Certificate Infrastructure or Public Key Infrastructure (PKI) plays an important role in enterprise security by using encryption to secure data transmission. Managing PKI is an important task for enterprise security teams, and manual errors, outdated tools and processes, and lack of visibility can lead to expensive outages and security vulnerabilities. With the volume of connected devices numbering in the thousands, and often tens of thousands, it has become near impossible to manage them manually, using spreadsheets, or homegrown tools. Organizations need to consider implementing consistent processes to properly secure and manage their certificate infrastructure. At AppViewX, we recommend taking a Five Step approach to bring visibility, uniformity, and automation to your PKI practices.
1. Certificate Management
The first step in managing the certificate infrastructure is to gain visibility. You need a reliable system that knows where each certificate resides, which devices it’s assigned to, when it’s due to expire, etc. Administrators who still rely on spreadsheets to keep track of thousands of certificates often can’t keep track of their location, type and expiration dates; they have no way of knowing which certificates need to be rotated or revoked. If an expired certificate causes the system to become unavailable, it could take hours to locate the culprit and remedy the situation. Without visibility into the entire enterprise security infrastructure, managing certificates in a modern enterprise is near impossible.
AppViewX CERT+ manages and automates an entire certificate lifecycle – from enrolment to revocation, monitoring, and end device provisioning. CERT+ provides a centralized inventory system that tracks every certificate that’s currently in use, discarded, or revoked. This single pane of glass view removes the risk associated with unused certificates that could be exploited and makes management at an enterprise scale more efficient and secure.
2. Securing Private Keys
An effective way to secure private keys is by limiting their storage to just a few computers, and restricting access to a limited number of users. Another way to protect private keys is to store them in a password-protected folder after encrypting it. Private keys can also be stored in a secured location, like an HSM – aHardware Security Module device that protects and manages valuable data by encrypting it.
With AppViewX, integration with HSM devices is achieved in two ways: private key encryption and private key generation in HSM via application endpoints.
- Private key encryption: Private keys are generated and stored within AppViewX, while offloading encryption to the HSM device
- Private key generation in HSM via application endpoints: AppViewx performs all certificate management activities, while the HSM creates and stores private keys. This solution is suitable for all devices and can communicate directly with the HSM. A key identifier is used to access private keys.
AppViewX limits the encryption to the HSM device for optimal utilization. Before the private key is stored in an AES-256 encrypted database, it undergoes multiple layers of encryption, such as DEK (Data Encryption Key), KEK (Key Encryption Key), and MEK (Master Encryption Key). While the encrypted private key, encrypted DEK, and encrypted KEK reside within AppViewX, the MEK is stored inside the HSM and cannot be retrieved. This solution is suitable for all supported devices that can communicate directly with the HSM device and can access the private key using a key identifier.
3. Using certificates issued by a trusted CA
A certificate authority (CA) is an organization that validates entities and binds them to cryptographic keys, which are then issued as digital certificates.
Public websites and applications usually have their TLS certificates issued by a trusted CA, while internal applications and testing environments use self-signed certificates.They can sometimes lead to browser warnings, when no authentication is provided. In contrast, a globally trusted CAs provides authentication that satisfies browser requirements.
4. Rotate certificates and SSH keys
SSH keys are used to provide verification and communication between the user and the remote computer. They are used for logging into remote computers for support, maintenance, transferring files, executing commands, etc. SSH keys must be rotated to prevent them from being misused.
Key rotations should be done when the client or CA certificates expire. Organizational policy should include either periodical rotation, or key rotations when a CA or a client key is compromised.
AppViewX provides easy-to-use low-code automation workflows for key rotation.
Best practices suggest that keys should be rotated every 60 days to ensure trust relationships within the infrastructure.
5. Establish policy
Enterprise policies should be set and enforced according to role-based access, certificate renewal durations, and where the keys and certificates are stored. By creating rules and improving transparency, organizations can significantly reduce errors, increase visibility, and minimize certificate-related outages.
AppViewX CERT+ helps organizations manage entire certificate lifecycles li with policy-based automation. Using the AppViewX’s dashboard, administrators can create and enforce custom data protection policies.