Certificate Lifecycle Management

A BEST PRACTICES GUIDE FOR BETTER

SECURITY AND COMPLIANCE

15 best practices to
avoid downtime, protect your brand,
maintain compliance, and
avoid data breaches.
Certificate Lifecycle Management Best Practices Guide

Why Implementing Certificate Management Best Practices Is a Must

Following industry-accepted best practices for certificate lifecycle management
can help your organization avoid downtime, breaches, and other incidents.
What do Azure Active Directory, Ericsson, Equifax, LinkedIn, Microsoft, and many other major companies have in common?
They’ve all experienced certificate-related outages in the past few years. Research from Keyfactor and Ponemon Institute shows
that 81% (four in five) of surveyed organizations have experienced two or more outages due to certificate expirations in the
previous two years.

Whether it’s SSL/TLS, email signing, code signing, client, device, or IoT certificates, digital certificates are the bedrock of trust
for your organization in the digital age. Mismanaging certificates (and, therefore, mismanaging your organization’s digital trust)
can lead to catastrophic consequences. The purpose of this guide is to help you implement certificate management industry best
practices to avoid similar issues for your organization.

Massive Outages Angry Customers

When certificates expire, websites break,
applications go down, and business lurches to
& Partners
In business, trust is currency. Your customers, your
a halt. And these issues don’t only affect your
partners – they trust you to be open, easily identified,
business — anyone relying on your organization
with your services available. When that doesn’t
will experience outages and downtime, too. For
happen, your brand and reputation can suffer long-
example, Microsoft experienced a certificate
lasting damage. Over a year after the Ericsson security
expiration issue in 2020 that prevented Microsoft
certificate incident that affected 32 million users
365 users globally from accessing the Microsoft
globally, their customers were still angry. In fact, one of
Teams communication app for several hours
their partners was reportedly seeking up to £100 million
during the day.
from Ericsson as compensation for the downtime.

Regulatory Penalties & Critical & Costly

Non-Compliance Fines Data Breaches
Encryption and authentication are critical Certificate expiration is more than just an HTTP
components of compliance and regulatory browser warning. It can open the doors for far
frameworks. So, too, are digital certificates and greater attacks and devastating data breaches. The
keys. Ponemon Institute & Keyfactor report that Equifax data breach wasn’t detected for 76 days
undocumented, unenforced & insufficient key because an expired certificate knocked out traffic
management policies and practices cost an inspection. With last reported costs surpassing $1.7
average of $13.4 million per year due to failed billion in 2020, the credit bureau is still reeling more
audits and compliance issues. than five years later.
 Forecasted Compound Annual Growth Rate (CAGR)
THROUGH 2027

6.7%
Domain Registration

15.5%

Web Hosting

21%

SSL

Source: ResearchandMarkets.com

How Many Certificates Does the Average Organization Use? So Many…

Imagine if certificates
attended sports games…
If each seat in the world’s
largest stadium (Narendra
Modi Stadium) represented
one digital certificate, that’s
Companies and Organizations Globally Are
still less than half as many Managing More Certificates Than Ever
certificates as the average
How many certificates does the average organization use? A lot. Keyfactor and the Ponemon
organization uses. Institute report that 46% of organizations have between 50,000 and one million internally
trusted digital certificates in use. Another 8% report having more than one million such
certificates within their IT environments.

These are astonishing numbers, particularly when you consider the average number of
internally trusted certificates survey respondents reported having was 267,620. Imagine if
certificates attended sports games. It means that if each certificate took up a seat, it would
require more than double the seating capacity of Narendra Modi Stadium, which is the
world’s largest cricket stadium (located in Ahmedabad, India). This number is in addition to
the average of 1,942 publicly trusted certificates they report having. And each one of those
certificates represents a security risk opportunity for your organization.

Let’s look at it from another way. Companies have an average number of certificates that
falls within the population ranges of several small countries, including French Polynesia
Image Credit
Lucifer Danglinton (284,999). And 17% of surveyed organizations indicate that they have more privately and
The Narendra Modi Stadium publicly trusted certificates in their IT environments than the populations of Maldives
Creative Commons Source
(565,272) and Djibouti (1.025 million).
15 Certificate Management Best Practices

1 Create a Certificate Management Operations Policy

Set parameters. Specify who is authorized to do various tasks, what you want deployed, and how things should be escalated.
Keep it simple, though — a one-pager should work. Just ensure the document covers:

How digital certificates are used within your organization

The individuals and/or roles involved in certificate management
The permissions each individual or role has
Your primary and backup CAs (using 1-2 CAs makes management simpler; we recommend
enforcing your selections with a CAA record)
The specific certificates used for each use case, including:
Validation level
Certificate coverage – we recommend using single name certificates to minimize risk

2 Dump Manual Methods and Centralize Your Certificate Management

Small organizations like to manually manage certificates using spreadsheets and other individual tools. But wrangling
resources, tools, and people from across your organization is inefficient and can lead to a lot of headaches as your
organization grows. Manual certificate management just doesn’t work at scale.

Unless you’re a security organization that’s technically mature and sophisticated, spinning up a proprietary management
solution isn’t ideal, either. This is why many companies opt to use a third-party centralized certificate lifecycle management
(CLM) solution.

Using a centralized CLM tool gives you complete visibility of your certificate management lifecycle and IT environment. This
way, you know

what certificates exist on your network,

where they’re located,
what they’re used for,
who’s responsible for maintaining them, and
when they’re set to expire.

