PKI’s Role in Digital Certificates
Public key infrastructure (PKI) can be an overwhelming beast to manage. With tens to hundreds of thousands of keys and digital certificates in your environment, there is a never-ending battle to inventory them and ensure that best practices are followed. For this reason, most organizations choose to narrow their scope of certificate management and only focus on the certificates that have been manually generated. This belief ignores auto-enrolled certificates and somehow makes them less important.
To fully discuss the topic of why every digital identity within your environment needs to be handled with the same care, let us start with a basic definition for PKI:
A public key infrastructure (PKI) is a set of roles, policies, procedures, software, and hardware needed to create, manage, distribute, use, store & revoke digital certificates and manage public-key encryption.
By definition, a PKI includes processes for managing the entire certificate lifecycle from enrollment through revocation. This process is critical for every certificate issued by your PKI.
While many organizations have the enrollment automated through group policy and auto-enrollment, very few can actually manage the entire process.
To make matters worse, PKI management requires a very specific skill set that can be a hard position for organizations to fill. This can also lead to people taking on the role that may not be adequately trained to do so. Lack of skills and understanding can lead to inadvertent mis-configurations that can lead to critical issues with performance and security.
Manage Every Digital Certificate
Throughout an enterprise organization, certificates enable additional security processes to better secure the environment. For this reason, digital certificates are a common target for people with criminal and malicious intent. These certificates give them an increased level of access across the environment, or even the capability to impersonate another user. One of the most common types of certificates for this type of attack are the user or machine certificates that are automatically issued to the devices on your network.
These certificates exist all over your organization, typically tens of thousands of them in most large organizations. They probably exist in nearly every system in the environment. For this reason, they are always at risk because of the very wide footprint.
A single virus-infected workstation could result in the loss of one or more certificates. Once compromised, these certificates could allow access to critical functions within the organization, including:
- Wifi Access
- VPN Access
- Authentication for Network Access Control systems
- Multi-factor authentication for single sign-on applications such as Office 365 or ServiceNow
- Email signing or encryption
It is common for PKI admins to confuse auto-enrollment with automatic management. Many times, there is an assumption that since the certificates are deployed automatically to the user or machine, management is no longer required.
However, this is not reality. Enrollment is only one piece of the certificate lifecycle process. As part of a well-run PKI operation, every certificate should be managed all the time. This includes all aspects of the certificate lifecycle, including inventory and reporting, all the way through revocation of certificates when they are no longer needed, or potentially compromised.
Within a PKI environment, it is necessary to continuously inventory and monitor the issuance of all certificates in your environment. Several things need to be monitored in the environment to ensure that issuance within your environment is secure and optimized.
Here are some helpful questions:
1. Are we issuing the right number of certificates?
You should always know how many certificates are being issued within your environment. If you typically issue 1,000 certificates per day, and suddenly you have 10,000 certificates issued in a day, you should quickly be aware of this situation, and resolve it. Changes to this number could indicate compromise or an unhealthy PKI environment.
2. Are certificates being issued to the appropriate locations?
Knowing where your certificates exist can help you better secure them and identify potential policy violations or security risks. PKI admins must always ensure that certificates are used for the purpose for which they are intended.
3. Do the certificates have the appropriate capabilities?
Every certificate has specific key usage definitions. A misconfigured certificate template (either intentional or malicious) can result in a large-scale risk to the organization. For example, if someone were to enable code signing on your auto-enrolled user certificate, they could deploy thousands of code signing certificates within your environment.
The Risks of Unmanaged Certificates
It’s easy to ignore potential issues if they do not see an immediate problem. “We have not seen any issues, so we are probably OK.” Unfortunately, with certificate management, that may not be the case.
Just because you don’t see issues, it doesn’t mean they aren’t there. Some issues can go unnoticed, or even get worse over time. Having the tools to manage and detect these issues is critical to maintaining a healthy PKI environment.
Below are some real-world examples of incidents to illustrate the importance of managing every certificate in your environment.
Keeping Pace with Crypto-Agility
As certificate standards change, there is a constant need to audit your issued certificates and identify certificates that are still in use that may be using outdated standards. This requires you to report on all your certificates in order to fully understand the scope of your project or the issues that need to be resolved.
Recent changes such as SHA-1 to SHA-2 or moving from 1024-bit certificates to 2048-bit certificates will require you to inventory all of the certificates that have been issued in your environment.
For example, the possibility exists that someone may have issued 1024-bit certificates previously that are still within their validity period in your environment, even if the template is currently set to 2048-bits. You will need to have an inventory of these certificates so that you can address all of them.
Having the ability to quickly re-issue and replace certificates in bulk can also help your security response time. When vulnerabilities are identified, you must be able to quickly inventory the certificates at risk, inventory their locations, and notify the owners. The ability to automate their replacement can help you quickly remediate the risk.
