Dispelling four myths about automating PKI certificate lifecycle management

The public key infrastructure (PKI) underpins the most effective strategy for securing communications between machines, network and mobile devices, virtual servers, and the IoT, whether inside or outside the firewall. As the volume of machines, devices and network endpoints soars, the management of associated digital certificates exceeds any efficient or reliable manual approaches to lifecycle management. This has led many organizations to move to automated solutions.

Those who have not yet transitioned to automated management may be waiting, as the saying goes, until “the pain of staying the same is greater than the pain of changing,” but this thinking is no longer valid with the advent of cloud-based solutions delivered as a service (also known as PKI-as-a-Service).

There are four primary myths about cloud-based PKI solutions and digital certificate lifecycle automation that have kept organizations from adopting such solutions. Eliminating the pain of manual digital certificate management requires dispelling these myths and learning how to maximize the benefits of today’s cloud-based solutions using PKI best practices.

Myth #1: It is easier to just install certificates manually than to install and configure the utilities required for PKI certificate automation.

There was a time when automating PKI certificate management required an intermediary command-and-control management platform that imposed additional cost, configuration, support, and point-of-failure risks. This is no longer the case. Today’s solutions use a Connector model for communicating with endpoints, making it much easier to add commercial certificate utilities such as Automatic Certificate Management Environment (ACME) clients to the lifecycle management platform. It also enables these utilities to be embedded into enterprise platforms such as Microsoft Intune using native APIs.

Myth #2: Different solutions are needed for private trust and public trust certificate authority management.

On the contrary, today’s offerings increasingly are available as a one-stop solution for automating the installation and renewal routines for many different types of certificates. Particularly valuable is the ability to manage both trusted SSL certificates and – for greater chain-of-trust control – customer-dedicated private Intermediate Certificate Authorities (ICAs) through a single cloud-based service with the option of both a web-browser-based portal for quick deployment and representational state transfer (REST) APIs for integrating certificate management with existing infrastructure. In addition to reducing cost and complexity, having this one pane of glass for managing all enterprise public or private trust digital certificates reduces the risk of certificate-related outages.

The solution’s automation capabilities should be robust enough to streamline certificate usage across channels and on a range of devices. It is also important that the solution cover the most comprehensive range of certificate services and administrative features possible for the given industry requirements and the network’s size and complexity. The alternative of patching together multiple solutions can lead to holes in security and logistical headaches.

Myth #3: The only way to outsource PKI automation is on a per-certificate basis, which makes management and budget planning difficult.

Both private and trusted certificate services can now be supported through a single cloud-based service. It is also important that this service be performed through a single, transparent subscription fee, otherwise users could be blindsided by the cost of certificates. If the provider charges on a certificate-by-certificate basis with no clear thresholds or limits, budgeting for a security solution could become a much tougher task than securing the network.

Myth #4: There is no security downside to continuing manual PKI certificate lifecycle management.

Not only is there a security downside to managing PKI certificate lifecycles manually, but it is extremely risky to do so. Using manual certificate renewal or certificate database management in today’s complex device and user ecosystem is especially dangerous, in part due to shortening of certificate validity.

The expiration date has an important benefit: it helps certificates remain secure. But it means they need to be renewed periodically. The scale and complexity of doing so today is much different than in the past when certificates secured a limited number of stationary devices, users and webpages connected through comparatively simple infrastructure. It used to be that certificates could be set up and forgotten for multiple years, and managed through homegrown, on-prem certificate lifecycle management solutions with a bit of occasional manual intervention from IT.

Today it is far too easy to miss a certificate renewal using dated and self-driven setups. The modern device and user ecosystem is simply too complex for IT departments to safely shoulder the burden of manual certificate renewal or database management. An expiration will inevitably occur and create security liabilities. Plus, the workflows associated with correcting the expiration, especially with system and service interdependencies in play, can be enormously complicated and time-consuming. If expiration goes on to cause an outage, every minute spent fixing the problem could result in millions of frustrated users and potential loss of business and diverting IT staff from mission-critical systems.

PKI automation

As organizations move to automated solutions they should look for “out-of-the-box” integration with existing network infrastructure components and automated provisioning using standard protocol(s). This can reduce the overall cost of implementing PKI automation by 75 percent. Implementing a solution with end-to-end PKI coverage within the organization will deliver the benefit of eliminating security gaps and the risk of expired certificates.

Organizations will also need to choose PKI automation solutions that can help them adapt to a new, hybrid workplace environment created during the global pandemic. As an example, organizations from businesses to universities purchased a massive volume of Chromebooks that they sent home with people so they could work and study remotely.

Now, they will be bringing these devices back into an environment that, increasingly, mixes many different devices and operating systems, from PCs to Macs and from Linux to Windows. They will need PKI automation solutions capable of issuing and managing the digital certificates for these devices that will be a prerequisite for seamlessly and securely connecting them to corporate and university networks, without passwords.

No organization is immune from the need to implement effective and reliable certificate lifecycle management software and policies. It is a critical function that is challenging to execute manually. Digital certificates provide powerful, PKI-based security to enable the creation of trusted device identities, but their strength and ease-of-use in today’s rapidly expanding device ecosystem comes with one caveat: they have an expiration date.

Making sure they are renewed can be a pain point for organizations that do not understand the benefits of digital certificate lifecycle management and how best to implement it. Organizations that leverage cloud-based PKI services with strong emphasis on automating Digital Certificate Lifecycle Management are better equipped to increase their information security posture.