Case Studies Reading Time: 6 minutes

How CertSecure Manager Revolutionized Certificate Management in the Retail Sector

What was once a luxury slowly becomes a necessity. In the early 2000s, digital certificates were considered a luxury. Still, in recent times, with growing regulations and cybersecurity threats, digital certificates have become a necessity to provide identity to users, computers, resources, and more. With every entity of an organization requiring a certificate to access, function, and operate, managing such a huge volume of certificates becomes one of the significant challenges.

In this case study, we talk about one such organization, a retail giant in the US with stores all across the country. As an industry disruptor, it needed to assess and change its operation to make the organization’s size manageable.

For smaller organizations, this can be done manually where the certificate requirement is less than 1000, but for larger organizations with their own set of policies and procedures, ensuring all certificates are compliant with the regulations while also being complicit with their internal policies all the while ensuring all certificates are active with 0 downtime and outages due to mismanagement becomes challenging. This problem only grows with the organization until it becomes unmanageable.

For this reason, certificate lifecycle management solutions like CertSecure Manager provide organizations with a unique, customized solution that can assist with their needs and requirements.

The Challenges

Being one of the big players in the retail sector, the organization had many challenges that other organizations faced, but it also faced some unique challenges. Some of the common challenges include:

  1. Managing Issuance

    To manage a large organization’s demand for certificates, these organizations need many Certification Authorities to issue certificates and provide them on time. However, managing different Certification Authorities with their procedures and maintaining different handbooks with different training for employees slowly become an inconvenience.

    A typical organization of this scale will have over 20+ domains (or forests) with at least two certification authorities (CAs) on major forests, one Cloud CA, and one public CA. This accumulates to 5 or more CAs.

  2. Outdated Microsoft PKI Processes

    Microsoft PKI remains one of the widely used on-premises private PKIs. However, with little to no advancements in certificate issuance processes using web enrollment, users who require certificates have to have different processes that require the help of other personnel. Meanwhile, with no REST API support, DevOps also finds it challenging to ensure that certificates are obtained on time.

  3. Alerts

    With certificates regularly expiring, administrators have to stay alert and vigilant to ensure no certificates remain expired on their applications/servers. Without proper alert mechanisms in place, administrators sometimes miss renewing critical certificates, which can often lead to outages.

With other organizations also facing the above issues, our customer had some unique requests we wanted to address. These requests arise from the challenges this organization faces and want a solution that caters to their needs. They are as follows:

  1. Domain Validation

    The customer had a lot of domains (50+) within their network, and with huge volumes of certificate requests pooling in, the customer wanted a way to weed out domains that are not explicitly whitelisted. The organization wanted certain domains to be authorized, and if any user requests certificates for domains that are not among the whitelisted ones, they should be auto-rejected.

    This will help reduce human errors, which can lead to outages due to improper domain names. This will also improve security as users cannot request certificates for other domains, helping them with the organization’s impersonation issues.

  2. Wildcard certificates

    Similar to the previous one, the organization also wanted to reject any requests.

  3. CA Restrictions

    The customer also wanted some CAs to be restricted and inaccessible to everyone. This primarily includes any public CAs, as certificates issued by these CAs have associated costs. These restricted CAs should only be accessible to a subset of people within the organization.

  4. Departmental Compartmentalization

    With multiple departments within the organization, the stakeholders wanted us to segregate users into different departments to ensure easier certificate management.

    This will also ensure that certain departments can access certain Certification Authorities. For example, the customer did not want the development team to have access to CAs used by the production team. This may lead to co-mingling of certificates, which can confuse the process of identifying the certificates that are being used.

  5. DevOPS

    The customer also had challenges pertaining to the DevOPS team, which needed Rest API access to request and obtain certificates.

These challenges and wishlists drove the organization’s efforts to find the proper solution for its needs. The challenges created significant issues in its operational capabilities and hindered its capacity to grow.

Solution

When the customer approached us with these challenges, we had to spend significant time assessing and understanding their unique stance. Each organization has its processes and procedures, and we wanted to ensure we understand that before catering to their needs. With CertSecure Manager solving primarily all of their issues, we also found a few more areas where we can help the organization improve. The solutions that we focused on were as follows:

  1. Always Accessible

    With stores and offices spread out across the nation, we wanted to connect all of the resources and ensure any personnel working from home can also maintain access to CertSecure.

    This provided the organization with two options: Cloud and SaaS. Since the customer wanted to retain control with minimal latency, the cloud deployment was chosen to connect their whole infrastructure and give access to users outside of the network.

  2. Pooling of CAs

    With multiple Certification Authorities, we provided the customer with a single pane of glass to view and control the certificates. All Certification Authorities are connected and synced with the environment using CA Connectors.

    This allows customers to issue, revoke, and renew certificates from one portal, which reduces training time and compresses the processes and procedures the organization has to follow. This also enables newer protocols like Rest APIs, ACME, EST, and more for the DevOPS and IoT team.

  3. RBAC

    With a large user base, the organization wanted to provide minimal control to the registered users. The principle of least privilege is applied with varied roles and granular access control, ensuring users only get the permissions determined by the organization.

  4. Integration and Alerts

    Organizations can now connect their CertSecure manager with Teams, ServiceNow, and email to ensure they get regular alerts. These alerts consist of certificates expiring in the upcoming week and provide useful insights about their organization. CertSecure Manager also provides reports that can be used for data analysis to better understand and manage their infrastructure.

  5. Policy Module

    CertSecure Manager has a unique policy module that can restrict CSR re-usage and wildcard certificates. This will restrict and auto-reject any certificate requests that violate the policy. This also includes domain validation, where organizations have to whitelist domains. If certificate requests are made for domains that are not whitelisted, they are rejected automatically.

  6. Workflow

    Organizations can restrict CAs and templates for a particular CA. This will restrict any certificate requests and will need explicit approval before issuance. Only users with explicit approval permission can approve these requests.

  7. Departments

    CertSecure Manager enables different departments and segregates the user base accordingly. Each department has its own PKIAdmin, which can oversee and manage all resources and users belonging to that department. There are also global PKIAdmins who have access to all departments and can oversee and access all resources throughout the organization.

  8. Organization details

    With human error still prevalent, the organization wanted proper certificate tagging. The organization can provide options for pre-existing organization details like city, state, country code, department, and so on. Users cannot use any values that the administrators do not provide.

  9. Automation

    CertSecure Manager provides the option of Renewal Agents, which can be configured with servers like IIS, Apache, and Tomcat, load balancers like F5, or custom applications. These agents ensure that the certificates used are active and auto-renewed prior to expiration, helping organizations with their processes without any human intervention.

These features not only helped the organization with its needs but also improved its processes. When submitting a CSR, users can view its properties in the web portal itself without relying on OpenSSL or third-party websites.

Conclusion

In conclusion, CertSecure Manager’s comprehensive features, tailored solutions, and focus on automation and security have significantly improved certificate lifecycle management for organizations in the retail sector, addressing key challenges and providing a scalable, efficient, and secure platform for managing digital certificates.

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download

About the Author

Anish Bhattacharya's profile picture

Anish Bhattacharya is a Consultant at Encryption Consulting, working with PKIs, HSMs, creating Google Cloud applications, and working as a consultant with high-profile clients.

Explore the full range of services offered by Encryption Consulting.

Feel free to schedule a demo to gain a comprehensive understanding of all the services Encryption Consulting provides.

Request a demo