Small Misconfigurations Cause Critical Issues
Regardless of certificate volume in your PKI environment, a small misconfiguration can quickly lead to large-scale issues. It is important to monitor certificate issuance and usage policies so that you can quickly identify issues. It is also important to have an efficient monitoring tool in place so that you can resolve issues quickly if they do arise.
A PKI admin set the certificate lifetime of the auto-enrolled user certificates to seven years. These certificates were issued to over 5,000 machines before it was changed. It was then necessary to locate all those long-lifetime certificates in order to remove them from the environment. Being able to quickly search and revoke these certificates from a single console would have greatly decreased the amount of time needed to recover from this situation.
An inexperienced PKI admin decided to update the auto-enrollment certificates to allow “Export Private Keys”. After it was discovered that every certificate had exportable keys, all the certificates had to be revoked and re-issued for the entire enterprise environment.
A development team submitted a request to the security administration team to allow them to sign code as a part of their development effort. Rather than creating a new template specifically for code-signing certificates, the administrator decided that it would be best to add code-signing capabilities to the default user certificate template. He then renewed and reissued all of the user certificates in the environment with code-signing capabilities.
A domain admin in an enterprise environment wanted to auto-enroll all of the domain controllers with a certificate. He created the template and enabled auto-enrollment in the group policy. Unfortunately, he set the auto-enroll permissions to allow “Domain Computers” instead of “Domain Controllers”. It deployed over 14,000 domain controller certificates to these devices in the environment prior to the error being discovered.
The Rogue Admin
Although many companies refuse to think that it can happen to them, rogue admins can be an issue in any environment. While at times they perform malicious behavior, they typically perform rogue functions unintentionally. Either way, these rogue actions lead to disastrous consequences.
A desktop admin brought two of his personal laptops into the office and joined them to the domain so that they would get auto-enrolled certificates. He then configured his VPN on demand to connect from all of his machines. He was then able to “work” from any machine.
This opened the enterprise up to greater risk due to having non-managed external machines connected to the corporate network, and by having identity certificates on a non-managed machine. When a user is terminated, it is important to have an accurate inventory of every certificate that has been issued to them so that they can all be revoked quickly if necessary.
An over-privileged server admin thought that it would be funny to send an email to his co-worker appearing to be from the CEO. He changed the user certificate template so that the name would be “Supplied in the Request” and made the private key exportable. This allowed the admin to generate a certificate on behalf of the CEO’s name to spoof and sign an email as the CEO.
Not only was he able to generate the certificate for the CEO (which is a big security issue), he also forgot to change the template back when he was done.
This resulted in breaking auto-enrollment for every user who needed to have a certificate renewed in the organization. Being able to monitor your entire environment for certificate issuance related to key executives within the organization can be a critical piece of your security infrastructure.
The most complete and scalable solution for end-to-end PKI and certificate lifecycle automation.
We’ve have touched on many scenarios that could happen in any organization. Some of them are PKI Infrastructure shortcomings; others are just due to inexperience and lack of knowledge on PKI management.
Proper management of all the certificates in enterprise PKI environments requires the proper toolset and resources in place to efficiently identify and remediate these risks quickly and efficiently.
Keyfactor Command: Cloud-Hosted PKI as-a-Service
Keyfactor Command is the only solution that delivers integrated certificate life-cycle automation and PKI as-a-Service into a single cloud-hosted platform.
The platform enables enterprise IT to discover, monitor, and automate the life-cycle of keys and certificates across their environment while eliminating the need to manage and run their PKI in-house. Extensive integrations with public and private CAs, network and cloud infrastructure, and security platforms enable you to extend automation and protection across your entire environment.
Keyfactor Command runs in a dedicated cloud-hosted environment. This environment is hosted and managed by Keyfactor with stringent security controls, including multi-part authentication, FIPS 140-2 Level 2 HSMs, a dedicated firewall, and robust backup and fail-over.
Proven in environments with more than 500M certificates, the platform enables you to easily scale PKI operations as your business demands grow while retaining complete governance and control.
- Prevent costly certificate-related network and application outages
- Enforce consistent security policies and prevent the risk of key and certificate misuse
- Maximize crypto-agility to respond and remediate security incidents quickly
- Save time and prevent errors for the network, infrastructure, and application teams that routinely request certificates
- Reduce costs and complexity by eliminating the need for HSMs, hardware, software, and specialized PKI training in-house
- Free up IT staff from resource-draining PKI maintenance task
A Powerful Combination
Get all the benefits of private PKI, without the operational complexity and cost of managing the software and hardware required to run it. You maintain control over day-to-day decisions while offloading backend tasks to our PKI experts.
Certificate Lifecycle Automation
Discover, manage, and automate the entire lifecycle of keys and digital certificates across your private and publicly rooted PKI to effectively prevent certificate-related outages and breaches.