Certificate Management

Businesses today deploy an increasing number of digital certificates to secure communications between their applications, servers, and devices. An organisation may have hundreds or even thousands of certificates installed on systems and devices across its global network. As the number of certificates grows, so does the complexity of keeping track of them all. Without a complete and detailed certificate inventory, an organisation cannot check that its certificates are within their validity period and in compliance with its policies. An expired or rogue certificate can have serious implications for an organisation.

Finding Your SSL Certificates

Red Kestrel has developed a certificate discovery product called CertAlert. CertAlert can scan your networks for SSL certificates using IP ranges or lists of hostnames. The network is scanned for all types of SSL certificates regardless of issuing CA, including SSL, SSL-EV, and self-signed certificates. The product provides detailed information about the certificates found, either as an in-depth report or via the Red Kestrel product called Cert Centre.

Identify Expiring Certificates

Like passports, certificates are issued with a finite lifespan - typically one or two years. Once a certificate expires it can no longer be used, and as discussed earlier this can lead to serious problems for an organisation. Checking for certificate expiration is therefore a critical task for any IT department. CertAlert alerts you about certificates that are within a configurable number of days of expiration, notifying administrators through email alerts and reports. Certificate monitoring can be scheduled, or expiration checks can be requested on demand.

Locating Problem Certificates

In addition to certificate expiration, an organisation may have other issues with its deployed certificates. Using Red Kestrel products, an organisation can obtain in-depth reports that highlight many certificate issues, including:

  • Expired and expiring certificates
  • Certificates created with weak hashing algorithms
  • Certificates with keys shorter than the NIST recommended minimum
  • Certificates not issued by a trusted CA
  • Certificates that do not list the host name on which they are deployed
  • Certificates using Debian weak keys

Tracking Certificates

Failing to replace expiring certificates can have very serious consequences for an organisation. For example, an outage caused by an expired certificate on a mission-critical machine can result in significant financial loss and possibly loss of reputation. It is therefore important for the department managing certificates to be able to see which certificates are entering their renewal period (e.g., 30, 60 or 90 days from expiry) so that they can be renewed and installed in good time. The Red Kestrel tools can help organisations keep an up-to-date inventory of their certificates and produce lists of those that need renewing.
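The checks listed under Locating Problem Certificates and the renewal window described above, as an added example in Go that is not Red Kestrel's or CertAlert's code: it builds an in-memory sample inventory (an internal CA, a healthy leaf it issued, and a deliberately problematic self-signed certificate, all constructed here and never sent over a network) and runs the same audit over each. The names Example Internal CA, www.example.test and legacy.example.test, the 2048-bit RSA floor, and the functions Audit, mustIssue and BuildSampleCerts are assumptions of this example. The Debian weak key check is not implemented, since it needs the published blacklist of affected keys.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const minRSABits = 2048 // assumed policy floor; the page cites a NIST minimum without a number

// Audit applies the page's checks to one parsed certificate: roots are the CAs the organisation
// trusts, hostname is the name the certificate should serve, renewWindowDays the renewal period.
func Audit(cert *x509.Certificate, roots *x509.CertPool, hostname string, now time.Time, renewWindowDays int) []string {
	var findings []string
	if now.After(cert.NotAfter) { // expired, or inside the renewal window
		findings = append(findings, "expired")
	} else if cert.NotAfter.Before(now.AddDate(0, 0, renewWindowDays)) {
		findings = append(findings, fmt.Sprintf("expires within %d days", renewWindowDays))
	}
	switch cert.SignatureAlgorithm { // signed with a weak hashing algorithm
	case x509.MD2WithRSA, x509.MD5WithRSA, x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		findings = append(findings, "weak signature hash: "+cert.SignatureAlgorithm.String())
	}
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < minRSABits {
		findings = append(findings, fmt.Sprintf("rsa key too short: %d bits", pub.N.BitLen()))
	}
	if bytes.Equal(cert.RawIssuer, cert.RawSubject) { // issuer and subject are the same name
		findings = append(findings, "self-signed")
	}
	// Not issued by a trusted CA: a chain must build from the leaf to one of our roots.
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now}); err != nil {
		findings = append(findings, "untrusted issuer: "+err.Error())
	}
	if err := cert.VerifyHostname(hostname); err != nil { // host absent from the SANs
		findings = append(findings, "hostname not in certificate: "+hostname)
	}
	return findings
}

// mustIssue generates a fresh RSA key of the given size, signs tmpl under parent (nil parent
// = self-signed) and returns the parsed certificate; it panics because it only builds sample data.
func mustIssue(tmpl *x509.Certificate, bits int, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// BuildSampleCerts constructs an in-memory inventory (nothing touches the network): an internal
// CA, a healthy leaf it issued, and a self-signed certificate with several of the listed problems.
func BuildSampleCerts(now time.Time) (roots *x509.CertPool, good, bad *x509.Certificate) {
	ca, caKey := mustIssue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Internal CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, 2048, nil, nil)
	roots = x509.NewCertPool()
	roots.AddCert(ca)
	good, _ = mustIssue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "www.example.test"},
		DNSNames:    []string{"www.example.test"},
		NotBefore:   now.Add(-time.Hour), NotAfter: now.AddDate(1, 0, 0),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, 2048, ca, caKey)
	// 1024-bit key, SHA-1 signature, ten days of validity left, and self-signed.
	bad, _ = mustIssue(&x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "legacy.example.test"},
		DNSNames:           []string{"legacy.example.test"},
		NotBefore:          now.Add(-time.Hour), NotAfter: now.AddDate(0, 0, 10),
		SignatureAlgorithm: x509.SHA1WithRSA,
	}, 1024, nil, nil)
	return roots, good, bad
}

func main() {
	now := time.Now()
	roots, good, bad := BuildSampleCerts(now)
	for _, c := range []*x509.Certificate{good, bad} {
		fmt.Printf("%s: %v\n", c.Subject.CommonName, Audit(c, roots, "www.example.test", now, 30))
	}
}
```

Run with `go run`: the healthy leaf produces no findings, while the legacy certificate is reported for the 30-day renewal window, the SHA-1 signature, the short key, being self-signed, failing to chain to a trusted root, and not carrying the expected host name. The trusted-CA check builds a chain against the organisation's own root pool rather than the operating system store, which is what an inventory of internal certificates needs; for public-facing hosts point `roots` at `x509.SystemCertPool()` instead.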