Table of Contents
- Importance of Digital Certificates in the PKI environment
- The Role of PKI in Digital Certificate Management
- Types of Digital Certificates exists in your PKI environment
- Considerations for effective Certificate Management
- Risk with Unmanaged Certificates
Importance of Digital Certificates in the PKI environment
Digital certificates are critical to any environment as they possess a greater degree of authorization with them. With this authorization power, it becomes very important to secure them with the utmost care. Many organizations care about certificates that are manually generated; however, they lack auto-enrolled certificates. Since the number of auto-enrolled and manually generated certificates exist in the hundreds of thousand, it becomes a quintessential need for organizations to manage all the certificates (auto-enrolled and manually generated) with the help of automation.
The Role of PKI in Digital Certificate Management
For many customers, the role of Public Key Infrastructure (PKI) is to process workflow for manually generated certificates and auto-enroll the rest of the certificates through group-policy in the Microsoft PKI environment. Some customers may see auto-enrollment through group-policy as a certificate management feature of PKI, however, when you look in-depth you see that it’s just the functionality provided by the Microsoft PKI environment. The true definition of certificate as well as key management is when the certificates and keys are managed from enrollment to revocation. This means that both (certificate and keys) are managed through their entire lifecycle process, including inventory and reporting, all the way through the revocation of certificates, when the certificates are no longer needed, or potentially compromised. Skill gap is another factor which contributes to the inefficiency of certificate management as it requires specialized skills to manage the certificate & keys through their entire lifecycle. Based on the above understanding, we can state that it is requisite to monitor the issuance of certificates in your PKI environment to ensure that the certificate issuance process is secure, efficient, and customized as per your organization’s requirement.
Types of Digital Certificates exists in your PKI environment
As we discussed, certificates possess a greater degree of authorization that results in gaining attention from bad actors like criminals with malicious intent, as these certificates provide them an increased level of access or the ability to impersonate a user. One of the most common certificate types that is susceptible to attack are machine certificates, as these are automatically issued to the devices in your network. There are hundreds of these types of certificates in the environment of an organization that could potentially be a risk in terms of unauthorized access to critical resources such as Wi-Fi access, VPN access, authentication for network access control systems, multi-factor authentication for single-sign-on applications, email encryption, Microsoft Azure WCF services, etc.
Considerations for effective Certificate Management
The following points should be considered while assessing the certificate management situation in an organization:
- The inventory of certificates in your environment is very critical. Also, the pattern of certificate issuance indicates normal or abnormal behavior from the certificate generation perspective.
- The issued certificates are used for the purpose for which they are issued. PKI administrators should always keep an eye on their PKI environment for any discrepancy with respect to certificate usage.
- As every certificate has a key usage field, this should be correctly chosen, as a misconfigured certificate template in the PKI domain would create complete chaos and might result in organization-wide risk and loss.
Risk with Unmanaged Certificates
There is a saying that if you can’t see the risk, it doesn’t mean there is none. PKI administrators sometimes ignore the risks based on the fact that they don’t see any immediate problem because of this. Also, some minor issues in the PKI go unnoticed in the initial stage that create bigger issues in the future. To avoid this, PKI admins must have tools deployed to detect and manage these issues in order to establish and maintain a healthy PKI in their environment.
The following are risk avoidance actions that can be taken by the PKI team for certificate management:
Certificates are issued based on certificate standards that vary with time. This requires the need for continuous audit of your PKI environment and all the certificates issued by the PKI. At times, certificates are issued based on old certificate standards, for example the key length of 2048-bit keys are still active even though the new standard states that a key length of 4096-bit is more secure. PKI admins must have an inventory of all those certificates (with key length of 2048-bit) to address all of them in a single attempt.
When there is a requirement to replace or re-issue the certificates in bulk, the ability to automate this transaction efficiently can help improve security response time. The same scenario is applicable when a critical vulnerability is identified and the admin must extract the certificate inventory at risk to remediate those within a short span of time.
At times, there are small misconfiguration issues in certificates which can cause critical and large-scale issues. For example, a PKI admin has issued 10,000 certificates with a validity period of 10 years, and later on the validity period has to change based on some compliance policy. Now, there has to be a centralized and quick way to locate these certificates to remove them from the environment to remediate & recover from this situation. It is significant to monitor the certificate issuance process and issuance policies to identify issues. Also, having a monitoring tool in place enables the quick detection of issues if they arise.
Rogue certificates do exist and get issued in the PKI environment. These rogue certificates lead to disastrous results if not dealt with properly. To counter rogue certificates, PKI admins must have an accurate inventory of all the legitimate certificates issued in the PKI environment so that centralized action can be taken, if required, to replace, re-issue, or revoke them.Till now, we have discussed many situations that may happen in any organization and could lead to unexpected results or outcomes. These include PKI issues, skill gaps on PKI, and lack of centralized management for digital certificate and key lifecycles. Effective management of all digital certificates and keys in a PKI environment requires the appropriate management tool and resources in place to mitigate the risks associated with PKI expeditiously and reliably.