Mitigating Digital Identity Risk: Best Practices for TLS Certificate Management

By Sami Van Vliet

An ever-increasing number of connected devices and this year’s rapid move to remote working has led to a news stream emphasizing the importance of managing and protecting digital identities from exploit and security breaches. From the Microsoft Teams outage to the revocation of 3 million+ TLS certificates by Let’s Encrypt, the risk is hard to ignore.

The recent trend of Zoom-bombing makes even non-technical people recognize the importance of privacy, security and why they should think twice about hardened passwords and checking for a lock icon in their browser.  

When it comes to Public Key Infrastructure (PKI) – the backbone of digital identity security – the National Institute of Standards and Technology (NIST) is considered a leading authority, providing several security guidelines and recommendations. PKI providers follow these guidelines and others to achieve industry standards compliance and ensure end users avoid costly security breaches and certificate-related outages. However, companies managing their PKI program in-house may struggle when it comes to understanding NIST guidelines and how they apply to their individual program requirements.

The guidelines are broad, but five best practices are universal when managing TLS certificates in your organization:

01 | Know the importance of TLS certificates

Knowledge is power. Effectively addressing TLS-related security challenges comes down to education and understanding how critical managing TLS certificates is to mitigate incidents. That means understanding what happens if a certificate expires or if it’s compromised, and the risk that creates for the business. Consider that network downtime costs roughly $300,000/hour, and that an exploited SSL/TLS certificate can cause serious damage in the hands of an attacker.  Stolen certificates can be used to compromise networks or create fake websites, cause harm to your customers and loss of revenue and reputation for the business.

02 | Centralize inventory of TLS certificates

With the rise of DevOps and automation of infrastructure provisioning, certificates are often issued without any centralized knowledge of where they are installed, when they expire or what policies they comply with. That makes TLS certificate management a much larger and more complex problem.

Start with visibility. Building an inventory of TLS certificates is the first step to improve visibility and prevent a possible outage. This can be accomplished with a certificate management solution that could:

  • Synchronize with CA databases
  • Scan SSL/TLS endpoints
  • Inventory key and certificate stores

03 | Define ownership and policies

Most end users aren’t knowledgeable about issuance and the use of best practices when it comes to TLS certificates. PKI is typically driven by a single team, but that team must have a way of enforcing consistent policies and knowledge across all departments.

Defining responsibilities assigned to certificate owners and approvers and ensuring that every team – from network engineers to developers – have a consistent set of ‘rules’ to follow is essential. Overstretched teams can consider automated platforms to support:

  • Certificate owner assignment with role-based access and permissions
  • User and certificate-related activity auditing capabilities
  • Standardized certificate templates and policy enforcement

04 | Focus on detection and prevention

Detection and prevention are security 101 and by adopting key techniques, organizations are better equipped to identify new vulnerability points – such as near-expired certificates or weak keys – by utilizing proper reporting and monitoring tools. These techniques also support:

  • Discovery of vulnerable certificates (e.g. those signed with weak algorithms, like SHA-1)
  • Outage prevention due to certificate expiration by notifying certificate owners beforehand
  • Cryptographic incident response to events such as CA or algorithm compromise

05 | Adopt automation and self-service

Manual processes are certainly more effective than no process at all, but humans make mistakes. Not only does automation help to prevent outages, it also frees up IT resources and end-users from hours of manual tasks related to certificate requests, issuance, provisioning and renewal. 

Whether your team is managing your PKI program in-house or not, NIST guidelines have become a critical framework to help build awareness, manage rising digital identity security risk and stay compliant with shifting industry regulations.

Sami Van Vliet

With almost 20 years of programming experience, and a strong focus on Microsoft technologies, Sami Van Vliet has worked in a variety of sectors including non-profit, startup, government and consulting.  She is currently principal product manager at Keyfactor, a leading provider of secure digital identity solutions. For more information visit: or follow @Keyfactor on Twitter and LinkedIn.

error: Content is protected !!