With the launch of Certificate Transparency and the establishment of CT logs by Google and DigiCert, website admins are able to monitor the certificates issued for their domains. Certificate Transparency logs provide oversight for TLS Certificates, monitoring a company’s awareness of its certificate issuance. Although this information is publicly available, Certificate Transparency logs still require extraction of the data before a company can actually observe issuance for its domains. Without a service to monitor the logs, the information found in these logs is largely inaccessible to users.
In-line with DigiCert’s focus on customer usability, we have developed a new and useful feature, Certificate Monitoring, that will extract information from the CT logs to provide easy reporting on certificate issuance and help solve some of the current challenges that security admins face with their day-to-day certificate management.
When it comes to monitoring certificates, there are three main challenges that security administrators face.
1. Misissued Certificates
According to the Certificate Transparency organization, a misissued certificate is a certificate that is “used to spoof a legitimate site and, in some case, install malicious software or spy on unsuspecting users.” A misissued certificate is one where validation controls have failed to properly prevent issuance of the certificate to an entity.
For example, the Chinese Certificate Authority, CNNIC, issued a certificate to Google’s domains via delegated third party, MCS Holdings. Although the browsers took action to cease trusting the certificate and many eventually stopped trusted the CNNIC root, serious damage could have resulted from the issuance.
Misissuance is not necessarily caused by a CA failing to abide by required validation practices. For example, DV certificates are often validated with a mere email to an administrator at a domain name, without verification of a company’s actual authorization for the certificate. These email verifications are sometimes completed without realization by the approving entity. Although the CA is acting in accordance with all applicable requirements, the low standard required for DV certificates can lead to issuance by rogue employees, hackers, and overworked admins.
2. Disorganized Certificates
One of the biggest security challenges that admins face is the disorganization of servers and related certificates. When many administrators throughout a company are ordering certificates, the task of managing security can become very difficult, even with strict policies. This issue is exacerbated if the company is large and has acquired other entities. Those acquired entities will often have their own policies and infrastructure. Many companies have a very difficult time tracking and monitoring their domains, let alone the certificates used to secure them.
To solve the certificate problem, DigiCert’s Certificate Monitoring provides a complete overview of all certificates logged for a company’s domain. Certificate Monitoring provides comprehensive oversight, giving admins the ability to find, track, and organize all certificates in internal and external networks.
3. Fraudulent Certificates
Certificate Monitoring can quickly and efficiently identify fraudulent certificates—such as certificates issued to phishing sites or that are issued by a non-approved Certificate Authority. As Certificate Monitoring works with CT logs, it provides increased transparency into your security infrastructure and alerts you quickly to malicious behavior that could affect a company’s data or reputation.
DigiCert’s Certificate Monitoring was released on April 14, 2015, and provides admins the tools needed to detect misissued, disorganized, and fraudulent certificates.
The power of Certificate Monitoring is that it assists admins in better and faster remediation of misissued, disorganized, or fraudulent certificates by increasing awareness of certificate configurations and detecting certificates that need revocation. Although the admin will still need to request revocation through the appropriate channels, Certificate Monitoring is another tool that should be in every admin’s belt. Through greater oversight and notifications set to alert you of fraud, DigiCert Certificate Monitoring puts administrators in true control over their certificate management, allowing them to remediate certificate problems before they are exploited.
How Do I Use Certificate Monitoring?
Certificate Monitoring has been released as a public and free tool on DigiCert’s website. Click here to sign up and begin using Certificate Monitoring today.