The Certificate Lifecycle Core Principles of Certificate Management The Best Practices for Certificate Management AppViewX CERT+ : Certificate Lifecycle Automation Platform

1. © 2019 AppViewX, Inc. 1
Best Practices for Certificate Management

2. © 2019 AppViewX, Inc.
The Certificate Lifecycle
2
Issuance
CSR generation
Provisioning
Servers, Applications,
Devices, et al.
Discovery
Scan and locate
certificates
Inventory
Group certificates
and managed
entities
Monitoring
Dynamic reporting
and auditing
Renewal
Pre-emptive, to
prevent expiry
Revocation
On invalidity
Security
Encrypting private
key storage

3. © 2019 AppViewX, Inc.
Obstacles to Effective PKI Management
3
Manual
Management
No
Granular
RBAC
Poor Auditing, Inefficient
Policy
Siloed
Inventories
Undocumented, Unknown
Certificates
Insecure
Private Key
Storage
Increase chances
of theft and data
breaches

4. © 2019 AppViewX, Inc.
o Following a defined certificate management process helps administrators streamline the lifecycle of their
internal and external PKI.
o It eliminates all the aforementioned challenges from the equation by introducing automation, visibility, and
structure into the equation.
o The ideal certificate management process assists in the execution of every step in the certificate lifecycle by
integrating with your network, devices, and CAs.
Core Principles of Certificate Lifecycle Management
6

5. © 2019 AppViewX, Inc.
o Following the recommended best practices for certificate management will help enterprises actively combat
security threats such as expirations, vulnerabilities, and certificate-related outages, downtimes, or breaches.
o The use of a dedicated certificate lifecycle management tool is highly recommended.
The Best Practices for Certificate Management
Obtain Visibility Maintain Inventory Enforce Policy Protect Private Keys Enable Monitoring
7

6. © 2019 AppViewX, Inc.
o Scan your entire network: across all CAs, environments, and endpoints, to detect
and locate the certificates in your inventory.
o Perform subnet scans across all the ports in batches of 24 or more to locate public
certificates and IP/host names.
o Perform a controlled discovery scan by batching the subnet list and choosing
between parallel or sequential execution, with cooling periods to avoid network
load and chatter.
o Perform scans in the schedule maintenance window to avoid firewall issues.
o Schedule the scans to run overnight or during periods of low network traffic.
o Perform passive scans in parallel over a scheduled change window period.
o Ensure that discovery scans are run periodically to ensure an updated inventory.
Obtaining Visibility
6

7. © 2019 AppViewX, Inc.
o Ensure that the results of the scan are automatically updated in the inventory and
categorized.
o Group certificates to simplify batch operations. Recommended groups include:
1. AD Security Group vs. Department
2. Test vs. Production
3. Internal vs. External hierarchy
4. Auto-renewal vs. Approved CSRs
o Provide group owner details during configuration for simpler tracking.
o Group based on hierarchy to leverage alert escalation capabilities in workflows.
o Maintain the same (or similar) policy across a hierarchy of groups.
Maintaining Inventory
7

8. © 2019 AppViewX, Inc.
o Ensure that CSR parameters are defined as per industry guidelines (NIST).
o Renewal: Define automated renewal mechanisms for certificates whose validities
are past 80% of their validity periods.
o Revocation: Revoke any certificate whose private key is suspected to be
compromised. Post-renewal, ensure that the old certificate is revoked within 5
days of testing and installation.
o Schedule automated bi-weekly emails that provide notification on expirations and
compliance.
o Establish contracts with backup CAs to enable rapid transition in the event of a
compromise.
o Enforce RBAC based on certificate groups and users to permit access only to
relevant user personas.
Enforcing Policy
8

9. © 2019 AppViewX, Inc.
o Encrypt and store private keys and credentials at rest.
o Leverage FIPS 140-2 standards while safeguarding critical data at rest.
o Use vaults or HSMs to store private keys.
o Use automation workflows within the system to push certificates and their keys
to network endpoints.
o Provide key access to users on a scheduled, role-based, on-demand, and
privileged basis.
o Provide training to users across hierarchies on the access, storage, and application
of private keys in the network environment.
Protecting Private Keys
9

10. © 2019 AppViewX, Inc.
o Create dynamic dashboards that display certificate information at a glance: statuses,
expired certificates, unwanted certificates, et al.
o Set up workflows to send emails to administrators when a certificate is expiring/has
expired.
o Configure weekly reports that showcase the status of the certificate infrastructure.
o Track hosting environments for weak ciphers, algorithms, or transport security
protocols.
o Monitor global certificate issuance with transparency logs published on the internet.
o Closely track a single client certificate hosted on multiple endpoints.
o Set up scheduled reports to specific certificate owners by grouping certificates to avoid
unnecessary noise.
Enabling Monitoring
10

11. © 2019 AppViewX, Inc.
AppViewX CERT+: Certificate Lifecycle Automation Platform
11

12. © 2019 AppViewX, Inc.
AppViewX CERT+: Holistic View of the Chain of Trust
12

13. © 2019 AppViewX, Inc.
AppViewX CERT+: Seamless Monitoring and Reporting
13

14. © 2019 AppViewX, Inc.
Benefits of Certificate Lifecycle Automation
ELIMINATE
ERRORS
Reduce the margin of error
due to manual operation to
zero.
ENFORCE
COMPLIANCE
Use stringent RBAC, audit
trails, and more to
manage policy.
MOVE
FASTER
Accelerate certificate
operations via
automation.
REDUCE
COST
Minimize complexity,
save time, and prevent
catastrophic outages.
14

15. © 2019 AppViewX, Inc.
Business Benefits
Reduce Risk, Cost, and Delays in Certificate Management
Reduction in
Issuance Time
Reduction in
Deployment Time
Reduction in
Validation Time
83% 70%70%
15

16. © 2019 AppViewX, Inc.
Schedule a Live Demo