Don’t Let the CRACKS in Your Security Foundation Topple Your Digital Empire
Issue 2
Don’t Let the CRACKS in Your Security Foundation Topple Your Digital Empire (page 1)
Research from Gartner: Technology Insight for X.509 Certificate Management (page 6)
About Comodo (page 13)
Introduction
TLS/SSL certificates. Ugh, 2002’s technology. Last week’s news. Boring, right?
Not true. Let’s not discount TLS/SSL certificates just yet. These hardworking digital certificates are still very much the fundamental foundation for web security, authenticating users, enabling secure program to program and machine to machine communication, digital signature verification, and code signing, and are the basis for an estimated $360 Billion in online transactions alone in 2016[1].
We all know that TLS/SSL certificates enable
secure web transactions by providing a
protected, trusted connection between a
given browser and a given website, basically
verifying that a site is, in fact, what it claims
to be. But in addition to these standard,
well-known uses, there are several lesser
known extended uses including granting
users access to both networks and resources,
code signing and authentication, to name
a few. Let’s talk for a moment about code
signing. This can be an exceptionally
valuable feature as without it your users
don’t know and can’t prove that a piece of
code transmitted over the Internet is what it’s
supposed to be, or claims to be. Centralized
certificate management becomes especially
valuable when sharing certs and keys among
a far-flung group of developers, resolving
code signing errors, revoking or deleting
certificates as well as more generalized
certificate renewal issues.
As we all know, the Internet of Things is not
just “coming soon to an environment near
you,” it’s already here. Today. And if we
stop to think about the new and potentially
overwhelming need for device certificates,
especially for new IoT devices in addition to
existing servers, laptops, desktops, tablets
and smartphones, we start to see that
this one sector alone will bring with it an
enormous need for new certificates.
When we add this to the fact that
most organizations’ existing certificate
management programs are at best barely
keeping up with current demand and are at
worst studies in abject failure, we see that
there is a huge need for a robust, automated
certificate management program. The truth
of the matter is that certificates need to be
carefully and thoughtfully managed. Too
many companies neglect their certificate
management needs, and run a serious risk in
the process. To quote Gartner Research,
“Gartner clients continue to cite X.509 certificate expiries as being a leading concern with respect to management of certificates.”
In general, security is too often compromised by a lack of automated certificate management tools. Attempts to manually track and monitor multiple certificates from various vendors – usually relying primarily on spreadsheets and sticky notes – almost always result in error and mismanagement, leading to missed renewals and expired certificates, which generally leads to insecure connections, lack of trust, and a tarnished brand, if not bigger problems. Relying on almost stone-age technology to make sure that certificates are renewed on time, that validations are done and that certificate requests are handled appropriately, is a nearly fool-proof recipe for disaster.
IoT
Now add the deluge of requests that the Internet of Things has already started to bring and you can remove that “nearly” in the above sentence altogether. In 2015 an expired certificate led to Google’s Gmail SMTP service being unavailable for several hours[2]. That same year, Apple had a certificate issue as well that caused havoc within Apple’s developer community. This time it wasn’t an expired certificate but a certificate that was using a different algorithm that was to blame[3]. And these are just two examples of how large, well-managed companies with ample resources have been adversely affected by their lack of enterprise-grade certificate management.
HTTPS Adoption
Google has been enhancing search rankings for sites using HTTPS over HTTP. As HTTPS continues to become more common and widely known – and even expected – there will be another commensurate increase in demand for TLS/SSL certificates to make sure that the communication channel is, in fact, secured and encrypted, and to prove that these websites are safe and actually are who they claim to be. Along these lines, falling under the “Encrypt All The Things” movement, which, as its name implies, is pushing to make the Internet a safer place using state of the art encryption, Google has a plan to start flagging non-secured HTTP sites with a red X over the browser window padlock through Google Chrome starting in January of 2017.
How Then to Solve the Certificate Management Problem?
The obvious answer is by utilizing a robust integrated certificate management solution like Comodo Certificate Manager to automate the process and protect against data breaches, failed audits and costly unplanned downtime. When just one expired certificate can lead to major outages, potentially costing tens of thousands of dollars to remediate and damaging brand integrity, it definitely makes sense for organizations to protect themselves with CCM.
Created by the global leader in SSL Certificates, CCM is an industry-leading, fully integrated automated enterprise solution designed to simplify digital certificate issuance and lifecycle management. Through its advanced capabilities, CCM provides businesses the ability to self-administer, instantly provision, and control all SSL certificates throughout their organization. Comodo leads the SSL certificate industry not only in market share but also as an originator of the Certificate Authority/Browser (CA/B) Forum, a consortium of CAs and Internet browser providers that develop guidelines to govern the issuance and management of CAs. Comodo has been a pioneer in certificate management since the founding of the CA/B Forum in 2005 and issues more certificates than anyone else on earth, having surpassed Symantec (Verisign) in February, 2015, and has widened its lead over its nearest competitor by over 10% since then, currently holding over 40% of market share.
[1] Source: US Census Bureau News - https://www.census.gov/retail/mrts/www/data/pdf/ec_current.pdf
[2] Source: Computer World - http://www.computerworld.com/article/2906039/expired-google-certificate-temporarily-disrupts-gmail-service.html
[3] Source: Tech Crunch - https://techcrunch.com/2015/11/12/all-mac-store-apps-stopped-working-due-to-expired-security-certificate/
Don’t Let the CRACKS in Your Security Foundation Topple Your Digital Empire is published by Comodo. Editorial content supplied by Comodo is independent of Gartner analysis. All Gartner research is used with Gartner’s permission, and was originally published as part of Gartner’s syndicated research service available to all entitled Gartner clients. © 2016 Gartner, Inc. and/or its affiliates. All rights reserved. The use of Gartner research in this publication does not indicate Gartner’s endorsement of Comodo’s products and/or strategies. Reproduction or distribution of this publication in any form without Gartner’s prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner’s Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see “Guiding Principles on Independence and Objectivity” on its website.
CCM’s Auto Discovery feature simplifies the formerly arduous and error-prone manual discovery process. Rather than logging into various vendor portals to monitor each certificate’s lifecycle (which may have been a viable approach in simpler times) and manually
collecting detailed information on SSL certificates purchased at different
times from different CAs, Comodo Certificate Manager automates
the process. After conducting a comprehensive scan of external and
internal networks to discover every certificate regardless of the issuer,
CCM automatically imports all relevant information, bringing the entire
certificate inventory under central control and offering a comprehensive
view of all certificates. CCM’s Auto Discovery feature provides vital
details about each certificate, including:
• The location of each SSL certificate
• The name of the CA that issued each SSL certificate
• The date each SSL certificate is set to expire
• Whether any certificates have weak keys (as of January 2014, keys
must be 2048 bit or higher)
• Scheduling scans to run on a recurring basis.
• Providing the Signature Algorithm used to sign the certificate
• Identifying what ciphers are supported on the targets
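The details listed above are what a discovery scan has to pull off every endpoint. The following is an added example, not Comodo’s code or CCM’s scanner, written against Python’s standard library only: scan_host() performs a verifying TLS handshake and normalize_cert() flattens what the ssl module reports (issuer, validity dates, SANs, negotiated cipher and protocol) into one inventory record. The record layout, the sample peer-certificate dict and the host names are constructed for illustration. Key length and signature algorithm are not exposed by getpeercert(), so a complete scanner would additionally parse the DER certificate (getpeercert(binary_form=True)) with an X.509 library for those two fields.

```python
import socket
import ssl
from datetime import datetime, timezone


def _rdn_value(rdn_seq, key):
    """Pull one attribute (e.g. 'commonName') out of the nested tuples that
    ssl.SSLSocket.getpeercert() uses for the 'subject' and 'issuer' fields."""
    for rdn in rdn_seq:
        for attr_name, attr_value in rdn:
            if attr_name == key:
                return attr_value
    return None


def normalize_cert(cert, cipher):
    """Flatten the dict returned by getpeercert() plus the (name, protocol,
    secret_bits) tuple from SSLSocket.cipher() into one inventory record.
    The record layout is an assumption of this example, not CCM's schema."""
    not_before = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notBefore"]), tz=timezone.utc)
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    sans = [value for kind, value in cert.get("subjectAltName", ())
            if kind == "DNS"]
    return {
        "subject": _rdn_value(cert["subject"], "commonName"),
        "issuer": _rdn_value(cert["issuer"], "commonName"),
        # A self-signed certificate names itself as issuer.
        "self_signed": cert["subject"] == cert["issuer"],
        "sans": sans,
        "serial": cert.get("serialNumber"),
        "not_before": not_before,
        "not_after": not_after,
        "cipher": cipher[0],
        "protocol": cipher[1],
    }


def scan_host(host, port=443, cafile=None, crlfile=None, timeout=5.0):
    """Handshake with host:port and return an inventory record.

    The context verifies the chain, so certificates from an internal CA are
    only reported once that CA's root is supplied via cafile. A failed
    handshake or verification comes back as a record with an 'error' field
    instead of an exception, so one bad target does not abort the sweep.
    Supplying a PEM CRL file switches on leaf revocation checking, which the
    ssl module leaves off by default."""
    ctx = ssl.create_default_context(cafile=cafile)
    if crlfile:
        ctx.load_verify_locations(cafile=crlfile)  # CRLs load via the same call
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                record = normalize_cert(tls.getpeercert(), tls.cipher())
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return {"host": host, "port": port, "error": str(exc)}
    record.update(host=host, port=port)
    return record


# Constructed sample in the exact shape getpeercert() returns, so the
# normaliser can be exercised offline.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example CA Inc"),),
               (("commonName", "Example Issuing CA 1"),)),
    "notBefore": "Jan  1 00:00:00 2016 GMT",
    "notAfter": "Dec 31 23:59:59 2016 GMT",
    "serialNumber": "0A1B2C3D",
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "example.test")),
}
SAMPLE_CIPHER = ("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2", 128)


if __name__ == "__main__":
    record = normalize_cert(SAMPLE_PEERCERT, SAMPLE_CIPHER)
    print(record["issuer"], record["not_after"].date(), record["cipher"])
    # Live sweep: scan_host("www.example.test", cafile="internal-root.pem")
```

Run the block as-is to see the normalised sample; point scan_host() at an internal host name with the internal root in cafile to get the same record shape for a certificate issued by Microsoft Certificate Services or another private CA.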
Internal Certificate Authorities
When it comes to certificates, it really comes down to two possible
scenarios: a company can have certificates issued by an Internal
Certificate Authority such as Microsoft Certificate Services or it can
have certificates issued by publicly trusted CAs, such as Comodo.
With the ever-increasing need to issue more certificates for mobile
devices, email and IoT, a number of companies are choosing
internally signed certificate authorities such as Microsoft Certificate
Services for internal applications. While this reduces the need to
purchase publicly trusted certificates, all of these certificates still
need to be managed. CCM’s Active Directory controller works as a
proxy between the Comodo CA and Microsoft Active Directory. This
direct integration provides discovery and information management
of certificates issued by Microsoft Certificate Services. CCM will
scan a Microsoft Active Directory environment to discover every
certificate, regardless of type. CCM then classifies them based upon
their Extended Key Usage (EKU) and imports them into a temporary
staging area where administrators can more easily manage them.
Comodo Certificate Manager
All of these are excellent reasons why now is the time to deploy
Comodo Certificate Manager. When compliance, website security
and brand reputation are all on the line, and when IT departments
are already spread dangerously thin, let CCM do the heavy lifting
and keep your network, data and organization secure by not letting
certificates lapse while managing every aspect of your organization’s
certificate lifecycle. For automated discovery of private and public CAs,
automatic renewal and installation of certs (a.k.a. set and forget cert
renewal), lower costs of certificate ownership, integration with MS AD
and MS Certificate Server, and Support for IoT devices, choose CCM for
full certificate lifecycle management.
WebTrust Certification
CCM is a proven, well-regarded and thoroughly trusted global
solution for enterprise certificate management. Comodo’s CA
infrastructure is WebTrust certified by Ernst & Young. CCM creates an
efficient, productive and secure business environment that allows
organizations to issue SSL certificates for use within internal and
external networks, websites, and email systems.
Quick, Easy and Cost-Effective
CCM offers scaled discounts on Comodo’s already low SSL certificate
pricing, enabling quick, easy and cost-effective fulfillment of multiple
certificate requirements for distributed systems, email and devices.
Fast, Customer-Focused Rollout
CCM’s Software-as-a-Service (SaaS) architecture enables PKI
management within hours. CCM significantly reduces administrative
obstacles and time delays. SSL certificates can be issued immediately
through a secure web console, thus enabling network servers, users,
applications, objects and devices to be secured quickly. CCM also
automates the enrollment process for requesting and issuing SSL,
client authentication, code signing and S/MIME certificates.
Multiple Administrative Tiers
CCM provides 3 layers of delegated administration. This enables
granular user management, enabling a master administrator to
assign specific permissions to various personnel across the org chart.
Business sectors can be delegated in such a way that the certificate
asset management of a particular department, network, domain or
subdomain can be assigned in whatever way is most beneficial to the
organization, even to a specific person.
Maximize Certificate Management with Minimal Resource
Expenditure
Comodo safeguards businesses against the interruptions associated
with manual CA management. CCM discovers all certificates in the
trust chain (root, intermediate and end-entity) and provides details of
each individual certificate including its issuing authority and expiration
date. In addition, CCM’s dashboard provides customizable at-a-glance information on expiring certificates, requested certificates, key
strengths and more.
Automatic Installation and Renewal
CCM provides administrators the ability to manage and schedule
automatic renewal and installation of certificates through both agent-based and agentless solutions. In the agent model, administrators
install an agent where the certificate is installed. This agent monitors the
certificate and at renewal time, generates a private key and certificate
signing request. This request is submitted to CCM. Once the domain is
validated, the certificate is issued and the agent downloads and installs
it automatically. In the agentless model, an installation controller is
installed on a central node with access to the targeted nodes via SSH.
Device Certificates
While the majority of companies now support BYOD in the workplace,
few have been able to effectively manage the phenomenon,
especially the need for so many new certificates, new security
measures and necessary network improvements. Additional
concerns are time to implementation and the costs of monitoring so
many devices. Comodo provides hosting of private roots, enabling
enterprises to generate private certificates. Enterprises can use these
private certificates to authenticate users requiring access to internal
networks from smartphones and tablets. These certs offer the fastest,
most secure method for securing BYOD connectivity without the cost
and complexity of installing agent software on employee mobile
devices. CCM also provides an API to access and use CCM as a Simple
Certificate Enrollment Protocol (SCEP) server.*
Features
Certificate Lifecycle Administration - Extensive portfolio of SSL, Code Signing, S/MIME and client authentication certificates allowing for the
rapid enrollment, approval, issuance, revocation and renewal of all
certificates.
Automatic Scheduled Renewal and Installation - Provides scheduled
revalidation and installation of critical certificates; this set-and-forget
functionality ensures that users never receive an expired certificate error
and applies to all certificate types.
Configurable Email Notifications - Allows the administrator to be
notified about requests, approvals, expirations or revocations and
enables certificate owners and administrators to receive expiration
notices in advance.
Same-Day Expirations - Administrators control the term and
expiration of all issued certificates.
Dashboard - Provides one common, intuitive dashboard to view.
Reporting - Produce detailed reports, certificate and administrative
status, and activity logs.
Client Key Management Services - Escrow and recovery of private
keys enable a protected, policy-driven, restoration of user encrypted
data.
Automatic Deployment with Microsoft Active Directory or CSV
File Upload - Rapid client certificate distribution and management
achieves tight integration with a variety of directory-based employee/
device management systems.
Automatic CSR Generation and Private Key Management - Escrow
and recovery of private keys for SSL certificates in a secure and
redundant way simplify key management and protects certificate
assets from human error and data loss.
Device Certificates - Comodo provides private root hosting for
enterprises, allowing those entities to generate private, trusted
certificates for all devices.
API Access - Allows organizations with other device management
and reporting solutions to access elements of CCM.
Self-Enrollment Web Interface - Provides a secure self-service
workflow for SSL or client certificates, enabling easy certificate
enrollment and distribution.
Internal and External Discovery Scanning - Administrators can track and
see all the details of each certificate purchased from different vendors.
Customized Web Interfaces - Can be customized with your corporate
logo and images to help maintain your brand identity.
Secure, Multi-Tiered Administrative Web Interface - Flexible
organizational alignment of administrative domains that easily
adjusts to your business model.
Reliable OCSP - Comodo real-time Online Certificate Status Protocol
(OCSP) is distributed worldwide to maintain high availability.
Code Signing on Demand - Rapid code-signing service lets
enterprises give their development teams a centrally managed
platform to sign their code. This allows them to manage which users
can sign code, what code has been signed, and which code-signing
certificate was used, as well as the status of those code-signing
certificates. This can be done on-premises or in the cloud.
Two-Factor Authentication and/or IP Address Validation - Provides
highly secure administrative account access protection.
Assured Compliance - Comodo will automatically keep Private CAs in
compliance with any changes to certificate regulations.
Web Service APIs - APIs are available for the enrollment, renewal
and revocation of SSL and Client Certificates.
Quick Implementation and Setup - CCM features fast and efficient
auto enrollment and auto installation.
Private CA - CCM’s ‘Private CA’ feature allows companies to seamlessly and expertly issue and manage privately trusted certificates without any of the usual associated setup and management costs, on-premises or in the cloud.
Source: Comodo
Research from Gartner
Technology Insight for X.509
Certificate Management
Security leaders are often unaware of the
scope or status of their X.509 certificate
deployments until it’s too late. As the scope
of certificates expands to devices, people
and things, security leaders must establish
formalized plans and, if necessary, leverage
available tools to minimize impacts.
Key Findings
• Security leaders continue to struggle with the management of X.509 certificates, citing that a number of externally facing and internally facing system outages can be traced to unplanned X.509 certificate expiry.
• While several offerings exist to discover X.509 certificates, most organizations rely on spreadsheet-based tracking methods and manual processes to keep track of certificates, resulting in many undocumented installations and increased exposure to risks.
• When using discovery tools, security leaders are often surprised by the amount of unknown certificates, from multiple certificate authorities (CAs), that exist in their environment.
• Unknown and unmanaged X.509 certificates pose a security risk, as some may be based on deprecated cryptographic algorithms (such as Secure Hash Algorithm 1 [SHA-1]). Complicating this further are the growing use cases for X.509 certificates on devices, people and things.
• New sources of X.509 certificates, such as free Secure Sockets Layer (SSL)/Transport Layer Security (TLS) certificates, increase the likelihood of rogue certificate use by internal parties, such as developers and DevOps.
Recommendations
• Use full life cycle management or discovery-centric tools to audit the number of deployed X.509 certificates to identify potential risks from expiry.
• Use full life cycle certificate management tools when dealing with large, complex, multivendor certificate environments — especially, when dealing with multiple certificate-based enterprise use cases, such as mobile and the Internet of Things (IoT).
• Ensure that X.509 certificate operations and management align with the overall cybersecurity incident response plan.
Strategic Planning Assumption
By 2019, organizations that leverage X.509 certificate management tools will suffer 60% fewer certificate-related issues and will spend half the time managing these issues over organizations that use spreadsheet-based management methods.
Analysis
Organizations are reliant on digital communications secured using X.509 certificates for their day-to-day operations. Certificates are used for user and device authentication, secure communications using Transport Layer Security/Secure Sockets Layer (TLS/SSL; see Note 1), program-to-program and machine-to-machine communications (including IoT), digital signature, and code signing. Many unseen internal and external services performing their daily duties are authenticated and trusted based on a relatively simple process involving the verification that an issued certificate is still active.
Many organizations that have an unplanned certificate expiry typically focus on other systemic causes, such as hardware/software issues, long before they begin to consider an expired X.509 certificate as the source of troubles. This typically results in significant delays in identifying and resolving the root cause of a system outage. This research aims to educate security leaders on the role of X.509 certificate management technologies and tools.
Definition
X.509 certificate management tools
arm organizations with critical insight,
automation and management capabilities
when dealing with digital certificates.
If not managed properly, certificates
can expire, triggering browser warning
messages that can cause users to abandon
transactions. To avoid issues associated
with out-of-compliance certificates,
certificate management tools offer discovery
capabilities to locate and help populate the
certificate inventory, and replace those that
are faulty, corrupted or out of compliance.
Certificate management system (CMS)
software is used to discover, identify,
track, notify, and ultimately automatically
renew and audit the installation of X.509
certificates.
Description
While X.509 certificate management has
been available for some time, a number of
organizations continue to use spreadsheet
and other manual methods to manage
certificates. This might suffice for small,
noncomplex environments; however, for
many other organizations, X.509 certificates
are quite pervasive and manual methods
will no longer suffice. As the use cases for
public-key infrastructure (PKI) and X.509
certificates increase to cover people, devices
and things (IoT), certificate volumes, issuance
velocity and diversity will also increase. In
particular, the increased diversity of X.509
certificate types and attributes increases the
complexity of certificate management.
Security leaders must account for and
manage several critical certificate types and
attributes, such as:
• Certificate Types: For example, device
certificates, domain-validated (DV),
organization-validated (OV) or extended
validation (EV), Subject Alternative
Name (SAN; see “Evaluating SSL/TLS for
Certificates for E-Business”), and/or self-signed certificates for various use cases.
• Hashing, Key Length and Cryptographic
Algorithms: Digital certificates are based
on public-key cryptography, which relies
on a number of cryptographic primitives.
Due to ongoing threats (see the Risks
section), these attributes need to be
monitored and updated periodically.
• Expiry Dates: Certificates can cause
systems to fail, in some cases
unexpectedly, if not renewed according to
policy.
• Certificate Usage and Owners: Who and
how these certificates are used should
also be monitored. Misuse or abuse of
certificates can expose organizations to a
number of security threats. For example, if
a malicious actor were to gain access to a
website SSL/TLS certificate (private key), it
would be able to conduct phishing attacks
that could leverage fake or false websites.
Additionally, assigned ownership also
needs to be managed as certificate
owners typically change over time.
Overall, the complexity of X.509 certificate
management will increase dramatically as
the use cases and volume of certificates
increase.
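A policy check over a discovered inventory, covering the attributes listed above (expiry, key length and hashing algorithm, ownership) and the weak-key and signature-algorithm items in Comodo’s Auto Discovery list earlier in this publication. This is an added example, not Gartner’s or Comodo’s code: each record is tested for expiry or imminent expiry, RSA keys below 2048 bits, SHA-1/MD5 signatures, self-signed certificates without a recorded exception, and missing ownership, and the inventory is summarised per issuing CA. The thresholds, the record fields and the four sample certificates are assumptions constructed for the example.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Policy thresholds: assumptions of this example, not figures from the text.
MIN_RSA_BITS = 2048
DEPRECATED_SIG_ALGS = {"sha1WithRSAEncryption", "md5WithRSAEncryption"}
EXPIRY_WARNING = timedelta(days=30)


def audit_certificate(rec, now):
    """Return a list of (code, detail) findings for one inventory record."""
    findings = []
    remaining = rec["not_after"] - now
    if remaining <= timedelta(0):
        findings.append(("expired", f"expired {(-remaining).days} days ago"))
    elif remaining <= EXPIRY_WARNING:
        findings.append(("expiring", f"expires in {remaining.days} days"))
    if rec["key_type"] == "RSA" and rec["key_bits"] < MIN_RSA_BITS:
        findings.append(("weak-key", f"RSA {rec['key_bits']} bits < {MIN_RSA_BITS}"))
    if rec["sig_alg"] in DEPRECATED_SIG_ALGS:
        findings.append(("deprecated-hash", rec["sig_alg"]))
    if rec["self_signed"] and not rec.get("self_signed_approved", False):
        findings.append(("unapproved-self-signed", "no policy exception on file"))
    if not rec.get("owner"):
        findings.append(("no-owner", "no accountable owner recorded"))
    return findings


def audit_inventory(inventory, now):
    """Map location -> findings, omitting certificates with nothing to report."""
    report = {}
    for rec in inventory:
        findings = audit_certificate(rec, now)
        if findings:
            report[rec["location"]] = findings
    return report


def issuer_summary(inventory):
    """Count certificates per issuing CA: the 'how many CAs are really in
    use here' question that discovery usually answers with a surprise."""
    return Counter(rec["issuer"] for rec in inventory)


UTC = timezone.utc
NOW = datetime(2016, 9, 15, tzinfo=UTC)  # fixed clock so results are reproducible

# Constructed inventory; hosts, CA names, owners and dates are illustrative.
INVENTORY = [
    {"location": "web01:443", "issuer": "Example Public CA", "owner": "web-team",
     "not_after": datetime(2016, 10, 1, tzinfo=UTC), "key_type": "RSA",
     "key_bits": 2048, "sig_alg": "sha256WithRSAEncryption", "self_signed": False},
    {"location": "mail01:465", "issuer": "Example Public CA", "owner": None,
     "not_after": datetime(2016, 8, 30, tzinfo=UTC), "key_type": "RSA",
     "key_bits": 1024, "sig_alg": "sha1WithRSAEncryption", "self_signed": False},
    {"location": "dev-api:8443", "issuer": "dev-api", "owner": "dev-team",
     "not_after": datetime(2017, 5, 1, tzinfo=UTC), "key_type": "RSA",
     "key_bits": 2048, "sig_alg": "sha256WithRSAEncryption", "self_signed": True},
    {"location": "vpn-gw:443", "issuer": "Corp Internal CA", "owner": "netops",
     "not_after": datetime(2018, 1, 1, tzinfo=UTC), "key_type": "EC",
     "key_bits": 256, "sig_alg": "ecdsa-with-SHA256", "self_signed": False},
]


if __name__ == "__main__":
    for location, findings in audit_inventory(INVENTORY, NOW).items():
        for code, detail in findings:
            print(f"{location:14} {code:24} {detail}")
    print(dict(issuer_summary(INVENTORY)))
```

The key-length rule is deliberately scoped to RSA: a 256-bit EC key is not weak, and a scanner that applies one bit-count threshold to every key type produces false alarms for exactly the devices where EC keys are most common.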
Functions of X.509 Certificate
Management Solutions
Discovery
Discovery is a primary function of a CMS. It
scans the network, systems and applications;
logs all instances of X.509 certificates; and
may include all or some of the following: SSL/
TLS, Secure Shell (SSH), Pretty Good Privacy
(PGP) and others. Filters can be set to limit
“noise” in discovery, but overall discovery
should be able to support a deep-dive
understanding of where cryptographic keys
are stored, their strength, the issuer, validity
period and expiry date. There is a potential
problem with some discovery “crawlers” that
may occasionally cause a target platform
to malfunction. Further, some keys, such as
those supporting Microsoft’s Encrypting File
System, are stored in the registry, meaning
the discovery agent cannot access them
unless the local user is logged on.
Ownership
Identify who the certificate owners are for a given certificate and the approval structure for the issuance and renewal. Billing and chargeback processes can also be associated for a certificate as part of this activity.
Validation
A CMS may have a feature that regularly checks certificates against certificate revocation lists (CRLs) and Online Certificate Status Protocol (OCSP) responders to recertify trust both inside and outside the context of a live interaction between servers, or between a browser and a server. In some cases, validation is a function of the client (such as a browser) but is not typically turned on for performance or other reasons.
Renewal/Provisioning
Some CMSs can support the automatic renewal of a certificate within a prescribed period prior to expiry. What is important to note is that the renewal process from most CAs or certificate issuers and PKI vendors typically favors their own brands, meaning that certificates slated for renewal will be renewed using only their own certificate authority.
Audit and Reporting
When a certificate is renewed, it is critically important to ensure that the new X.509 certificate itself was both installed and rendered active within the target system; otherwise the previous X.509 certificate can remain active even after a new certificate has been installed. Therefore, security leaders must verify the actual in-use certificates against those charged by a third party or an internal provider list. In addition, most X.509 certificate management tools provide some level of reporting, typically either in a web-based user interface, with the ability to export reports in a variety of formats (for example, CSV).
Benefits and Uses
Benefits
The benefit of X.509 certificate management technologies and tools can differ depending on the enabled use cases, volume, and velocity of digital certificates, and on the risk exposure and sensitivity of the organization. As security leaders enable use cases that require PKI, or X.509 certificates, such as mobile device authentication, website SSL/TLS, application-to-application and machine-to-machine (including IoT) security, comprehensive and intelligent X.509 certificate management will be required.
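The Audit and Reporting function described above needs two mechanical checks: confirming that a renewed certificate is actually the one a server presents, and reconciling the certificates in use against what the CAs issued or billed, which also surfaces paid-for certificates nobody is serving and served certificates nobody issued (the unknown or rogue certificates discussed under Risks). This added example, not Gartner’s or any vendor’s code, does both by comparing SHA-256 fingerprints; the byte strings standing in for DER-encoded certificates, the serial numbers and the host names are constructed for illustration.

```python
import hashlib


def fingerprint(der_bytes):
    """SHA-256 fingerprint of a DER-encoded certificate, the value a CMS
    uses to match a served certificate to an issued one."""
    return hashlib.sha256(der_bytes).hexdigest()


def renewal_took_effect(served_der, issued_der):
    """True only when the certificate the server presents is the newly issued
    one; False means the previous certificate is still being served."""
    return fingerprint(served_der) == fingerprint(issued_der)


def reconcile(in_use, issued):
    """Compare what discovery observed against what the CAs say they issued.

    in_use: {location: der_bytes} seen on live endpoints
    issued: {fingerprint: {"ca": ..., "serial": ...}} compiled from each CA's
            issuance or billing list
    Returns matched locations, locations serving a certificate no CA list
    accounts for, and issued serials that nothing is serving."""
    observed = {loc: fingerprint(der) for loc, der in in_use.items()}
    observed_fps = set(observed.values())
    return {
        "active": sorted(loc for loc, fp in observed.items() if fp in issued),
        "unknown_in_use": sorted(loc for loc, fp in observed.items()
                                 if fp not in issued),
        "issued_unused": sorted(issued[fp]["serial"] for fp in issued
                                if fp not in observed_fps),
    }


# Constructed stand-ins for DER blobs; in practice they come from
# SSLSocket.getpeercert(binary_form=True) on the live side and from the
# CA's download on the issued side.
OLD_WEB_CERT = b"DER:web01:serial=1001"
NEW_WEB_CERT = b"DER:web01:serial=1002"
MAIL_CERT = b"DER:mail01:serial=2001"
DEV_CERT = b"DER:dev-api:self-signed"

ISSUED = {
    fingerprint(OLD_WEB_CERT): {"ca": "Example Public CA", "serial": "1001"},
    fingerprint(NEW_WEB_CERT): {"ca": "Example Public CA", "serial": "1002"},
    fingerprint(MAIL_CERT): {"ca": "Example Public CA", "serial": "2001"},
}

# What the discovery sweep actually found: web01 still serves the OLD
# certificate after its "renewal", and dev-api runs one nobody issued.
IN_USE = {
    "web01:443": OLD_WEB_CERT,
    "mail01:465": MAIL_CERT,
    "dev-api:8443": DEV_CERT,
}


if __name__ == "__main__":
    print("renewal active on web01:",
          renewal_took_effect(IN_USE["web01:443"], NEW_WEB_CERT))
    print(reconcile(IN_USE, ISSUED))
```

Serial numbers are only unique per CA, which is why the reconciliation keys on the fingerprint of the whole certificate rather than on the serial; the serial is kept only for the report.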
Uses
Holistic Management of X.509 Certificates:
Enhancing Internal and External Enterprise
PKI Certificate Management
A number of organizations and security
teams use PKI systems to create an internal
certificate authority with the aim of enabling
a variety of internal use cases. Ultimately,
these CAs typically issue X.509 certificates
that are spread across systems, devices and
applications.
Most importantly, some of these CAs,
provide security leaders with the ability to
issue, renew and revoke digital certificates.
However, X.509 certificate visibility and
management is typically only with the
certificates issued by that particular CA.
As illustrated in Figure 1, each device
contains three certificates from three CAs.
In this case, security leaders would need
to undertake the tedious task of accessing
each CA in order to gain insight and control
over each certificate. As devices and
certificates grow and expand inside and
outside of the organization, the complexity
of managing these certificates increases
dramatically.
X.509 certificate management systems
and tools provide security leaders with the
ability to gain insight and control over a wide
variety of X.509 certificates that exist in their
organization. This also includes the ability
to locate and identify unknown or rogue
certificates (see the Risks section).
In addition to gaining insight and control
is the ability to enforce certificate policy.
Specifically, with a number of certificate
management systems, security leaders can
provide enforcement of certificate policy on
a wide variety of X.509 certificates. This is
critically important where there is concern for
unknown or rogue certificates (see the Risks
section).
Overall, security leaders can gain holistic
insight and management over a wide variety
of internal and external uses of digital
certificates when using X.509 certificate
management technologies and tools.
FIGURE 1
Example of a Simplified Enterprise Certificate Environment Highlighting Visibility and Management Silos
Source: Gartner (September 2016)
Optimizing Management of External SSL/TLS certificates
X.509 certificates used for external use cases typically require public trust, or rather they are purchased from SSL/TLS CAs or certificate providers.
When purchasing these certificates, organizations need to ensure that they are optimizing their purchases. For some enterprises, managing certificates may also have to be done across a number of different certificate providers or CAs. Security leaders need to ensure that they are aware of and are managing some critical aspects such as:
• Certificate Authority: What certificate authority issued the certificate (for example, Comodo, Let’s Encrypt or Symantec)?
• Certificate Owners: Who acquired or purchased the certificate? What is the use of the certificate (that is, what website/application/service)?
• Certificate Validity and Expiration Date: What is the validity period, and when does the certificate expire?
• Security Vulnerabilities and Compliance: Are there known vulnerabilities with the certificate provider? Are the cryptographic primitives still in compliance? Does the certificate meet enterprise certificate policy? Is this a rogue certificate (see the Risks section)?
While much of the above can be managed with manual methods, such as using spreadsheets (see the Risks section), security leaders can optimize their approach to X.509 external certificate management with the use of a CMS. This can include reducing time spent on the management of digital certificates, as well as direct cost savings by way of optimizing SSL/TLS purchases (that is, by eliminating unused certificates). Overall, if security leaders have several hundred certificates issued from multiple CAs, the use of CMSs and tools is highly advised.
Expanding Uses of PKI and X.509 Certificates
Mobility
As organizations continue to expand their use of mobile devices, whether corporate issued or bring your own device (BYOD), device identity remains critical. While a number of technologies exist, provisioning X.509 certificates to mobile devices can provide security leaders with a strong and simple way to provide device identity and authentication. Furthermore, with X.509 certificates deployed on mobile devices, security leaders can enhance use cases such as Wi-Fi, VPN and secure email (Secure/Multipurpose Internet Mail Extensions [S/MIME]; see Note 2).
All of these use cases not only add to
enterprise certificate volumes, but also
increase the dependency on X.509
certificates and PKI as well. Therefore,
as security leaders consider X.509
certificate-based methods to secure and
identify their mobile devices, they must
ensure holistic and comprehensive full
life cycle management of their X.509
certificates. Additionally, if multiple CAs are
considered, then the complexity of certificate
management increases dramatically. In this
case, Gartner advises that clients assess the
benefits of X.509 certificate management
systems and tools.
Certificates and IoT Security
Of the many aspects that need to be
considered as organizations embark on IoT
initiatives, security leaders must ensure that
they account for identity and authentication
of IoT devices. While there are a number of
methods that provide device identity and
authentication, PKI and X.509 certificates
(among other certificate types), are poised to
play a critical role.
Ultimately, there are many details that will
need to be accounted for; one of the most
important will be scale. Manual identification
and tracking processes will not scale, and
therefore will not suffice in the realm of
IoT. Security leaders, when considering
certificate-based identity and authentication
methods for IoT, should seek out solutions
with embedded or interoperable certificate
management systems.
While this is a new and emerging area,
some security leaders may choose to deploy
purpose-built IoT platforms with tightly
integrated PKI systems that come with built-in certificate management. These systems
may be separate from corporate or internal
PKI systems, and therefore may not fall
under enterprise certificate management.
Alternatively, for organizations that desire
to leverage and extend their current PKI
platform, certificate management systems,
tools and techniques will most certainly
be required to enable certificate-based IoT
initiatives and strategies.
Risks
As security leaders and their organizations
rely on X.509 certificates to enable a wide
variety of critical business applications,
holistic management quickly becomes a
requirement. Poor management of X.509
certificates can cause significant negative
business impact, from system downtime
and increased incident response costs,
to possibly lost business and/or brand
damage. Security leaders need to be
aware of key areas of risk related to X.509
certificate management, such as:
System Downtime Due to Certificate
Expiries
Gartner clients continue to cite X.509
certificate expiries as being a leading
concern with respect to management of
certificates. Specifically, security leaders
are mainly concerned with web browser
warnings, notifying consumers or website
users that the website may not be secure
due to an expired or out of compliance
certificate. This typically causes users to
escalate the issue to support, or to abandon
web transactions with the site altogether.
Management of X.509 Certificate
Vulnerabilities and Compliance
Due to the changing threat landscape,
security technologies are constantly
evolving. Attackers leverage ever-increasing
computing power, so cryptography
techniques, hashing algorithms and
key lengths all need to be enhanced.
This requires that certificates be updated
periodically (see Note 3).
Certificate Authority Compromises and
Incident Response
Whether an internal CA or a publicly trusted
CA is compromised, digital certificates
can be created without permission or
supervision (for example, in the case of
DigiNotar, a fraudulent wildcard certificate
was issued for the Google domain *.google.com).1 Overall, malicious actors use these
fraudulent certificates to potentially enable
trust on phishing sites and/or digitally
sign malware. Security leaders should be
aware that CA compromises can occur,
and an incident response plan should be
in place. Specifically, security leaders need
to ensure that they have plans to deal with
compromised CAs.
Unfortunately, many organizations
scramble to remove a trusted root when
a compromise takes place. Organizations
need to understand their internal process
for removing a trusted certificate or root from
browsers and applications. While browsers
are relatively easy to fix by waiting for the
browser patch with the removed/deleted/
revoked root, applications typically involve
more work and, thus, more planning.
One of the first steps in identifying
compromised certificates is to identify all
certificates and evaluate each relying server
for certificate validity. Overall, X.509 certificate
management technologies and tools can
help security leaders reduce complexity and
time when responding to CA compromises.
Rogue and Unknown Certificates
Another challenge that security leaders
must account for is gaining insight and
managing unknown and rogue certificates.
These certificates are typically generated by
an individual or groups in the organization
that acquire X.509 certificates without the
knowledge or support from IT or security
teams (this is an example of “shadow IT”).
A common example would be a developer
that requires an SSL certificate for a business
need, such as application testing. From this
perspective, making matters worse, with
free certificates from entities such as Let’s
Encrypt, developers, DevOps and other
internal consumers of digital certificates
have minimal barriers to overcome in order
to acquire certificates. Over time, these
certificates can create a raft of issues, from
system outages to released code/websites
with out-of-compliance certificates. All of
which are difficult to identify, track and trace
without comprehensive and active certificate
discovery and management.
Management by “Spreadsheet”
Organizations with roughly 200 or more
X.509 certificates in use that are using
manual processes typically need one full-time equivalent (FTE) to discover and manage
certificates within their organizations.2
A limited number of certificates can be
managed manually using a spreadsheet or
other basic tools, but many features, such
as discovery, will be missing. If this method
is chosen, specific individuals or roles need
to be assigned to manage certificates
on groups of machines, and to scheduling
reminders for certificate renewal before the
installed certificates expire. Gartner clients
should be advised that this method only
accounts for known certificates. This potentially
leaves security leaders with a number
of unknown certificates (such as rogue
certificates), exposing them to a number of
issues such as unexpected certificate expiries
and downtime. One vendor that provides
a CMS pointed out that it typically observes
clients that execute on a discovery process
seeing five to 10 times more certificates in the
environment than expected.
Security leaders should proceed with caution
if management by spreadsheet is used.
Gartner advises clients to conduct a periodic
evaluation of certificate usages, volume and
expected use-case expansion. If use cases
increase along with certificate volumes,
then security leaders will need to consider
leveraging a CMS (see the Recommendations
section) over spreadsheet-based methods.
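The Risks section above lists the checks a certificate inventory has to run continuously: expiry within a warning window, deprecated SHA-1 signatures (Note 3), weak keys, and certificates from issuers nobody approved (the rogue developer certificate). The following Go program, added here as an illustration and not part of the Gartner note, builds a small constructed inventory of self-issued certificates and applies exactly those checks; the hostnames, CA names, 30-day window and 2048-bit floor are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// AuditCertificate applies the expiry, SHA-1 sunset, key-size and approved-issuer checks to one
// certificate. approvedCAs is an assumed list of issuer CNs; an issuer missing from it is the "rogue" case.
func AuditCertificate(c *x509.Certificate, now time.Time, warnDays int, approvedCAs map[string]bool) []string {
	var issues []string
	remaining := c.NotAfter.Sub(now)
	switch {
	case remaining < 0:
		issues = append(issues, "expired")
	case remaining < time.Duration(warnDays)*24*time.Hour:
		issues = append(issues, fmt.Sprintf("expires in %d days", int(remaining.Hours()/24)))
	}
	if a := c.SignatureAlgorithm; a == x509.SHA1WithRSA || a == x509.DSAWithSHA1 || a == x509.ECDSAWithSHA1 {
		issues = append(issues, "deprecated signature algorithm: "+a.String())
	}
	if k, ok := c.PublicKey.(*rsa.PublicKey); ok && k.N.BitLen() < 2048 {
		issues = append(issues, fmt.Sprintf("weak RSA key: %d bits", k.N.BitLen()))
	}
	if !approvedCAs[c.Issuer.CommonName] {
		issues = append(issues, "issuer not on approved CA list: "+c.Issuer.CommonName)
	}
	return issues
}

// issue signs a constructed certificate for cn with a fresh RSA key of the given size; the parent
// template only contributes the issuer name issuerCN (this is demo data, not real CA output).
func issue(cn, issuerCN string, bits int, now, notAfter time.Time) *x509.Certificate {
	key, err := rsa.GenerateKey(rand.Reader, bits); if err != nil { panic(err) }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: notAfter}
	parent := &x509.Certificate{Subject: pkix.Name{CommonName: issuerCN}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, key)
	cert, perr := x509.ParseCertificate(der)
	if err != nil || perr != nil { panic(fmt.Sprint(err, perr)) }
	return cert
}

// BuildInventory returns three constructed certificates: healthy, expiring inside the warning
// window, and a developer's test certificate with a weak key from an unapproved issuer.
func BuildInventory(now time.Time) []*x509.Certificate {
	return []*x509.Certificate{
		issue("www.example.com", "Example Public CA", 2048, now, now.Add(365*24*time.Hour)),
		issue("api.example.com", "Example Public CA", 2048, now, now.Add(10*24*time.Hour)),
		issue("dev-test.example.com", "Dev Laptop CA", 1024, now, now.Add(90*24*time.Hour)),
	}
}

func main() {
	now, approved := time.Now(), map[string]bool{"Example Public CA": true}
	for _, c := range BuildInventory(now) {
		fmt.Printf("%-22s %v\n", c.Subject.CommonName, AuditCertificate(c, now, 30, approved))
	}
}
```

Run against certificates discovered on real hosts, the same audit function is what turns a spreadsheet of known certificates into the scheduled renewal reminders and policy checks the text describes.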
Recommendations
Below are some additional recommendations
for security leaders:
• Ensure that you understand at least
the known number of entities of X.509
certificates in your environment. If this
number exceeds 200, then CMS and other
tools should be implemented to mitigate a
variety of risks.
• Determine if the incumbent PKI or external
SSL/TLS certificate providers offer X.509
certificate management solutions or
tools. As a minimum, discovery tools
should be used to determine the scope
of the X.509 environment, covering both
known and unknown certificates that
exist in the environment (see Table 1 in the
Representative Vendors section).
• Implement automated certificate
discovery and renewal/management
tools, which work to minimize the risk of
unplanned expiry and ensure policies
are met. Manual or automatic certificate
management should be leveraged to
attribute accountability and ownership
of X.509 certificates within organizations.
Security leaders must recognize that not
all discovery solutions are perfect, and
therefore some certificates might remain
undiscovered.
• Consider full life cycle certificate
management tools over discovery-centric
tools when dealing with large, complex,
multivendor certificate environments
(see the Representative vendors section);
especially when dealing with multiple
certificate-based enterprise use cases,
such as mobile and IoT. As security leaders
formalize plans to add additional mission-critical use cases, formalized and more
holistic X.509 certificate management
will transition from a “nice to have” to a
“must.” As the dependency on X.509
certificates increases, so does the impact
of an operations or security incident.
Security leaders can increase operational
efficiency and security by using full life
cycle management tools for complex
environments.
• Ensure that X.509 certificate operations
and management align with the overall
cybersecurity incident response plan,
in order to better prepare for security
incidents that relate to deprecated
cryptographic algorithms and/or
certificate authority compromise. Ultimately,
this is to minimize the impact and
downtime in the event of a certificate
issuer compromise, critical vulnerability
exposure, suspected compromise or
attack.
Representative Providers
X.509 certificate management tools can be
segmented into two high-level categories:
• Discovery-Centric Tools: These tools
may be offered by your current SSL/
TLS provider. They are a great first step
for security leaders and organizations
that are new to certificate management.
These tools help to identify and locate
X.509 certificates. Reporting capabilities
can vary, but overall, security leaders can
gain valuable insight when compared to
manual/spreadsheet-based methods.
Some of these tools also provide the
ability to auto renew and/or notify
security leaders for manual renewals.
From a cost perspective, Gartner clients
state that these tools are typically much
less expensive when compared to full life
cycle management tools. Security leaders
should leverage these tools, especially
if they can get them for an attractive
price (or in some cases, bundled in with
certificate packages).
• Full Life Cycle Management Tools: These
tools are generally for organizations
and security leaders that deal with
large and/or complex X.509 certificate
environments. They can provide
advanced functionality, such as the ability
to manage certificates from multiple
certificate authorities or issuers, in
addition to support and integration into
other IT systems, such as load balancers,
enterprise mobility management (EMM)/
mobile device management (MDM)
and IoT devices, among others. From
a cost perspective, these solutions
typically require a much greater level of
investment over discovery-centric tools.
Security leaders should consider these
tools, when dealing with vast numbers
of certificates across complex mission-critical systems and environments (see
Table 1).
Acronym Key and Glossary Terms
SHA-1 – Secure Hash Algorithm 1
SHA-2 – Secure Hash Algorithm 2; seen as the successor to SHA-1
SHA-256 – A SHA-2 family member, specifically designated by its 256-bit hash value
SSL – Secure Sockets Layer
TLS – Transport Layer Security
VPN – Virtual Private Network
PKI – Public-Key Infrastructure
CA – Certificate Authority
Shadow IT – IT devices, software and services outside the ownership or control of the IT organizations (see “How CIOs Should Deal With Shadow IT”)
Table 1. Sample List of X.509 Certificate Representative Providers
Vendors | Full Certificate Life Cycle Management | Certificate Discovery | Multiple CA Full Life Cycle Support | Provides Public Trust Certificates and/or Enterprise PKI or PKI Tools | SSH Key Management Features
Amazon Web
Services (AWS)
a*
AppViewX
a
a
a
a — PKI Tools
a
CSS
a
a
a
a — PKI
a**
Comodo
a*
a
a — Certificates and PKI
Tools
DigiCert
a*
a
a — Certificates and PKI
Tools
Entrust Datacard
a*
a
a — Certificates and PKI
GlobalSign
a*
a
a — Certificates and PKI
Tools
SSH
Communications
Security
a**
a**
Symantec
a*
a
Venafi
a
a
a — Certificates
a**
a**
a
a — Certificates and PKI
a
a — PKI Tools
a
* Provides full life cycle management for certificates issued by vendor CA; specifically, only with its certificates. Most vendors here provide the ability to track and monitor other certificates but are typically limited when dealing with certificates from other CAs.
** Provides capability via partners and/or OEM relationships.
PKI Tools: Indicates that the vendor provides a variety of PKI enhancement tools, such as private CAs and/or other capabilities that enhance internal/external PKIs.
Source: Gartner (September 2016)
Evidence
1 “Fraudulent Digital Certificates Could Allow Spoofing.” Microsoft Security TechCenter. 29 August 2011.
2 Based on conversations with Gartner clients and vendors offering certificate management solutions, organizations constantly underestimate the work needed to track and manage certificates. When they dig in and actually start doing the work, they are surprised by the amount of time it takes. On average, clients tell us it takes three to six hours to generate a key pair on a server (depending on location and access); export the public key; get it certified with a certificate authority so it is now in an X.509 certificate format; install it; verify it is active; and then return it to live operation. Additionally, organizations report that they need to take into account the time required for manually tracking down assets that have certificates, as well as the general maintenance of this list. This process itself can result in a significant effort. According to clients and CMS providers, organizations typically have several people managing different pools of certificates. Larger organizations with many hundreds or thousands of certificates have been known to have 10 or more people performing this manual activity part time for different groups of servers. When downtime occurs, the number of FTE hours can go up dramatically — obviously to address the issue.
Source: Gartner Research Note G00308940, David Anthony Mahdi, 23 September 2016
Note 1. Transport Layer Security (TLS) Versus Secure Sockets Layer (SSL)
It is important to note that the industry uses SSL and TLS interchangeably, and while SSL has
been replaced with TLS, the industry generally uses SSL from a naming perspective. The Secure
Sockets Layer protocol was developed in 1994 as a security mechanism built into Netscape’s
Navigator browser. It is supported by virtually all browsers today. While the term “SSL” is
commonly used, the industry accepts that SSL is now succeeded by TLS 1.0 or greater. This
change was introduced due to security issues with SSL. Threats such as POODLE demonstrated
that SSL is vulnerable. Attackers can exploit the vulnerability by decrypting and extracting
information from inside a secured (encrypted) session. This nullifies one of the most common
security layers — communication channel security via SSL. TLS was chosen by the Internet
Engineering Task Force (IETF) as SSL’s successor. Therefore, when organizations purchase SSL
certificates today, they are based on TLS.
Note 2. X.509 Certificate Mobility Use Cases
With X.509 certificates deployed on mobile devices, security leaders can enhance use cases
such as Wi-Fi, VPN and secure email (S/MIME):
• Wi-Fi: Allows for secure and seamless connectivity without having to share a single username
and password. This can provide organizations with the ability to audit Wi-Fi access logs, and
pinpoint specific devices with a stronger notion of nonrepudiation. That is in contrast with a
basic username and password, and other potentially spoofable dynamic identifiers,
such as IP and Media Access Control (MAC) address.
• VPN: By leveraging mobile device certificates, users can seamlessly and strongly access
the corporate VPN with their mobile device. Similar to the Wi-Fi use case, by using an X.509
certificate, authentication security is enhanced over a basic username and password.
Additionally, it is also much more user friendly from a UX perspective when compared to
other authentication methods such as one-time password (OTP) soft or hard tokens.
• Secure Email (S/MIME): Email security, such as email encryption and digital signatures, on
mobile devices can also be enabled with the use of X.509 certificates (see “Market Guide for
Email Encryption”).
Note 3. SHA-1 to SHA-2 Migration
The industry, primarily browsers and certificate authorities, deemed that the issuance of SHA-1
based certificates be discontinued (see “Ballot 118 — SHA-1 Sunset [Passed]” from CA/Browser
Forum) because the SHA-1 hashing algorithm is weaker than previously thought. With ever-increasing computational power and techniques, the economics for attackers to compromise
a SHA-1-based certificate are much more achievable. Therefore, to reduce the risk to the
online community, the best practice is to migrate from SHA-1 to SHA-2-based certificates.
Google described its approach to the migration and sunsetting of SHA-1 in its online Security
Blog, “Gradually Sunsetting SHA-1,” published 5 September 2014.
About Comodo
Comodo is a global innovator of cybersecurity solutions, protecting
critical information across the digital landscape. Building on its
unique position as the world’s largest certificate authority, Comodo
authenticates, validates and secures networks and infrastructures
from individuals, to mid-sized companies, to the world’s largest
enterprises. Comodo provides complete end-to-end security solutions
across the boundary, internal network and endpoint with innovative
technologies solving the most advanced malware threats, both
known and unknown. With global headquarters in Clifton, New Jersey
and branch offices in Silicon Valley, Comodo has international offices
in China, India, the United Kingdom, throughout Europe, as well as
Central and East Asia.
Comodo and the Comodo brand are trademarks of the Comodo
Group Inc. or its affiliates in the U.S. and other countries. Other
names may be trademarks of their respective owners. The current
list of Comodo trademarks and patents is available at comodo.com/
repository.