PKI Spotlight updates help PKI admins catch CRL publishing errors

PKI Solutions announced its latest update of PKI Spotlight. PKI Spotlight is a PKI management solution that provides organizations with real-time monitoring and alerts of availabilities, configurations, and security of all their PKI and Hardware Security Module (HSM) environments. This is consolidated into an easy-to-use dashboard.

This latest release of PKI Spotlight introduces Certificate Revocation List (CRL) monitoring and pre-failure CRL error detection, Microsoft Network Device Enrollment Service (NDES) Is-Alive monitoring, and 38 Best Practice rules.

Most comprehensive CRL monitoring and Best Practice Enforcement

PKI Spotlight introduces CRL monitoring and Best Practice Enforcement rules with this release, addressing the most common causes of CRL errors and PKI outages. Expired CRLs are one of the most common causes of business wide outages. CRL issues can also lead to degradation in a company’s security posture because individual devices and products may fail “open” when encountering an expired CRL.

“Every customer I have worked with over the past 20 years has had multiple CRL problems per year. Allowing CRLs to expire will cause unintended and hard to trace security consequences,” said Mark B. Cooper, President, PKI Solutions. “Our new Best Practice check for CRL publish failures provides organizations with advance notice of an impending outage. We want to help PKI admins catch CRL publishing errors and resolve them before they create panic and cause sleepless nights for IT, Security and Business functions alike.”

The Best Practice Rules Engine automatically checks and alerts if CAs are configured to ignore revocation checking failures. This situation often goes undetected in most organizations as PKI admins need to know what exactly to look for in obscure CA configuration settings.

Monitoring and Best Practice Enforcements for Microsoft NDES role

With this release PKI Spotlight introduces Is Alive checks for Microsoft NDES. This functionality adds 7 scheduled and automated health checks on Microsoft NDES and associated IIS servers. One of the checks if NDES has access to cryptographic key store and if HSM protected NDES keys are accessible

The Best Practice Rules enforce checks for critical Microsoft NDES configurations, such as expired NDES encryption and signing certificates. The rules engine also checks so checks for static NDES and no password settings.

“One of the most fragile components I have worked with is NDES and a certain level of attention to detail is required in order to provide an enterprise-class service to certificate consumers. Maintaining NDES is not trivial and it is not the easiest service to troubleshoot. PKI Spotlight provides a consolidated view of everything you need to monitor and help maintain and troubleshoot NDES for any size deployment,” said Shawn Rabourn, CTO, PKI Solutions.

38 new best practice rules

“We continue to see organizations struggle with retaining and hiring enough PKI expertise to operate their environments. It seems that, on average, we observe most PKI admins remaining in their role for less than two years. In most organizations, PKI management is one of the many hats cybersecurity professionals wear,” said Cooper.

The latest 38 “Out of the Box” (OOTB) best practices are derived from PKI Solutions’ decades of experience in PKI. In addition to best practice enforcement for CRL and Microsoft NDES roles, this rule set covers CAs, CRLs, Web Enrollment Services, NDES, and OCSP configurations and proactive health checks.