A Quick Start Guide to SSL Certificate Inventory and Management

How many SSL Certificates can one admin manage?

SiliconAngle reported a ongoing study that says the average enterprise manages almost 700 physical servers in its network infrastructure. If you’re Microsoft or Google,  that number is estimated to be around one million servers that are being managed at any given time.

Regardless of the size of your organization, managing the ongoing security requirements for server deployments can be an extremely challenging and demanding process whether you are dealing with a few or dozens of servers.

In addition to the number of physical machines in a network, virtualization means that each of those devices could have additional virtual servers—all of which require security, monitoring, and management. Take all of this and add it to the growing number of Internet-connected devices and Internet services that enterprises use to conduct business; it all amounts to huge pressure on administrators and security professionals just to keep with the everyday demands of running a business.

Complete enterprise security requires more than just installing an SSL Certificate. With multiple online systems and services, keeping up with expiration dates, system vulnerabilities, and internal processes and controls for preventing fraud, is a daunting task. So, how do you make it easier?

Simplified Certificate Inventory

One of the common questions admins struggle answering is, “Where are all of my certificates?” We recently worked with a large enterprise with a detailed, internal process for tracking all of their SSL Certificates. They’re certificate inventory spreadsheet listed over 30,000 certificates and they were confident that it accounted for all of the SSLs in their network.

We fired up DigiCert’s free SSL inventory tool Certificate Inspector and the  agent quickly set out to collect inventory for all SSLs in the client’s network. After completing the scans, the agent found several hundred additional certificates in expected devices and on non-standard ports.

Certificate Inspector makes is easy to identify all of the SSL Certificates installed across your network. The inspector agent can identify internal and external certificates running on servers and network devices, and makes it easy to quickly account for all certificates your organization is currently managing.

SSL Management Made Easy

Every SSL Certificate found by the inventory tool is graded based on certificate implementation and server security. Certificate Inspector’s advanced SSL analysis examines all certificate problems and known server vulnerabilities in real time, including:

  • Vulnerability to Heartbleed, Poodle, CRIME, BEAST, or BREACH attacks
  • Certificates with weak private keys: RSA keys under 2048-bit or ECC key under 233-bit
  • Expired or expiring certificate dates
  • Internal names
  • Missing fields and values
  • Certificate name mismatch
  • Weak cipher suites, such as a cipher suite that uses 56-bit block ciphers or a 1024-bit key size
  • SHA-1 vs SHA-2
  • Broken chains
  • SSL v2, SSL v3, MD5

When a vulnerability was announced, this large enterprise customer didn’t need to scramble to find a service to test the thousands of servers and services they were running.

Certificate Inspector was updated to scan for the latest possible threats and quickly identified affected servers, making patching and management a streamlined process.

Enterprise Security Done Right

As the number of online devices and services continues to expand in the enterprise, the complexity of maintaining system security will only continue to grow. Advanced tools for certificate inventory are a critical resource for administrators to use in staying on top of enterprise security needs.

Total enterprise security today requires more than just buying a SSL Certificate. Enterprise security needs to be done right, and made easy in order for admins to stay ahead of the growing number of threats that organizations face today.