Certificate blind spots are an ongoing and growing problem. In 2021, a DigiCert-sponsored survey found that the average enterprise was responsible for more than 50,000 server certificates, and certificate counts continue to rise. Without a centralized cryptographic inventory, companies risk outages caused by expired certificates, as well as breaches or business disruption caused by weaknesses they cannot see because they do not know the certificate exists.
These blind spots become even more complex when organizations acquire or merge with other companies. The newly acquired companies may purchase from different certificate authorities, manage certificates with different policies and different processes, and may not have insight into what is in their environment. This article explores some of these challenges and how DigiCert® Trust Lifecycle Manager can help.
Acquired companies come with their own CA relationships and policies, and these are very likely to differ from those of the acquiring organization. Before IT leaders can decide on a consolidation strategy, bring the acquired company under unified policies, or determine which certificates governing critical business processes need renewal, they must first know what certificates are present across both environments. Complicating this goal is the increase in complexity of IT environments over the last several years: large enterprises are now a combination of on-premises and cloud-based infrastructure, distributed around the world.
Certificate management solutions that provide comprehensive, CA-agnostic discovery give IT leaders the information they need for the first step toward consolidating inventories: knowing what is in both environments. Key criteria include the ability to find and inventory certificates issued by multiple public and private CAs, including cloud-provider CAs, across the myriad target systems on which they may be installed. This inventory can also reveal what needs to be remediated and in what order, for example certificates issued by an unapproved CA, certificates with validity periods longer than policy allows, or certificates that are about to expire.
Two companies that are merging are highly likely to have different policies and processes governing certificate purchase, installation and renewal. Some may have centralized procurement; others may have different departments involved in certificate purchase. Some organizations may require installation and use of certain types of certificates (such as S/MIME, for securing email communications), whereas others may have made some types of certificates optional at the discretion of the employee. Companies may have unmanaged certificates that have been purchased outside of the IT organization or by individuals or departments.
With centralized management of certificate lifecycles, companies can begin to merge their practices around certificate management at the pace and priority that meets their objectives. Key criteria include the ability to designate approved CAs, tag certificate groups and apply policy governing approval workflows or validity periods and automate provisioning of certificates against directory services.
Crypto agility is an important goal in mergers and acquisitions for a few reasons. First, a merger or acquisition expands the certificate pool and the IT complexity of managing issuance and renewals without error. Second, validity periods and standards change. Being able to handle shorter validity periods (whether one year, 90 days, or the very short lifetimes of ephemeral certificates) and to bring certificate types into compliance with new standards requirements is essential. Third, companies need to begin preparing for post-quantum cryptography, which means maturing certificate governance now so that algorithm updates can be rolled out in lockstep with advances in quantum computing. These are some of the reasons why NIST's practice guide for TLS server certificate management, NIST SP 1800-16, stresses automation as a fundamental requirement.
With automation of certificate issuance and renewal, companies can streamline complexity, remove human error and build in agility for responding to change. Key criteria include the ability to automate certificates for a broad range of enrollment flows, target systems and use cases.
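The discovery, policy and validity-period requirements described above can be made concrete in a small inventory tool. The following is an added example written for this article, not DigiCert code and not part of Trust Lifecycle Manager: it takes scan results in the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns, merges two environments' results while deduplicating certificates seen on more than one host, and evaluates each certificate against a single unified policy (approved issuers, a maximum validity period, and a renewal warning window). The host names, issuer names, serial numbers and dates in the sample data are constructed for illustration; `scan_host()` shows how the same records would be collected from live endpoints.

```python
"""Merge two certificate inventories and audit them against one policy.

Added example for illustration; not DigiCert or Trust Lifecycle Manager code.
Records use the dict layout returned by ssl.SSLSocket.getpeercert(), so the
offline sample below and a live scan_host() result go through the same code.
"""
import socket
import ssl
from datetime import datetime, timezone

APPROVED_CAS = {"DigiCert Inc"}   # issuer organizationName values allowed by the merged policy
MAX_VALIDITY_DAYS = 398           # CA/Browser Forum ceiling for public TLS leaf certificates
WARN_DAYS = 30                    # renewal lead time

# Constructed sample data (fictitious hosts, issuers, serials and dates).
# Each entry is (host the cert was observed on, getpeercert()-style dict).
ACQUIRER_SCAN = [
    ("www.acquirer.example", {
        "subject": ((("commonName", "www.acquirer.example"),),),
        "issuer": ((("organizationName", "DigiCert Inc"),), (("commonName", "DigiCert TLS RSA SHA256 2020 CA1"),)),
        "notBefore": "Jan  1 00:00:00 2024 GMT", "notAfter": "Dec 31 23:59:59 2024 GMT",
        "serialNumber": "0A1B", "subjectAltName": (("DNS", "www.acquirer.example"),)}),
    ("api.acquirer.example", {
        "subject": ((("commonName", "api.acquirer.example"),),),
        "issuer": ((("organizationName", "DigiCert Inc"),), (("commonName", "DigiCert TLS RSA SHA256 2020 CA1"),)),
        "notBefore": "Jun  1 00:00:00 2024 GMT", "notAfter": "May 31 23:59:59 2025 GMT",
        "serialNumber": "0A1C", "subjectAltName": (("DNS", "api.acquirer.example"),)}),
]
ACQUIRED_SCAN = [
    ("www.target.example", {
        "subject": ((("commonName", "www.target.example"),),),
        "issuer": ((("organizationName", "Example Public CA Ltd"),), (("commonName", "Example Public CA R3"),)),
        "notBefore": "Mar  1 00:00:00 2024 GMT", "notAfter": "Mar  1 00:00:00 2025 GMT",
        "serialNumber": "B001", "subjectAltName": (("DNS", "www.target.example"),)}),
    # Same internal-CA certificate served from two hosts: a load balancer and its origin.
    ("intranet.target.example", {
        "subject": ((("commonName", "intranet.target.example"),),),
        "issuer": ((("organizationName", "Target Corp Internal CA"),), (("commonName", "Target Issuing CA 1"),)),
        "notBefore": "Jan  1 00:00:00 2023 GMT", "notAfter": "Jan  1 00:00:00 2026 GMT",
        "serialNumber": "B002", "subjectAltName": (("DNS", "intranet.target.example"),)}),
    ("lb.target.example", {
        "subject": ((("commonName", "intranet.target.example"),),),
        "issuer": ((("organizationName", "Target Corp Internal CA"),), (("commonName", "Target Issuing CA 1"),)),
        "notBefore": "Jan  1 00:00:00 2023 GMT", "notAfter": "Jan  1 00:00:00 2026 GMT",
        "serialNumber": "B002", "subjectAltName": (("DNS", "intranet.target.example"),)}),
]
SAMPLE_NOW = datetime(2024, 12, 15, tzinfo=timezone.utc)  # fixed clock so the sample is reproducible


def _name_attr(name, attr):
    """Pull one attribute (e.g. 'commonName') out of getpeercert()'s nested RDN tuples."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def normalize(host, peercert):
    """Flatten a getpeercert() dict into one inventory record with epoch-second dates."""
    not_before = ssl.cert_time_to_seconds(peercert["notBefore"])
    not_after = ssl.cert_time_to_seconds(peercert["notAfter"])
    return {
        "cn": _name_attr(peercert["subject"], "commonName"),
        "issuer_org": _name_attr(peercert["issuer"], "organizationName"),
        "issuer_cn": _name_attr(peercert["issuer"], "commonName"),
        "serial": peercert["serialNumber"],
        "not_before": not_before,
        "not_after": not_after,
        "validity_days": (not_after - not_before) // 86400,
        "sans": sorted(v for k, v in peercert.get("subjectAltName", ()) if k == "DNS"),
        "hosts": [host],
    }


def merge_inventories(*scans):
    """Combine scans from several environments; (issuer CN, serial) identifies one certificate."""
    merged = {}
    for scan in scans:
        for host, peercert in scan:
            rec = normalize(host, peercert)
            key = (rec["issuer_cn"], rec["serial"])
            if key in merged:
                merged[key]["hosts"].append(host)   # same cert, another host: one record, two locations
            else:
                merged[key] = rec
    return list(merged.values())


def evaluate(rec, now, approved_cas=APPROVED_CAS, max_validity_days=MAX_VALIDITY_DAYS, warn_days=WARN_DAYS):
    """Return the policy findings for one record (empty list means compliant)."""
    findings = []
    if rec["issuer_org"] not in approved_cas:
        findings.append("UNAPPROVED_CA")
    days_left = (rec["not_after"] - int(now.timestamp())) // 86400
    if days_left < 0:
        findings.append("EXPIRED")
    elif days_left <= warn_days:
        findings.append("EXPIRING_SOON")
    if rec["validity_days"] > max_validity_days:
        findings.append("VALIDITY_TOO_LONG")
    return findings


def audit(inventory, now, **policy):
    """Map subject CN to its findings for the whole merged inventory."""
    return {rec["cn"]: evaluate(rec, now, **policy) for rec in inventory}


def scan_host(host, port=443, timeout=5.0):
    """Live discovery for one endpoint (network; not used by the offline sample).
    Endpoints issued by a private CA need that root loaded via ctx.load_verify_locations(),
    otherwise the handshake fails and no certificate is returned."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return host, tls.getpeercert()


def run_sample():
    """Merge the two constructed scans and audit them at SAMPLE_NOW."""
    inventory = merge_inventories(ACQUIRER_SCAN, ACQUIRED_SCAN)
    return inventory, audit(inventory, SAMPLE_NOW)


if __name__ == "__main__":
    inventory, report = run_sample()
    for rec in inventory:
        print(f"{rec['cn']:28} issuer={rec['issuer_org']!r:28} hosts={len(rec['hosts'])} "
              f"validity={rec['validity_days']}d findings={report[rec['cn']] or 'OK'}")
```

Keying the merge on issuer plus serial number, rather than on host or subject name, is what lets one certificate deployed in several places appear once in the consolidated inventory with all of its locations listed; that is the view needed to plan a renewal or a CA migration without missing a host. Tightening the policy later (for example, lowering `MAX_VALIDITY_DAYS` to 90) re-audits the same records with no change to the discovery side.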
DigiCert Trust Lifecycle Manager is helping organizations address the challenges listed above, with discovery of their certificate inventory, centralized management of their certificate policies and processes, and automation of certificate lifecycles.
One DigiCert customer, for example, had a capable PKI team that managed the DigiCert TLS certificates it acquired from CertCentral® using Excel spreadsheets and scripts. A pending acquisition, however, drove the need for a way to centrally manage both its existing certificate universe and the one arriving with the new organization.
Some of their key needs included:
DigiCert Trust Lifecycle Manager met these needs, allowing them to broaden their certificate management to include the certificates present in the acquired organization while benefiting from the seamless integration with CertCentral, which they continue to rely on for public trust certificate issuance. The ability to have both a truly CA-agnostic solution and one that integrated so tightly with their approved CA is another example of how digital trust meets the real world.
Learn more about how we provide the discovery, management and automation needed to consolidate multiple certificate inventories under a single pane of glass at https://www.digicert.com/trust-lifecycle-manager.