Enterprise application outages due to digital certificate errors aren't just frustrating—they're costly. And when you’re working with a legacy public key infrastructure (PKI) system, these disruptions become all too familiar.
A big part of the problem is that IT environments that depend on legacy PKI systems require high levels of effort to maintain and fail to meet current and evolving security standards. And many are simply incapable of being modernized sufficiently to support modern technology initiatives and security developments.
But a modern PKI can improve management and reliability without the need to rip and replace existing tech. If you want to stay secure and competitive, it’s time to rationalize your PKI systems by modernizing them.
PKI’s purpose is to establish trust both inside and outside our networks in a world where no user or system is inherently trustworthy. To make this happen, many organizations use cryptographic operations throughout the enterprise and in many kinds of software. A few common examples are mobile device management (MDM), VPNs, microservices environments (typically running Kubernetes), and IoT device management.
But these PKI applications are often isolated and independent, effectively “PKI silos,” which are separate PKI implementations on the same network. The best-case-result scenario is increased overhead—the silos have to be managed separately, usually with different tools and perhaps even by different teams. Without proper coordination, it’s common for these implementations to conflict.
The main resource used in PKI authentication is the digital certificate, which identifies the object being authenticated. When there’s a problem with a certificate, the systems that rely on it will likely fail, disrupting business and possibly creating a compliance problem.
Part of what makes certificates difficult to manage is the sheer volume of them—typically tens of thousands within a single enterprise. And once a certificate is issued, the clock starts ticking: The maximum lifespan for publicly trusted TLS certificates, the most prevalent kind, is 398 days, or about 13 months. The Certificate Authority/Browser (CA/B) Forum, the body that sets standards like these, is moving to shorten the maximum lifespan to just 90 days, and it could go even lower.
Staying on top of that volume of short-lived certificates is impossible without automation. But many organization are still managing digital certificates manually, leaving the door wide open for mistakes.
Expired certificates are just one cause of outages and GRC failures that result from inadequate PKI management,but they’re the most common. In a large and complex enterprise, those in charge may not even know what certificates they have. With disorganization like this, making technology or budget plans becomes impossible.
In the long term, there are other problems: Industry standards change, sometimes slowly, sometimes quickly. An audit of your certificates could determine that the standards you rely on are obsolete.
And if they’re not obsolete yet, they will be—in the coming years, many new standards will be introduced into PKI tech to address the threat of attacks using quantum computers. Those with modern, agile cryptosystems that allow policy to be applied globally will be able to adapt quickly to the new post-quantum cryptography (PQC) standards.
Bringing order to a haphazard PKI starts with discovery. The modern PKI periodically scans all reachable parts of the network for existing certificates and creates an inventory, preferably as part of an asset-tracking system, which IT can use to plan.
A good discovery process should identify many types of certificates, like SSL/TLS, code signing, SSH, and S/MIME certificates—regardless of the issuing certificate authority (CA)—and may well find multiple PKI silos.
During the discovery process, you’ll establish ownership of the certificates to assign lifecycle management and budget reporting duties to the right people while establishing an inventory and ownership of applications that use PKI.
The optimal design in a complex enterprise is to have centralized governance and oversight of the PKI but distributed certificate use and lifecycle management. This means that teams throughout the enterprise can manage their own acquisition and use of certificates, subject to company policy. As with most cloud software, a modern PKI works best when it provides some level of self-service.
The modern PKI system is adaptable to any workload on any kind of device, including both modern architectures like Kubernetes clusters and legacy systems like self-hosted VPNs. The ability to seamlessly interoperate and integrate with enterprise architectures is a must.
Hybrid enterprises are important but especially tricky. A single logical application could have components on on-premises systems and in multiple clouds. It might also need to manage client certificates and vendor certificates embedded in proprietary appliances. Complex enterprises may have units that operate independently in different jurisdictions with different legal requirements and require the flexibility to manage appropriately. The modern PKI system should support certificate management for all application components.
Finally, the system needs to integrate with relevant software in the enterprise ecosystem using both standard and proprietary interfaces. The PKI ecosystem is extensive, complex, and not completely standardized. A good, modern PKI will integrate directly with major players like Amazon Web Services, Microsoft Active Directory on Windows and Azure, and HashiCorp to ease the discovery process and establish central governance. A large enterprise often has multiple systems implementing the same standards but with different interfaces and applications.
A modern PKI system formalizes key procedures and workflows, like record-keeping and the approvals necessary for certificate revocation and other events. It should automate routine and dynamic use cases to improve user experience, lower administrative overhead, and reduce opportunities for misconfigurations that cause outages and security incidents.
The system should also provide many default reports and the ability to customize them—things like:
Want to learn more about topics like PKI, PQC, and certificate lifecycle management? Subscribe to the TV blog to ensure you never miss a story.