6 Things to Know About Certificate Lifecycle Management


On the web, security is always a sensitive topic. On one side of the spectrum, users face an ever-growing number of cyber threats such as malware and phishing that aim to obtain information which legitimate websites have made readily available. On the other hand, website owners must ensure their own security and that of all parties involved in transactions with them. This includes compliance with industry standards and regulations such as PCI DSS, FedRAMP, HIPAA, or Disclosure.

Doing so by default might be easy, but doing it right is often more complicated than expected, especially when certificates come into play. Companies that rely on a CLM to keep track of delicate data and information are what drive CLM solutions. The financial services industry has been one of the most enthusiastic adopters of CLM technology: it lets them offer secure online customer experiences while adhering to industry rules that demand they regularly reissue their SSL/TLS digital certificates.

What is Certificate Lifecycle Management?

Certificate Lifecycle Management (CLM) is a general term that covers the pre-certification processes, the actual issuance of the certificate once approval has been given, and all post-issuance activities associated with maintaining certificates in use. Some people refer to an organization’s certificate management process as its “certificate lifecycle.” Here are some things you should know about Certificate Lifecycle Management.

1. Certificates are not Free

This statement may be surprising to some readers, but the fact is that certificates are only available for purchase. They can be pretty expensive depending on the chosen validation type, use case, number of hosts, etc. For example, prices range from $3000 to $4000 for an Extended Validation (EV) certificate, which is a one-time cost. Thus, evaluating all options before making a decision is something you should do when contacting certificate lifecycle management services.

2. Certificates Might Expire Earlier Than Expected

Certificate expiration dates are determined by the validation method and by other parameters such as key usage, extended key usage, or subject attributes. Moreover, different CAs have different policies on re-keying and on when they consider it necessary. At a minimum, you should check the certificates in your inventory every three months to ensure there are no surprises. If you lack technical knowledge on the subject, reaching out to your CA might be a good idea.
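As an added example (not part of the article), here is a small Python check for such an inventory review: it parses notAfter timestamps in the two forms they take inside X.509 certificates (UTCTime and GeneralizedTime) and flags every certificate that is already expired or would lapse before the next three-monthly check. The hostnames and dates are constructed sample data.

```python
"""Certificate inventory expiry check (added example, not from the article).
notBefore/notAfter are ASN.1 UTCTime (YYMMDDHHMMSSZ, years 1950-2049) or
GeneralizedTime (YYYYMMDDHHMMSSZ); see RFC 5280 section 4.1.2.5."""
from datetime import datetime, timezone

REVIEW_INTERVAL_DAYS = 90  # the article's "every three months"

# Constructed sample inventory (hostname -> notAfter as stored in the cert).
INVENTORY = {
    "www.example.test": "240815120000Z",     # UTCTime, 2024-08-15 12:00
    "api.example.test": "20241201000000Z",   # GeneralizedTime, 2024-12-01
    "legacy.example.test": "230101000000Z",  # UTCTime, already expired
}

def parse_asn1_time(value: str) -> datetime:
    """Parse a UTCTime or GeneralizedTime in the 'Z' form RFC 5280 requires."""
    if not value.endswith("Z"):
        raise ValueError(f"expected Zulu time, got {value!r}")
    digits = value[:-1]
    if len(digits) == 12:  # UTCTime: two-digit year, RFC 5280 century rule
        yy = int(digits[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        digits = f"{year}{digits[2:]}"
    elif len(digits) != 14:  # GeneralizedTime: four-digit year
        raise ValueError(f"malformed time {value!r}")
    return datetime.strptime(digits, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def days_remaining(not_after: str, now: datetime) -> int:
    """Whole days until notAfter; negative once the certificate has expired."""
    return (parse_asn1_time(not_after) - now).days

def certificates_needing_action(inventory, now, interval_days=REVIEW_INTERVAL_DAYS):
    """Return {host: status} for certificates that are expired or will expire
    before the next scheduled review; anything that outlives the review
    interval can safely wait until the next check."""
    actions = {}
    for host, not_after in inventory.items():
        left = days_remaining(not_after, now)
        if left < 0:
            actions[host] = "expired"
        elif left <= interval_days:
            actions[host] = f"renew now ({left} days left)"
    return actions

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for host, status in certificates_needing_action(INVENTORY, now).items():
        print(f"{host}: {status}")
```

The review interval is the key parameter: any certificate with fewer days left than the gap to the next check must be renewed during this one, or it will expire unnoticed in between.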

3. Certificates have been Compromised Before

To guarantee security at all levels, SSL/TLS implementations have been updated several times over the years with new versions that prevent attacks such as POODLE, BEAST, CRIME, BREACH, etc. Most browsers have already blocked weak ciphers, even though servers continued to use them for some time because of backward compatibility issues or a lack of updates from server owners. You can find more details about these issues in the dedicated SSL/TLS Deployment Best Practices guide and on the PCI DSS website.

4. Certificates need to be revoked when Compromised

Revoking a certificate is not enough in many cases: its private key should also be considered compromised, which means it can no longer be used to sign certificates. If you own a personal website or blog, you can simply revoke your current certificate and issue another one (after changing the affected hostnames).

Issuing companies such as banks end up dealing with dozens of servers and certificates that must all be re-keyed at once to prevent a loss of trust from their customers. No matter what happens, organizations that issue or own certificates must plan and communicate these changes in advance to give users enough time to update their browsers.

5. Private keys must be protected at all Costs

A private key is what allows a CA to sign and validate certificates. Protecting it with a passphrase makes decryption impossible without knowing this secret string of characters, which means that no one can use the certificate except its owner (who knows the password). For instance, GitHub has famously implemented this feature for its users. However, some companies, such as PayPal, still haven’t.

6. Certificates must be revoked when losing control over the corresponding private key

Every year, obtaining a certificate gets more complicated, as CAs have started investigating applicants before issuing them the digital file that allows server owners to protect information transmitted through browsers with TLS/SSL. Many companies even employ specialized security teams responsible for validating every domain name and hostname they own, to ensure such certificates are not compromised as easily as before. Reissuing a certificate is often done under strict internal policies that take time and must be followed to the letter.

Reminder:

Expired or revoked certificates should never be used again, not even for testing purposes. Using them would simply compromise everything: users’ data and servers’ security. It’s also important to note that other CAs could sign these old certificates without your knowledge, which means you might think your servers are protected against cyber-attacks while they aren’t at all.

That being said, we encourage readers to research SSL/TLS, X.509 certificates, and their significant impact on internet security over the years.

Conclusion

Certificate lifecycle management is a crucial part of any SSL/TLS deployment. It helps companies guarantee the security of their users’ data and servers at all times, even if that means spending more time on certificate management. Certificates can be compromised or revoked for many reasons, but CAs must reissue them under strict internal policies. Expired or revoked certificates can never be used again, not even for testing purposes; they would compromise everything, from users’ data to servers’ security.