Avoiding Security Certificate Missteps

Written by

With code signing cyber-attacks on the rise, certificate legitimacy is a growing concern. Digital certificates are a core tenet of security, and when mis-issue events occur, the standards of trust that businesses expect from their software and CA providers is fractured.

The importance of iron-clad, encrypted and code signed certificates, combined with a growing number of digital identities within the corporate network, means that gaining complete visibility to all certificates is fundamental to an organization’s over-arching security strategy. Whether you’re a global software provider, a certificate authority (CA), or a business that relies on software consumption and CA vendors, a mass certificate revocation event is expensive and inconvenient.

More recently, GoDaddy, Apple and Google announced operational errors that caused the revocation of more than a million digital certificates as a result of ECBCA misconfigurations: ECBCA is an open source software package commonly used by software and hosting companies to digitally sign code, secures emails and protect websites. While these particular events didn’t trigger cause for security concern, they are a major operational failure and inconvenience to CAs and customers alike.

Organizations and government entities regard digital certificates and signatures as a foundational layer of trust to reinforce corporate IT security strategy, harden its overall posture and inform industry best practice. The risk of compromise and mismanagement rises as certificate volumes increase, so unplanned certificate reissuance can be an overwhelming task at the enterprise level because skilled PKI professionals must spend time locating and reissuing impacted credentials.

In many cases, the work is done manually, making the exercise time consuming and prone to errors. Our research even indicates that 71% of businesses don't even know how many certificates they have – leaving them ill equipped to revoke and reissue at scale. 

Fortunately, crypto agility is emerging as best practice and a critical component to reissuance within the broader corporate IT security strategy. It’s an approach that takes digitization maturity into consideration, allowing leaders to apply digital identity use cases that align to and scales with the business’s security strategy.

Crypto agility supports IT teams as they manage mass certification events because the framework allows for seamless, automated updates and gives IT managers complete visibility to certificate deployment and the assets they impact.

Here are four crypto agile steps business and IT leaders can apply to improve their certificate management process and get ahead of large-scale certification events:

  1. Run an inventory. Identify every certificate within the organization and use cryptographic parameters to understand where certificates have been deployed and what assets they secure. 
  2. Develop a certificate lifecycle plan. Standardize certificates to ensure that common workflows are followed when certificates are deployed. Standardization addresses audit questions focused on asset custody and other downstream issues that could impact compliance. 
  3. Adopt IT automation technology. Traditional, manual certificate management processes aren’t equipped to revoke and reissue certificates at scale. Introducing a single, automated platform provides complete visibility to every certificate, simplifying identification and replacement.
  4. Embrace crypto agility. Build lifecycle workflows to match the business’s certificate inventory and establish the crypto strategy and framework. 

Public Key Infrastructure (PKI) isn’t new, but digitization and emerging cyber risks are changing the way PKI elements are secured and managed. Skills shortages and increasing security pressures mean businesses must adopt innovative frameworks, tools and technology to protect the foundational security layer that PKI and digital certificates provide.

Whether you’re a global software conglomerate like GoDaddy, Google or Apple or an end-user and software consumer, digital certificate management – and its best practice – underpins the effectiveness of corporate security strategy.

What’s hot on Infosecurity Magazine?