Why Manual Management of SSL/TLS Certs Destroys Security
Learn more about ways manual management of SSL/TLS certs can destroy your security.
For something so important, a look around shows that the means and methods of managing SSL and TLS certificates are stuck somewhere in the past. Despite certificates being a backbone of cybersecurity, IT staff often describe an alarming dependence on ad hoc, manual, or semi-automated approaches to the problem.
The range of tasks involved in certificate management is greater than one might assume at first glance. For example, someone has to purchase certificates and renew them when they expire, a time-consuming activity in and of itself. Then there is the actual deployment of certificates, and so on.
In most organizations, even smaller “SMB” or mom-and-pop type organizations, there are multiple applications deployed in one or more clouds. Although many of them are familiar and fairly standard, the specific ways in which they are deployed are invariably somewhat unique.
Sizing Up the Challenge
So, in short, it takes focus and organization just to begin the process of certificate management.
Of course, every individual certificate has to be matched to the correct web application. The decision also has to be made regarding whether to utilize inexpensive “low-assurance” certificates or make the investment in pricier extended validation certificates, which can potentially reduce maintenance effort because they are provided by a known certificate authority.
Cost can be a factor. Have your budgets been built to include this significant but vital expense?
Furthermore, a closer look quickly shows that there are a lot of variables when it comes to certificates. IT people may assume that it is a simple matter, but in fact there are many choices, most of which can have big consequences. TLS/SSL certificates, for example, can be divided by validation level (domain, organization, extended) or by domain coverage. If you only care about one hostname, a single-domain certificate may be what you need. On the other hand, so-called wildcard certificates can cover a domain and its associated subdomains. Yet another option is the multi-domain certificate, which can span several domain names.
Then there are the many vendors to choose from, and choices regarding many details, such as the duration of a certificate and the warranties provided for end users. Methods of authentication also vary – a substantial subject of its own. And, just as with many other kinds of products and vendors, reputations are constantly evolving. To get the best results, you need to take the time to see which combination has been trouble-free and reliable, because even with the best certificate providers, problems are not unknown.
But, it is important to remember that certificate authorities are not without their own problems. From time to time, authorities have lost or misassigned certificates or had other issues that impacted users.
However, the biggest challenge is ultimately managing all those certificates.
Be Realistic About the Complexity of Certificate Management
If you had a tiny and simple organization with a handful of certificates – and intended to never grow your operation – a single sheet of paper might suffice to track and manage your certificates – at least for a while. However, even simple can rapidly turn complex.
As the challenges grow, many of those tasked with certificate management have turned naturally to familiar and generic tools such as databases or spreadsheets such as Microsoft Excel. While this is undoubtedly better than relying on a paper-based system, an examination of the tasks involved will make clear the limits of a spreadsheet-based system. A list of some of the steps, which all need to be documented, includes:
Certificate creation -- While perhaps not an absolute requirement when generating just a few certificates, early in the life of a certificate administrator it clearly becomes vital to begin documenting the creation of each certificate. Related tasks could include associating a domain name and an initial certificate location.
Downloading the certificate itself (perhaps using an embedded link)
Uploading the certificate in conjunction with the associated private key. (Some have adopted options like Nginx, a web server which can also be used to host the same TLS certificate and key.)
Many additional steps may then be needed, depending on the exact setup in an organization, to ensure certificates are used correctly, renewed in a timely manner, and so on.
Imagine how many entries would be needed just to record all this information in a spreadsheet! Now, consider ongoing management.
Admittedly, perhaps if you are using a spreadsheet you can write scripts to cover some of the ‘logic’ that needs to be captured, for instance around renewals. But what then? And how much maintenance time and effort does that take?
Is the system flexible? Certainly, it is not foolproof. Mistakes can (and will) occur, ranging from data-entry errors to flawed logic, and they can result in a vast array of problems, such as:
Expired certificates (which can result in embarrassing scrambles to “fix” the problem).
The direct costs of these problems for the person or persons tasked with handling certificates are substantial, ranging from the time-consuming setup and operation of the “system” to the unplanned effort needed to fix problems. Again, that ongoing maintenance will require dedicated hours on a daily, weekly, or monthly basis. Then there are bigger costs:
Lost time for internal people who depend on access.
Reputational risk and loss of business if customers or partners have access problems due to certificate issues.
Consider Better Tools and Automation
These days, certificates are probably too important and too numerous to be handled in an ad hoc, manual fashion.
Fortunately, there are options. Automation is here, and it can address not only the obvious problems outlined above regarding the implementation and management of certificates but can also help you stay on top of external problems.
Automated options can provide deep search, various visualizations, proactive alerts, and so on, helping to avoid many of these problems. According to the statistics, the most requested features are a deep inventory that instantly shows all certificates and potential vulnerabilities, and custom reports that let people receive not only general information but the information that matters for their PKI infrastructure in particular.
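The following Go program is an added example, not code from the article or from any certificate-management vendor. It does in miniature what the paragraph above asks of an automated tool and what the spreadsheet approach described earlier cannot do reliably: it reads the expiry date and the covered names from each deployed certificate itself instead of from a hand-typed row, sorts the inventory by urgency, and raises an alert for the failure modes the article lists (an expired certificate, one about to expire, and a certificate deployed on a host it does not cover). Everything is constructed inline so it runs offline: the four hostnames are made up, the certificates are self-signed test certificates minted at start-up, the clock is fixed, and the 30-day renewal window is an assumption; in real use the PEM inputs would be the files each server actually serves.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math"
	"math/big"
	"sort"
	"time"
)

// Finding is one inventory row, read from the deployed certificate itself rather than
// typed into a spreadsheet, so it cannot drift from what is actually in production.
type Finding struct {
	Host        string
	NotAfter    time.Time
	DaysLeft    int  // negative once the certificate has expired
	HostMatches bool // does the certificate's SAN list cover the host serving it?
}

// Alert says what needs action for this row, or "" if nothing does (30-day window is an assumption).
func (f Finding) Alert() string {
	switch {
	case !f.HostMatches:
		return f.Host + ": deployed certificate does not cover this hostname"
	case f.DaysLeft < 0:
		return f.Host + ": certificate EXPIRED on " + f.NotAfter.Format("2006-01-02")
	case f.DaysLeft <= 30:
		return fmt.Sprintf("%s: certificate expires in %d days, renew now", f.Host, f.DaysLeft)
	}
	return ""
}

// Inspect parses the PEM certificate served on host and evaluates it as of now.
func Inspect(host string, certPEM []byte, now time.Time) (Finding, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return Finding{}, fmt.Errorf("%s: no CERTIFICATE block in PEM input", host)
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return Finding{}, fmt.Errorf("%s: %w", host, err)
	}
	// Floor so that a certificate expired by even one hour already counts as day -1.
	days := int(math.Floor(cert.NotAfter.Sub(now).Hours() / 24))
	return Finding{Host: host, NotAfter: cert.NotAfter, DaysLeft: days,
		HostMatches: cert.VerifyHostname(host) == nil}, nil
}

// Inventory evaluates every host -> certificate pair and orders the rows most urgent first.
func Inventory(deployed map[string][]byte, now time.Time) ([]Finding, error) {
	var out []Finding
	for host, p := range deployed {
		f, err := Inspect(host, p, now)
		if err != nil {
			return nil, err
		}
		out = append(out, f)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].DaysLeft < out[j].DaysLeft })
	return out, nil
}

// mustSelfSigned mints a constructed certificate for one name so the example runs offline;
// in real use the PEM would be read from the file each server actually serves.
func mustSelfSigned(name string, notBefore, notAfter time.Time) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		DNSNames: []string{name}, NotBefore: notBefore, NotAfter: notAfter,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// Constructed demo data (made-up hostnames) against a fixed clock so results are reproducible:
// one expired, one nearly expired, one serving another host's certificate, one healthy.
var demoNow = time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC)
var demoDeployed = map[string][]byte{
	"www.example.test":  mustSelfSigned("www.example.test", demoNow.Add(-48*time.Hour), demoNow.Add(-time.Hour)),
	"mail.example.test": mustSelfSigned("mail.example.test", demoNow.Add(-48*time.Hour), demoNow.Add(5*24*time.Hour)),
	"api.example.test":  mustSelfSigned("www.example.test", demoNow.Add(-48*time.Hour), demoNow.Add(60*24*time.Hour)),
	"shop.example.test": mustSelfSigned("shop.example.test", demoNow.Add(-48*time.Hour), demoNow.Add(90*24*time.Hour)),
}

func main() {
	rows, err := Inventory(demoDeployed, demoNow)
	if err != nil {
		panic(err)
	}
	for _, r := range rows {
		fmt.Printf("%-18s %4d days  host-match=%-5v %s\n", r.Host, r.DaysLeft, r.HostMatches, r.Alert())
	}
}
```

The hostname check matters as much as the expiry check: a spreadsheet can say a certificate is current while the server is actually presenting a different host's certificate, and only reading what is deployed catches that. Replace demoDeployed with certificates read from your servers and demoNow with time.Now() to run this against a real estate.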
There’s one other thing to consider: appropriate size and scalability. Some automated tools aren’t a good fit for every organization. They are geared only to the challenges of large enterprises and may not be a good match for smaller organizations. Some have scalability built in and can adapt to small or large needs.
So, consider your certificate challenges realistically. By now, you should be convinced that something better and more reliable than manual methods is a necessity. Certainly, the evidence points that way.
Opinions expressed by DZone contributors are their own.