, also known as EV Certificate, is a highly valued SSL/TLS Certificate and requires significant efforts from Certificate Authorities to validate it. During the verification of an Extended Validation SSL Certificate, the website’s owner has to go through a detailed and globally standardized identity verification process to prove exclusive rights to use a domain, confirm its legal, operational, and physical existence, and prove that the entity has authorized the certificate’s issuance process. The certificate contains this verified identity information.
Certificate Authorities (CAs) require domain owners to provide additional documentation, such as a signed authorization form, a signed subscriber agreement, and documentation validating their business or their Extended Validation request, in order to obtain an EV certificate. Then, the domain owner’s name, legal, operational, and physical existence, and other properties are verified by a verification partner who goes over all of this information. After a successful verification procedure, a fully certified EV certificate is provided: a digital file with the organization’s name in the address bar.
The other certificates, such as Organization Validation (OV) and Domain Validation (DV) certificates, do not require comprehensive verification. For example, in the case of a DV certificate, the website owner is not required to demonstrate administrative control over the domain. Also, the OV certificate verification process is not as extensive as that of the EV certificate. It only includes the identity information of the website operator.
Because of its extensive verification process, the EV certificate provides a high level of authentication for an SSL/TLS certificate, and visitors have a high level of trust in a website that has an EV certificate.
Types of Extended Validation Certificates
EV certificates are of three types:
Single Domain EV Certificate: These certificates are used to secure only one domain. These are ideal for small online stores and websites.
Multi-Domain EV Certificates: These certificates are used to protect subdomains and multiple domains. These certificates can be used for complex websites.
Code Signing: These certificates are used by developers to secure their products by digitally signing them.
Benefits of Extended Validation SSL Certificates
The primary idea behind extended validation SSL certificates is to provide a higher level of trust and security than most regular SSL certificates. Because enterprise websites generally deal with highly protected client data, EV certificates are an excellent choice for protecting them. The following are some major advantages of using EV SSL certificates:
Assurance at a Higher Level: EV SSL Certificates offer a higher confidence level than Domain Validation (DV) SSL Certificates. Before a certificate is issued, EV verification requires the CA to confirm the organization’s legal identity, physical presence, and operational existence. Because DV Certificates have no identifying information in the organization name field, the end-user cannot trust the certificate to validate who is on the other end, even though they technically allow encrypted transactions. The process of EV certificate verification includes:
The user making the request has the legal right to use the domain.
The requestor has authorized the certificate to be issued.
The requestor’s physical existence and legal status.
Whether the entity’s identity corresponds to official records.
Protect Against Phishing Attacks: Scams on the internet have become more complex and well-coordinated, reducing consumer confidence, which is critical to online business. Hackers utilize a variety of methods to collect personal and sensitive information through phishing. Due to the strict validation standards for EV Certificates, a hacker would never be able to pass all of the checks, making fake EV Certificates extremely unlikely. The EV certificate counteracts these attacks in the following ways:
The Extended Validation standards demand that the party requesting the certificate be thoroughly vetted. Because phishing sites, by their nature, involve identity theft, this vetting prohibits a criminal from obtaining a certificate in the spoofing target’s name.
When an EV certificate is active, the green bar indicator is prominent at the top of the browser. Having the EV certificate on the genuine web page makes its absence on a faked page noticeable. Since phishing aims to replicate the real site as accurately as possible, providing this experience gap is a great way to distinguish between legitimate and fraudulent sites.
If a phisher did by any chance present an EV certificate, the green bar would contain the company’s name. Because the phisher will not have a corporation with the same name and address as your favourite bank, merchant, brokerage, or other institution, the game will be obvious right away.
Fulfill Compliance Requirements: EV SSL certificates are required or recommended by some standards, such as PCI DSS, etc. In addition, many regulations, including HIPAA and others, require that organizations take all reasonable precautions to protect PII, PHI, and other sensitive data from theft. Using EV SSL certificates is an excellent approach to indicate that you have taken all possible precautions to protect this information.
Cons of using Extended Validation SSL Certificates
The following are the disadvantages of using EV certificates:
They are more costly.
They are often valid for a short period.
The efforts and time required to complete the validation procedure.
You may decide not to use EV certificates if you have many websites published on the Internet. But still, it would be better if you considered them for sites like your online store. EV certificates are very dependent on the user. Leaving your security in the hands of the user is not a good idea. Every time a user visits a site, we should not expect them to validate the identification of the organization owner and the domain manually and correctly. For Extended Validation certificates to be effective, some technical restrictions should be enforced without relying on the user.
What is the Purpose of an Extended Validation SSL Certificate?
Regardless of the benefits of using EV certificates, they are not for everyone. Organizations must evaluate the added value of these certificates. They are perfect for high-profile websites that are frequently targeted by phishing attacks, such as major shops, banks, financial institutions, or government bodies with public-facing websites. All services that require higher identity assurance and enhanced confidence can use EV SSL Certificates. Any website that collects data, processes logins, or accepts online payments can also benefit from displaying its verified brand identity.
Is it worth investing in a more expensive Extended Validation SSL certificate?
An EV SSL Certificate costs more than an Organization Validation (OV) or Domain Validation (DV) SSL Certificate because it is the most advanced and secure SSL Certificate available today. These SSL Certificates are slightly more expensive because they require a thorough verification by the CA, which takes time and resources. So, a question arises, is it worth spending on an EV SSL certificate? And the answer is:
If your company is developing and wants to increase client confidence, it is worth investing in an EV SSL Certificate. While EV certificates are used for financial institutions and large organizations, they may be a viable option for a medium-sized business looking to boost client confidence and conversion rates.
Cryptography is the study of securing communications from outside observers. Encryption algorithms take the original message, or plaintext, and convert it into ciphertext, which is not understandable. The key allows the user to decrypt the message, thus ensuring only they can read the message. The strength of the randomness of an encryption is also studied, which makes it harder for anyone to guess the key or input of the algorithm. Cryptography is how we can achieve more secure and robust connections to elevate our privacy. Advancements in cryptography make it harder to break encryptions so that encrypted files, folders, or network connections are only accessible to authorized users.
Cryptography focuses on four different objectives:
Confidentiality: Confidentiality ensures that only the intended recipient can decrypt the message and read its contents.
Non-repudiation: Non-repudiation means the sender of the message cannot backtrack in the future and deny their reasons for sending or creating the message.
Integrity: Integrity focuses on the ability to be certain that the information contained within the message cannot be modified while in storage or transit.
Authenticity: Authenticity ensures the sender and recipient can verify each other’s identities and the destination of the message.
These objectives help ensure a secure and authentic transfer of information.
History of Cryptography
Cryptography began with ciphers, the first of which was the Caesar Cipher. Ciphers were a lot easier to unravel compared to modern cryptographic algorithms, but they both used keys and plaintext. Though simple, ciphers from the past were the earliest forms of encryption. Today’s algorithms and cryptosystems are much more advanced. They use multiple rounds of ciphers and re-encrypt the ciphertext of messages to ensure the most secure transit and storage of data. There are also methods of cryptography used now that are irreversible, maintaining the security of the message forever.
The reason for more advanced cryptography methods is due to the need for data to be protected more and more securely. Most of the ciphers and algorithms used in the early days of cryptography have been deciphered, making them useless for data protection. Today’s algorithms can be deciphered, but it would require years and sometimes decades to decipher the meaning of just one message. Thus, the race to create newer and more advanced cryptography techniques continues.
Types of Cryptography
Cryptography can be broken down into three different types:
Secret Key Cryptography
Public Key Cryptography
Hash Functions
Secret Key Cryptography, or symmetric cryptography, uses a single key to encrypt data. Both encryption and decryption in symmetric cryptography use the same key, making this the easiest form of cryptography. The cryptographic algorithm utilizes the key in a cipher to encrypt the data, and when the data must be accessed again, a person entrusted with the secret key can decrypt the data. Secret Key Cryptography can be used on both in-transit and at-rest data, but is commonly only used on at-rest data, as sending the secret to the recipient of the message can lead to compromise.
Public Key Cryptography, or asymmetric cryptography, uses two keys to encrypt data. One is used for encryption, while the other key decrypts the message. Unlike symmetric cryptography, if one key is used to encrypt, that same key cannot decrypt the message; rather, the other key must be used.
One key is kept private, and is called the “private key”, while the other is shared publicly and can be used by anyone, hence it is known as the “public key”. The mathematical relation of the keys is such that the private key cannot be derived from the public key, but the public key can be derived from the private. The private key should not be distributed and should remain with the owner only. The public key can be given to any other entity.
Hash functions are irreversible, one-way functions which protect the data, at the cost of not being able to recover the original message. Hashing is a way to transform a given string into a fixed length string. A good hashing algorithm will produce unique outputs for each input given. The only way to crack a hash is by trying every input possible, until you get the exact same hash. A hash can be used for hashing data (such as passwords) and in certificates.
Public Key Infrastructure (PKI) is based on the principles of asymmetric cryptography: messages are encoded using the recipient’s public key, and the recipient decodes the message using her private key. However, how do we know that the public key we are using indeed belongs to the intended recipient? What if the public key is a forgery and belongs to an impersonator? A digital certificate helps to establish whether a public key truly belongs to the purported owner. Just like a physical certificate of identification such as a driver’s license or a passport, a digital certificate provides information about an individual along with her/his public key and helps anybody else verify the identity of that individual. The certificate also contains one or more digital signatures, which indicate that the information in the certificate has been attested by some other trustworthy person or entity, known as a certificate authority. We will cover more about certificate authorities in a subsequent article.
Types of digital certificates
The main types of digital certificates that are used today are:
Server certificates: These implement the SSL/TLS (Secure Sockets Layer / Transport Layer Security) standards, are installed on the server, and are best known to have enabled the boom in e-commerce implementations by helping secure the communication channel between the client and server. SSL certificates in turn are of three types:
Domain Validation (DV) certificates: These only verify that the certificate owner has the right to use the domain name; however, they don’t certify who the owner is. Since they involve only basic validation, they are cheap and can be obtained instantly from the certificate provider. DV certificates are typically used for basic web sites and web applications.
Organization Validation (OV) certificates: These provide additional assurances about the certificate holder and include validations about the organization, domain ownership, and whether the applicant is authorized to apply for the certificate. OV certificates are a good option for e-commerce web sites.
Extended Validation (EV) certificates: These offer the highest levels of encryption and follow a strict authentication process before the certificate is issued. EV certificates are typically used by banks and financial institutions, as well as e-commerce applications.
Organization certificates: These are typically used by corporate entities and help to identify employees for secure web transactions and email communication.
Client / Personal certificates: These are “digital IDs” that help to verify an individual’s identity and also help to control the access that individuals have to information and data. In general, certificate-based authentication is far superior to a traditional User ID and password-based authentication mechanism. Personal certificates can also be used for document signing purposes. These certificates are also helpful in Business to Business (B2B) scenarios – for example, allowing suppliers and partners to access and update specific information such as shipping dates or inventory availability.
Code signing certificates: These provide the ability to digitally sign software before it is distributed, typically over the internet, for downloading. These certificates help the recipients downloading and installing software to verify that the code is from an authentic source and that it has not been altered, e.g. by the insertion of malware, before reaching the recipient.
The X.509 Standard
Most digital certificates today are based on the X.509 standard, defined by the International Telecommunication Union (ITU). X.509 specifies a certificate format with a standard set of fields as indicated below.
Version number: Identifies which version of the X.509 standard the certificate is based on
Public key: This is the public key of the certificate holder
Serial number: This is a unique number to identify the certificate and distinguish it from other certificates issued by the same entity.
Certificate holder’s unique identifier: This is also known as a Distinguished Name (DN) and is intended to uniquely identify the certificate holder across the internet. The DN consists of fields such as Common Name (CN), Email, Organizational Unit (OU), Organization (O), and Country (C).
Validity period: This includes the date/time when the certificate was issued, and the expiration date/time.
Issuer unique name: This is the unique name of the entity that issued the certificate, usually a Certificate Authority (CA). Using the certificate implies that you trust the CA that issued the certificate.
Issuer digital signature: This is the digital signature of the CA, generated using the private key of the CA, which can be verified through the CA’s public key.
Signature algorithm: This identifies the algorithm used by the CA to sign the certificate. One example of a popular algorithm used for signing certificates is the Secure Hash Algorithm (SHA) with a hash length of 256, also known as SHA256.
Version 3 of the X.509 standard introduced certificate extensions, which can be used to provide additional information about the subject, apart from that contained in the standard fields. Examples of such additional information include alternative subject names or information on what the certificate can be used for, such as signing a digital object. Extensions are qualified as critical and non-critical and this defines how the additional information is to be processed by the recipient.
As described earlier in this article, PKI is based on asymmetric cryptography, which uses a public-private key pair. It is important to note that this key pair is created by the requestor and not by the issuing authority such as a CA. Requestors apply for a certificate by sharing their public key with the CA. The CA includes this public key in the certificate that it issues to the requestor. Certificate holders assert their identity by proving that they possess the private key corresponding to the public key in the certificate.
Key protection and management
The most vulnerable aspect of PKI is the protection of private keys. If private keys are compromised, the entire system is compromised. Operating systems provide some basic features that can be used for key protection, an example being the Data Protection API (DPAPI) in Windows. For increased security, however, one of the best practices is to use dedicated hardware appliances such as Hardware Security Modules (HSMs) and Trusted Platform Modules (TPMs). Such dedicated hardware-based key protection solutions are a good option for large organizations that manage a large number of keys. For smaller organizations, however, HSMs and TPMs could be an expensive option, and alternatives such as virtual appliances and cloud key management solutions could be more suitable.
A certificate store is a repository used by the certificate holder to store digital certificates. This is usually a special location in the file system provided by the operating system. The Windows operating system, for example, provides the following types of certificate stores:
Local Machine Certificate Store: This is local to the computer and global for all the users. It is located in the system registry under HKEY_LOCAL_MACHINE, examples being HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates
Current User Certificate Store: This is local to a user account on the computer and located in the system registry under HKEY_CURRENT_USER, an example being HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates
Trusted Root CA Certificate Store: This contains the root certificates of all the CAs that are trusted by the Windows operating system. Administrators can modify the default set of trusted CAs and also manually install the root certificate of their own private CA.
Trusted Publishers Certificate Store: This contains information about code signing certificates of trusted publishers that are installed on a computer. Administrators can modify the default set of trusted publishers and manually install code signing certificates into the trusted publishers certificate store.
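The stores listed above can be inventoried from PowerShell through the Cert: provider, reporting for each certificate the X.509 fields described earlier. This is an added example, not code from the original article: the 30-day warning window, the 'md5|sha1' weak-hash pattern and the function name Get-CertificateInventory are assumptions, and My, Root and TrustedPublisher are the provider's names for the personal, Trusted Root CA and Trusted Publishers stores.

```powershell
# Added example (not from the original article). Thresholds below are assumptions.
$WarnDays    = 30            # assumed expiry warning window
$WeakPattern = 'md5|sha1'    # assumed definition of a weak signature hash
# Certificate stores from the list above, as Cert: provider paths
$Stores = [ordered]@{
    'Local Machine'      = 'Cert:\LocalMachine\My'
    'Current User'       = 'Cert:\CurrentUser\My'
    'Trusted Root CA'    = 'Cert:\LocalMachine\Root'
    'Trusted Publishers' = 'Cert:\LocalMachine\TrustedPublisher'
}

function Get-CertificateInventory {
    param([System.Collections.IDictionary]$Stores, [int]$WarnDays, [string]$WeakPattern)
    $now = Get-Date
    foreach ($store in $Stores.GetEnumerator()) {
        if (-not (Test-Path -Path $store.Value)) { continue }
        foreach ($cert in Get-ChildItem -Path $store.Value) {
            $selfIssued = $cert.Subject -eq $cert.Issuer   # name match only, a heuristic
            $sigAlg     = $cert.SignatureAlgorithm.FriendlyName
            # Extensions marked critical must be understood by the relying party
            $critical = @($cert.Extensions | Where-Object { $_.Critical } |
                          ForEach-Object { $_.Oid.FriendlyName })
            $flags = @()
            if     ($cert.NotAfter  -lt $now)                    { $flags += 'EXPIRED' }
            elseif ($cert.NotAfter  -lt $now.AddDays($WarnDays)) { $flags += 'EXPIRING' }
            if     ($cert.NotBefore -gt $now)                    { $flags += 'NOT-YET-VALID' }
            # A root's own signature does not establish trust; flag weak hashes on issued certs only
            if (-not $selfIssued -and $sigAlg -match $WeakPattern) { $flags += 'WEAK-SIGNATURE' }
            [pscustomobject]@{
                Store              = $store.Key
                Version            = $cert.Version
                SerialNumber       = $cert.SerialNumber
                Subject            = $cert.Subject
                Issuer             = $cert.Issuer
                NotBefore          = $cert.NotBefore
                NotAfter           = $cert.NotAfter
                SignatureAlgorithm = $sigAlg
                PublicKeyAlgorithm = $cert.PublicKey.Oid.FriendlyName
                HasPrivateKey      = $cert.HasPrivateKey
                CriticalExtensions = $critical -join ', '
                Flags              = $flags -join ', '
            }
        }
    }
}

Get-CertificateInventory -Stores $Stores -WarnDays $WarnDays -WeakPattern $WeakPattern |
    Sort-Object Store, NotAfter | Format-Table Store, Subject, NotAfter, SignatureAlgorithm, HasPrivateKey, Flags -AutoSize
```

The HasPrivateKey column shows which certificates have their private key on the host, which is where the key protection measures described above apply.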