Save Time and Money

Managing certificates can be a huge time sink. Not to mention lost money and productivity when one expires unexpectedly.

Why you need a Certificate Management System! 

Introduction 

In today’s digital landscape, security is paramount. Yet, many organizations overlook one crucial aspect of their cybersecurity infrastructure: certificate management. With the average enterprise managing thousands of digital certificates, proper certificate management isn’t just good practice—it’s essential for business continuity and security. This guide will explore what certificate management entails and why it should be a priority for your organization.

Digital Certificates are used for two main purposes. The first is digitally encrypting data so that it can be securely transmitted across a network.   The second is for signing something digitally, which doesn’t encrypt it but allows the recipient to know that the file came from the correct person.  The most common use of digital certificates is for HTTPS websites, which encrypt the data transmitted from your computer to the website so it cannot be intercepted.  

As applications become more web-based and security continues to be a concern, our use of digital certificates will never diminish and will only grow.  This is why you need to have a good Certificate Management System in place.  If your company relies on the use of web based applications, I am sure you know issues that come up with missing a certificate that is expiring.  Missing an expired certificate can cause your line of business applications to fail or have an inferior user experience.  Often, a missed certificate on your business website can cause you to lose tens of thousands of dollars in sales if it isn’t resolved quickly.

 

What is a Certificate? 

Without going into too much detail, certificates typically have two parts to them.  The first if the private key.  The private key is what you need to keep secure always and should never be given out.  The private key is responsible for decrypting traffic and files or for signing a file.  The second part is the public key, which is what is given out and made available for others to use.  The public key is used to encrypt the traffic or file and is used to verify a file signed by the private key.  Here is one of the most common scenarios.  As you browse this website because it is HTTPS, your computer and browser encrypts all the traffic that you send based on the website’s public key, which is made available to you.  My servers hold the private key, which is used to decrypt the traffic that you sent.  So if someone can capture the traffic you send to my server, they would never be able to read it because they do not have the private key.

 

Why are Certificates becoming so important?

Certificates have always been important for the security reasons I have mentioned above.  However, they have become more important for websites over the last 10 years since having your website set to HTTPS is directly linked to how your website appears in search engines.  Google ranks sites with a proper certificate using HTTPS higher in search engine ranking than a site using HTTP or a site using HTTPS but has an expired certificate.  Major browsers like Google Chrome now alert users they the website is unsafe if it is not using HTTPS.  There is a great article written by Troy Hunt on this subject that you should read “Troy Hunt: Here’s Why Your Static Website Needs HTTPS“.

As of the writing of this article (October 2024), there are new policies being considered by Google and other major browsers.  They are looking to reduce the acceptable time for a certificate to live.  Currently, it is acceptable for certificates to be good for 1 to 2 years.  However, future standards may reduce that to as little as 90 days!

The Business Impact of Certificate Management   

 Success Story: Major Retailer Prevents Holiday Outage   

A large e-commerce retailer implemented automated certificate management just before their peak holiday season. This system flagged an impending certificate expiration on their payment processing system, preventing what could have been millions in lost sales during Black Friday.

 The Cost of Poor Management   

Poor certificate management can lead to:

  • Service outages ($5,600 per minute on average)
  • Security breaches ($4.35 million average cost)
  • Lost customer trust (40% of customers abandon brands after a security incident)
  • Regulatory fines (up to 4% of global revenue under GDPR)

 

Technical Challenges with Certificate Management

There are many technical challenges when it comes to Certificate Management.

Certificate Sprawl 

Certificate Sprawl can happen in any size environment but tends to get worse the larger you get.  A common scenario is you purchase a certificate from a public Certificate Authority like GoDaddy and you install it on a web server.  Over time your web site starts getting more traffic, and you need to put in another web server so you use the same certificate on that server.  Now a new website needs to be created, but you can use the same certificate so you put them on the new web servers as well.

After a while, you no longer know which servers are using that certificate.  So when GoDaddy tells you the certificate needs renewing you can renew with no problem but maybe you don’t remember which servers you installed it on.  Or, maybe you have a larger IT department and you don’t know where that certificate could have been installed by someone else.  This is certificate sprawl, and unless you have a very strict form of documentation that everyone follows, it can be very difficult to keep track.

