Managing Digital Certificates

Certificate Management

Businesses are deploying an increasing number of digital certificates to secure communications between their applications, servers and devices. An organisation may have hundreds or possibly thousands of certificates installed on systems and devices throughout its global network. As the number of certificates grows, so does the complexity of keeping track of them all. Without a complete and detailed certificate inventory, an organisation cannot check that its certificates are within their validity period and in compliance with its policies.

Finding SSL Certificates

Red Kestrel have developed a certificate discovery product that scans networks for SSL certificates using IP ranges or lists of hostnames. The network is scanned for all types of SSL certificates, regardless of issuing CA, including SSL, SSL-EV and self-signed certificates. The product provides detailed information about the certificates found, either as an in-depth report or via the Red Kestrel Cert Centre product.

Tracking Certificates

Failing to replace expiring certificates can have very serious consequences for an organisation. For example, an outage due to an expired certificate on a mission-critical machine can result in a significant financial loss and possibly a loss of reputation. It is therefore important for the department managing certificates to be able to see which certificates are coming into their renewal period (e.g., 30, 60 or 90 days from expiry) so that they can be renewed and installed in a timely manner. The Red Kestrel tools can be used to help organisations keep an up-to-date inventory of their certificates and create lists of those that need renewing.

Find Expiring Certificates

Like passports, certificates are issued with a finite lifespan - typically one or two years. Once a certificate expires it can no longer be used and, as discussed earlier, this can lead to serious problems for an organisation. Checking for certificate expiration is therefore a critical task for any IT department. Red Kestrel has developed a product that monitors certificates, looking for those that are close to expiration or that have already expired. It notifies administrators about these certificates through email alerting and reporting. Certificate monitoring can be scheduled, or you can request certificate expiration monitoring on demand.

Locating Problem Certificates

In addition to certificate expiration, an organisation may have other issues with its deployed certificates. Using Red Kestrel products, an organisation can get in-depth reports that highlight many certificate issues, including:

  • Expired and Expiring Certificates
  • Certificates created with weak hashing algorithms
  • Certificates with keys that are shorter than the NIST recommended minimum
  • Certificates not issued by a trusted CA
  • Certificates that don't list the host within the certificate
  • Certificates using Debian weak keys
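
The renewal windows and most of the checks listed above can be run over an inventory once the certificate fields have been collected. The following is an added example, not Red Kestrel's code: the record field names, the weak-hash set, the key-size minimums (taken here as NIST SP 800-57's 2048-bit RSA and 224-bit EC), the trusted-issuer list and the sample records are all assumptions made for illustration. It does not cover the Debian weak-key check, which needs a list of known weak keys.

```python
from datetime import datetime, timezone

WEAK_HASHES = {"md2", "md5", "sha1"}        # assumption: hashes treated as weak
MIN_KEY_BITS = {"rsa": 2048, "ec": 224}     # assumption: NIST SP 800-57 minimums
TRUSTED_ISSUERS = {"Example Internal CA"}   # constructed; name match only, not chain validation
WINDOWS = (30, 60, 90)                      # renewal windows named on the page

def host_matches(host, names):
    """True if host equals a listed name or a '*.' entry covering one leftmost label."""
    host = host.lower().rstrip(".")
    parent = host.split(".", 1)[1] if "." in host else None
    return any(n == host or (n.startswith("*.") and n[2:] == parent)
               for n in (x.lower().rstrip(".") for x in names))

def audit(cert, now):
    """Return the findings for one inventory record (hypothetical field names)."""
    findings = []
    if cert["not_after"] <= now:
        findings.append("expired")
    else:
        days_left = (cert["not_after"] - now).days
        # Report only the tightest window the certificate falls into.
        findings += [f"expires-within-{w}d" for w in WINDOWS if days_left <= w][:1]
    if cert["sig_hash"].lower() in WEAK_HASHES:
        findings.append("weak-hash")
    if cert["key_bits"] < MIN_KEY_BITS[cert["key_type"]]:
        findings.append("short-key")
    if cert["issuer"] not in TRUSTED_ISSUERS:
        findings.append("untrusted-issuer")
    if not host_matches(cert["host"], cert["sans"]):
        findings.append("host-not-listed")
    return findings

def report(inventory, now):
    """Map each host to its findings, omitting clean certificates."""
    return {c["host"]: f for c in inventory if (f := audit(c, now))}

def _rec(host, sans, not_after, sig_hash, key_type, key_bits, issuer):
    return dict(host=host, sans=sans, not_after=not_after, sig_hash=sig_hash,
                key_type=key_type, key_bits=key_bits, issuer=issuer)

UTC = timezone.utc
NOW = datetime(2024, 1, 1, tzinfo=UTC)      # fixed so the result is reproducible
INVENTORY = [                               # constructed sample records
    _rec("www.example.test", ["*.example.test"], datetime(2024, 1, 21, tzinfo=UTC), "sha256", "rsa", 2048, "Example Internal CA"),
    _rec("legacy.example.test", ["old.example.test"], datetime(2023, 12, 1, tzinfo=UTC), "sha1", "rsa", 1024, "legacy.example.test"),
    _rec("api.example.test", ["api.example.test"], datetime(2024, 3, 15, tzinfo=UTC), "sha256", "ec", 256, "Example Internal CA"),
    _rec("db.example.test", ["db.example.test"], datetime(2025, 1, 1, tzinfo=UTC), "sha256", "rsa", 4096, "Example Internal CA"),
]
```

Calling report(INVENTORY, NOW) returns a dictionary keyed by host, which can feed a renewal list or an alert.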