This column is available in a weekly newsletter called IT Best Practices.
Digital certificates provide the backbone of information security and trust on the Internet. Demand for certificates is exploding as companies use them to secure and build trust in web transactions, email messages, application code, and devices such as those on the Internet of Things. The use case for digital certificates continues to expand as more people and devices become connected.
It’s not unusual for an enterprise organization to have 10,000 or more certificates in use. For example, a company might use certificates to digitally sign and encrypt email messages and attachments. Allowing for one certificate per email account, this can amount to tens of thousands of certificates for this use case alone.
Certificates provide a lot of benefits but they aren’t maintenance-free. They commonly expire after only one, two or three years, depending on the type of certificate. A large enterprise could conceivably have hundreds or thousands of certificates reaching their expiration dates every day. SSL certificates are now so critical, and everything online is so intertwined, that when these certificates expire, an organization could potentially lose millions of dollars if their online revenue streams are down.
A Ponemon Institute survey of Fortune 5000 companies showed that a certificate outage can result in a recovery cost of $15 million in lost business and potentially another $25 million for compliance violations. Here’s the breakdown for those figures:
Consider some of these high-profile situations that occurred when someone inadvertently forgot to renew a certificate:
- In 2013, Microsoft's Azure cloud platform faced a worldwide outage in its storage services because of an expired SSL certificate. The company also reported problems with its Xbox Music and Video Store services.
- In 2015, millions of Gmail users experienced problems when Google allowed one of its SSL certificates to expire.
- Also in 2015, home automation company Wink, Inc. knocked all its connected home users offline due to an expired security certificate designed to provide security to its Wink Hub IoT device.
It’s easy to see that one small oversight can cause big problems for a vast customer base. And yet, most enterprises keep track of their certificates – assuming they know where all of them are – on a simple spreadsheet. What they need instead is an automated certificate manager platform.
Comodo CA is the world’s largest certificate authority. As a complement to its issuing business, Comodo has released an updated version of its digital certificate management platform known as Comodo Certificate Manager (CCM). CCM brings a high level of integration and automation to the process of managing certificates, enabling businesses to never miss an expired certificate again.
One of the biggest problems that CCM solves is discovering what certificates currently exist, regardless of which certificate authority issued them. There are different methods to do this discovery. One way is to do a scan of an IP range. A more granular method is to download a virtual appliance to the internal environment or even to AWS in the cloud. CCM runs the prescribed scan and populates a certificate map in a dashboard.
Once CCM has agents installed on the servers, it can automate the renewal of all the certificates. The administrator or certificate manager can set rules for the certificates that are due to expire within a certain time period, and CCM will place the renewal order with Comodo. All the validation requirements will be completed in an automated fashion, and the certificates will be installed as needed.
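The discovery-and-renewal-rule workflow described above, as an added example that is not part of the original column or of Comodo's product: it takes inventory records shaped like the dictionaries Python's `ssl` module returns from `getpeercert()`, computes days to expiry from the `notAfter` field, and sorts each certificate into expired / renew / alert / ok buckets by configurable windows, grouped by issuing CA so that every certificate from one authority can be selected together. The three hosts, the CA names, the scan time and the `discover()` helper are constructed assumptions.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed inventory shaped like ssl.SSLSocket.getpeercert() output; hosts, CAs and dates are made up.
SAMPLE_INVENTORY = [
    {"host": "mail.example.test", "notAfter": "Jan 20 12:00:00 2025 GMT",
     "issuer": ((("organizationName", "Example Internal CA"),),)},
    {"host": "shop.example.test", "notAfter": "Feb  5 00:00:00 2025 GMT",
     "issuer": ((("organizationName", "Example Public CA"),),)},
    {"host": "api.example.test", "notAfter": "Dec 31 23:59:59 2024 GMT",
     "issuer": ((("organizationName", "Example Public CA"),),)},
]
SCAN_TIME = datetime(2025, 1, 10, tzinfo=timezone.utc)  # constructed "now" for the offline run

def discover(host, port=443, timeout=5):
    """Fetch the leaf certificate a TLS endpoint presents (needs network; not used in the offline run)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = dict(tls.getpeercert())
    cert["host"] = host
    return cert

def issuer_org(cert):
    # organizationName from the nested issuer tuples getpeercert() returns
    return next((v for rdn in cert["issuer"] for k, v in rdn if k == "organizationName"), "unknown")

def days_until_expiry(cert, now):
    """Whole days from `now` (aware UTC datetime) until notAfter; negative once expired."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return (expires - now).days

def classify(cert, now, alert_days=30, renew_days=14):
    """Bucket a certificate by the rule windows: expired, order renewal, alert only, or ok."""
    days = days_until_expiry(cert, now)
    if days < 0:
        return "expired"
    return "renew" if days <= renew_days else "alert" if days <= alert_days else "ok"

def renewal_plan(inventory, now, alert_days=30, renew_days=14):
    """Group hosts by bucket and by issuing CA (so one CA's certs can be bulk-selected for replacement)."""
    plan = {"expired": [], "renew": [], "alert": [], "ok": []}
    by_issuer = {}
    for cert in inventory:
        plan[classify(cert, now, alert_days, renew_days)].append(cert["host"])
        by_issuer.setdefault(issuer_org(cert), []).append(cert["host"])
    return plan, by_issuer

if __name__ == "__main__":
    print(renewal_plan(SAMPLE_INVENTORY, SCAN_TIME))
```

Feeding `discover(host)` results into `renewal_plan` instead of `SAMPLE_INVENTORY` turns this into a live scan of a host list; the windows are the kind of rule the text says an administrator sets.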
The validation requirements are no trivial matter. When done manually, the process generally goes like this:
1. A certificate administrator requests a new certificate from Comodo. In the request, they must prove that they can control and manage the asset; for example, a company domain.
2. Comodo verifies the ownership information for the asset and the details that the administrator submitted in the request.
3. Comodo contacts the HR department within the company making the request to verify that the requestor actually has the authority to order the certificate.
4. Once all those checks are passed, Comodo issues the certificate.
5. This process is repeated each time a certificate must be renewed.
Having this process automated is quite a time saver, and it eliminates the worry of forgetting to renew a certificate before it expires. Comodo says this is a differentiator from its competitors—being able to both issue and manage certificates within a single platform.
Companies that set up their own certificate authority using a product called Microsoft CA and now want to get out of the CA business can use the platform’s Microsoft CA plug-in to relieve the enterprise of managing its own internal PKI. Comodo takes the company’s certificate requirements and manages everything from the cloud.
The CCM dashboard provides a centralized view of all your certificates, regardless of what type they are or how they were issued. The company can set up notifications and alerts and manage all its certificates from within the dashboard, making quite an improvement over the old spreadsheet method of management.
The Heartbleed vulnerability a few years ago proved the value of managing certificates through a management platform. When Heartbleed was discovered, companies had to replace their entire inventory of certificates with new SHA-2 certificates. This was a massive undertaking for organizations that had to replace tens of thousands of certificates manually. In a scenario like this, a company using the CCM platform can go into the dashboard and select and replace all the affected certificates automatically.
Comodo says it is already working on what to do about SHA-2 certificates in a world of quantum computing. SHA-2 encryption, currently the strongest kind of certificate, can be broken with a quantum computer. Along with Google and Microsoft, Comodo is at the forefront of developing new algorithms so that new web browsers will be able to handle the new quantum crypto keys that will be used. As a PKI vendor, Comodo is committed to staying ahead of the curve.