Different Certificate Authorities 

You may have a process for keeping track of Certificates issued by GoDaddy or another public Certificate Authority.  But what about ones that are issued by your internal Certificate Authority?  If you are in an Active Directory environment, certificates are probably being issued even without your knowledge.  A good Certificate Management System can keep track of certificates from multiple certificate authorities

Different Certificates Types 

While web certificates are the most commonly used, there are many other types of certificates.  Certificates can be used for encrypting data on database servers. Certificates can be used for authentication to a wireless network or for administrative access to a server.  Many different cloud environments require the use of certificates for securely accessing some of their services.  With all these different types of certificates, it is important to have a Certificate Management System that will keep track of everything for you.

What is a Certificate Management System 

Many of the public Certificate Authorities like GoDaddy will alert you when your purchased certificates are going to expire.  However, what they do not and cannot tell you is where those certificates live.  Do you have them on three servers that host your website? Do you use them internally?  So while you can renew the certificate, if you don’t know where you need to install the renewed certificate, you can still miss certificates expiring and cause downtime.  

Other enterprise level systems for medium and larger companies have their own internal Certificate Authority for issuing certificates for multiple reasons.  Some of those reasons may be internal web applications that don’t require a public certificate, SQL Database Encryption, Code Signing, etc.  It is not uncommon for medium to large businesses with their own Certificate Authority to issue thousands of certificates a year for different reasons.

A Certificate Management System is really any system that helps you keep track of all of your certificates and alert you when they are going to expire.  A good certificate management system will also help you to keep track of where those certificates live so that you don’t miss one.  This can be as simple as an excel spreadsheet where you manually keep track of everything or a more automated system that searches for certificates for you like CertMS.

Whichever way you choose, it is critical you have a way to track all of your issued certificates so that you can stop unnecessary downtime.

Best Practices for Effective Certificate Management  

1. Establish Clear Policies  

  • Define certificate standards
  • Document management procedures
  • Assign roles and responsibilities
  • Create emergency response plans

2. Implement Automation  

  • Deploy automated discovery tools
  • Set up automatic renewal processes
  • Configure monitoring systems
  • Enable automated reporting

3. Regular Audits  

  • Conduct quarterly certificate reviews
  • Validate compliance requirements
  • Update inventory records
  • Assess security configurations

4. Training and Documentation  

  • Train IT staff on procedures
  • Maintain updated documentation
  • Conduct regular refresher courses
  • Share best practices

 Conclusion 

Establishing an effective and efficient Certificate Management system is vital.  With all of the different types of systems that require certificates, and as certificate expiration continues to get shorter and shorter, keeping track is critical to avoid unwanted downtime.  We need to continue to make sure our systems stay both secure and in compliance with local regulations.  Whether you use a manual approach or a third-party software to track your certificates, I hope you have found this post helpful.

Why CertMS?

When it comes to managing certificates we can do it all from alerting and monitoring to scanning and reporting.

Documentation

Once a certificate is issued it cannot be changed. CertMS allows you to associate other information and documentation with all of your certificates.

Certificate to Server

Certificates can be hard to find if they are used on multiple servers.  CertMS can make the correlation between Certificate and Server for you.

Certificate Authority Monitoring

With our state of the art Certificate Authority monitoring we can alert you in real time when certificates are pending approval or when sensitive certificates are issued.

On Prem Appliance

While CertMS does not store and sensitive data we provide an On Prem appliance so you control all the data and communications.

Cloud Appliance

Don’t want any more On Prem servers that need to be updated? We also offer a Cloud Service that can perform the same functionality as the On Prem appliance but hosted completely by us.

Server Monitoring

CertMS is able to monitor Local and User Certificate store through WinRM and Kerberos or an easy to install agent.

Reporting

With a dedicated reporting engine CertMS can create custom reports on expiring and issued certificates.  Get reports in PDF, CSV, or HTML

Help Desk Integration

CertMS reporting was built to work with Help Desk ticketing systems so that you can quickly create help desk tickets on each expiring certificate. Complete with documentation.

Support and Upgrades

First year of support and software upgrades comes with your purchase of the CertMS appliance.  Additional years of support can be purchased.  CertMS Cloud Appliance includes Support and upgrades with your subscription!

Ready To Get Started?