How CertSecure Manager Revolutionized Certificate Management in the Retail Sector

What was once a luxury slowly becomes a necessity. In the early 2000s, digital certificates were considered a luxury. Still, in recent times, with growing regulations and cybersecurity threats, digital certificates have become a necessity to provide identity to users, computers, resources, and more. With every entity of an organization requiring a certificate to access, function, and operate, managing such a huge volume of certificates becomes one of the significant challenges.

In this case study, we talk about one such organization, a retail giant in the US with stores all across the country. As an industry disruptor, it needed to assess and change its operation to make the organization’s size manageable.

For smaller organizations, this can be done manually where the certificate requirement is less than 1000, but for larger organizations with their own set of policies and procedures, ensuring all certificates are compliant with the regulations while also being complicit with their internal policies all the while ensuring all certificates are active with 0 downtime and outages due to mismanagement becomes challenging. This problem only grows with the organization until it becomes unmanageable.

For this reason, certificate lifecycle management solutions like CertSecure Manager provide organizations with a unique, customized solution that can assist with their needs and requirements.

The Challenges

Being one of the big players in the retail sector, the organization had many challenges that other organizations faced, but it also faced some unique challenges. Some of the common challenges include:

1. Managing Issuance

   To manage a large organization’s demand for certificates, these organizations need many Certification Authorities to issue certificates and provide them on time. However, managing different Certification Authorities with their procedures and maintaining different handbooks with different training for employees slowly become an inconvenience.

   A typical organization of this scale will have over 20+ domains (or forests) with at least two certification authorities (CAs) on major forests, one Cloud CA, and one public CA. This accumulates to 5 or more CAs.

2. Outdated Microsoft PKI Processes

   Microsoft PKI remains one of the widely used on-premises private PKIs. However, with little to no advancements in certificate issuance processes using web enrollment, users who require certificates have to have different processes that require the help of other personnel. Meanwhile, with no REST API support, DevOps also finds it challenging to ensure that certificates are obtained on time.

3. Alerts

   With certificates regularly expiring, administrators have to stay alert and vigilant to ensure no certificates remain expired on their applications/servers. Without proper alert mechanisms in place, administrators sometimes miss renewing critical certificates, which can often lead to outages.

With other organizations also facing the above issues, our customer had some unique requests we wanted to address. These requests arise from the challenges this organization faces and want a solution that caters to their needs. They are as follows:

1. Domain Validation

   The customer had a lot of domains (50+) within their network, and with huge volumes of certificate requests pooling in, the customer wanted a way to weed out domains that are not explicitly whitelisted. The organization wanted certain domains to be authorized, and if any user requests certificates for domains that are not among the whitelisted ones, they should be auto-rejected.

   This will help reduce human errors, which can lead to outages due to improper domain names. This will also improve security as users cannot request certificates for other domains, helping them with the organization’s impersonation issues.

2. Wildcard certificates

   Similar to the previous one, the organization also wanted to reject any requests.

3. CA Restrictions

   The customer also wanted some CAs to be restricted and inaccessible to everyone. This primarily includes any public CAs, as certificates issued by these CAs have associated costs. These restricted CAs should only be accessible to a subset of people within the organization.

4. Departmental Compartmentalization

   With multiple departments within the organization, the stakeholders wanted us to segregate users into different departments to ensure easier certificate management.

   This will also ensure that certain departments can access certain Certification Authorities. For example, the customer did not want the development team to have access to CAs used by the production team. This may lead to co-mingling of certificates, which can confuse the process of identifying the certificates that are being used.

5. DevOPS

   The customer also had challenges pertaining to the DevOPS team, which needed Rest API access to request and obtain certificates.

These challenges and wishlists drove the organization’s efforts to find the proper solution for its needs. The challenges created significant issues in its operational capabilities and hindered its capacity to grow.

Solution

When the customer approached us with these challenges, we had to spend significant time assessing and understanding their unique stance. Each organization has its processes and procedures, and we wanted to ensure we understand that before catering to their needs. With CertSecure Manager solving primarily all of their issues, we also found a few more areas where we can help the organization improve. The solutions that we focused on were as follows:

1. Always Accessible

   With stores and offices spread out across the nation, we wanted to connect all of the resources and ensure any personnel working from home can also maintain access to CertSecure.

   This provided the organization with two options: Cloud and SaaS. Since the customer wanted to retain control with minimal latency, the cloud deployment was chosen to connect their whole infrastructure and give access to users outside of the network.

2. Pooling of CAs

   With multiple Certification Authorities, we provided the customer with a single pane of glass to view and control the certificates. All Certification Authorities are connected and synced with the environment using CA Connectors.

   This allows customers to issue, revoke, and renew certificates from one portal, which reduces training time and compresses the processes and procedures the organization has to follow. This also enables newer protocols like Rest APIs, ACME, EST, and more for the DevOPS and IoT team.

3. RBAC

   With a large user base, the organization wanted to provide minimal control to the registered users. The principle of least privilege is applied with varied roles and granular access control, ensuring users only get the permissions determined by the organization.

4. Integration and Alerts

   Organizations can now connect their CertSecure manager with Teams, ServiceNow, and email to ensure they get regular alerts. These alerts consist of certificates expiring in the upcoming week and provide useful insights about their organization. CertSecure Manager also provides reports that can be used for data analysis to better understand and manage their infrastructure.

5. Policy Module

   CertSecure Manager has a unique policy module that can restrict CSR re-usage and wildcard certificates. This will restrict and auto-reject any certificate requests that violate the policy. This also includes domain validation, where organizations have to whitelist domains. If certificate requests are made for domains that are not whitelisted, they are rejected automatically.

6. Workflow

   Organizations can restrict CAs and templates for a particular CA. This will restrict any certificate requests and will need explicit approval before issuance. Only users with explicit approval permission can approve these requests.

7. Departments

   CertSecure Manager enables different departments and segregates the user base accordingly. Each department has its own PKIAdmin, which can oversee and manage all resources and users belonging to that department. There are also global PKIAdmins who have access to all departments and can oversee and access all resources throughout the organization.

8. Organization details

   With human error still prevalent, the organization wanted proper certificate tagging. The organization can provide options for pre-existing organization details like city, state, country code, department, and so on. Users cannot use any values that the administrators do not provide.

9. Automation

   CertSecure Manager provides the option of Renewal Agents, which can be configured with servers like IIS, Apache, and Tomcat, load balancers like F5, or custom applications. These agents ensure that the certificates used are active and auto-renewed prior to expiration, helping organizations with their processes without any human intervention.

These features not only helped the organization with its needs but also improved its processes. When submitting a CSR, users can view its properties in the web portal itself without relying on OpenSSL or third-party websites.

Challenge	Solution	Benefits
Lack of visibility into the location of certificates, leading to frequent expiry-related outages, duplication, and cumbersome troubleshooting.	CertSecure Manager’s Certificate Discovery feature efficiently manages the certificate landscape. It helps identify and remove unused or expired certificates, ensuring critical certificates remain current. It also offers a comprehensive certificate inventory, providing access to essential details, including certificate status, issuance dates, and expiration dates.	90% reduction in outages across the entire organization Timely certificate renewals for a stronger security posture.
Manual execution of certificate tasks, including monitoring expirations and installations, necessitated automation	CertSecure Manager automates certificate tasks and centralizes certificate management, offering a unified platform for efficient Microsoft PKI management. This streamlines certificate issuance and renewal, enhancing reliability and reducing the risk of outages.	Reduced manual errors in certificate tasks. Achieved a 100% compliance. Reduced certificate renewal time from days to less than one minute.
Lack of well-defined PKI processes, resulting in ambiguity and compliance issues.	CertSecure Manager offers self-service certificate requests, reducing management costs and enabling swift certificate enrollment. With role-based access control, it enforces policies and controls for authorized user requests, enhancing efficiency and security in certificate management.	Reduced management costs Enhanced security through role-based access control.
Administrators utilized a single CSR for multiple certificates, self-signed and wildcard certificates that did not align with internal policies.	CertSecure Manager strengthens compliance by implementing stringent policy controls. It ensures the security of certificate issuance by permitting each CSR to be used only once, thereby preventing unauthorized or repetitive certificate generation. Additionally, any attempt to request wildcard certificates is automatically rejected, ensuring that only specific, non-wildcard certificates are issued.	Adherence to internal policies Heightened security

Conclusion

In conclusion, CertSecure Manager’s comprehensive features, tailored solutions, and focus on automation and security have significantly improved certificate lifecycle management for organizations in the retail sector, addressing key challenges and providing a scalable, efficient, and secure platform for managing digital certificates.