You can simplify the certificate generation

process by preconfiguring your mandatory
and optional certificate fields and values
using DigiCert's Software Trust Manager
Templates tool.
34 Scan Your Network Frequently for Unknown Certificates
Shadow certificates are ticking timebombs that are ready to blow your defenses wide open at any moment. These digital
certificates, acquired outside your standard procedures, cause countless unplanned expirations and cost millions of dollars
each year. The good news, though, is that they’re easily preventable:

Run discovery scans (internally and externally) on your network to ensure shadow
shadow certificates don’t escape your oversight.
Monitor CT logs for your domains via API and set email notifications to ensure no certificates
slip through the cracks.
When you find a shadow certificate, talk with the requestor to educate them on the proper
procedures to use in the future.

You’re going to find shadow certificates eventually. Scanning frequently (ideally, weekly) ensures you don’t find them
too late.

4 Set and Manage Granular Permissions

The principle of least privilege applies to certificate management, too! Assign permissions for users (request, approve, and
revoke), giving them only the permissions they need. This is where the Operations Policy you created in step one comes
in handy. Everything should already be documented there. You can assign highly granular permissions (by user, role,
department, company, branch, etc.) quickly and easily from within your certificate management platform.

With great power comes great responsibility. Ensure that you have the right people in place to take these critical functions
and give them — and only them — access to do them.

5 Create Approval and Escalation Workflows

Because you’re limiting employee permissions, requests for issuances, renewals and revocations will need to be routed to
the right parties. To ensure there’s no bottlenecking — should, say, an employee be absent or leave the company — there
needs to be an escalation path, too.

Start with the lowest-level employee with permissions to fulfill the request. Escalate over the next few hours, days, or weeks
to ensure that things are dealt with in a timely manner. This is especially critical for renewals, to ensure there’s no margin
for downtime due to an expired certificate.
6 Issue All Certificates From a Fully Managed PKI
(Avoid Self-Signed Certificates)
For some organizations, the simplest, most secure option is to always use certificates issued by a publicly trusted certificate
authority, even within your private network. This gives you the certificates you need, issued from a fully audited CA with minimal
management workload.

Whatever you do, never use self-signed certificates. If your company has a use case that requires issuing your own certificates
(for example, a non-existent domain), be sure that you’re issuing certificates from a fully managed private CA that offers:
Certificate logging
Certificate revocation list (CRL)
Issuance policies and auditing
Vulnerability testing

7 Assert Your Digital Identity (Use OV or EV Certificates)

Organization and extended validation certificates give you greater control over who issues certificates for your properties.
Furthermore, they make your website look more professional than a basic domain validation certificate because they bring
your verified digital identity to the forefront.. It’s a win-win for organizations and customers alike as far as we’re concerned.

But there are staunch free DV SSL/TLS certificate lovers in the industry. And we get it — who doesn’t like free stuff? What we
also must point out, however, is that they’re also the go-to tools for cybercriminals. PhishLabs reports that 94.5% of domain
phishing attacks used DV SSL/TLS certificates.

Let’s put it another way: Encryption = secure but encryption ≠ safe. It’s only safe if it’s secure, the message integrity is
protected, and you know who’s on the other end of the connection to receive your data.

Bad guys can use these free certificates on their phishing websites to make them look more legitimate. (PhishLabs reports
that nearly 83% of phishing attacks use HTTPS.) But without a way to check your website’s authenticity with verifiable digital
identity, then visitors may not be able to distinguish your website from the imposter’s. That’s bad news for you and your
customers and great news for bad guys everywhere.

8 Streamline Validation to Issue All Certificates Instantly

Virtually everyone knows you can automate DV issuance. Did you know you can automate business authentication, too?
Whether you want to automate Organization or Extended Validation, the right certificate management solution enables you to
validate with your CA(s) of choice once and then not have to do it again for the next 12 months.

When you don’t have to wait two to three days for validation, certificate issuance becomes instant!
9 Automate the Entire Issuance Process
While automatic certificate validation is great, it’s not the only automation you can put to use when it comes to certificate
management. You also can automate other crucial steps in the certificate issuance process:

Generating key pairs

Creating and submitting code signing requests (CSRs)
Collecting your certificates for installation

You can save time by automating these processes via an integration — for example, a pre-built server agent, API, Active Di-
rectory integration, the ACME protocol, and/or a key management tool, etc. But the fun doesn’t end there, though. You can
use automation in other ways as well…

10 Automate Certificate Installations

Don’t want to be bogged down with the manual process of installing certificates? Don’t worry. Some integrations (server agent,
API, Active Directory/Microsoft CA, ACME protocol, etc.) enable you to set it and forget it, thereby eliminating this burden alto-
gether.

Although the specifics vary from one platform to the next, the concept is the same: install a client on your server and/or endpoint
that will handle everything regarding the installation and configuration of your digital certificates.

11 Automate All Renewals

Once again, regardless of what mechanism you’re using to achieve Zero-Touch capabilities (API, Active Directory, ACME, etc.),
you’ll be able to automate the renewal cycle, too. Simply configure your management platform to renew (and even rotate keys)
at set intervals and it takes care of everything else in the background.

This is particularly important when you consider the shifting landscape around SSL/TLS certificate validity periods. In the
past few years, we’ve seen moves to shorten the certificate validity lifecycle. They’ve gone from just over to two years (825
days) to just over a year (398 days). The shorter the periods become, the harder it will be to manage all of your certificates
manually. If even one certificate accidentally falls between the cracks and expires, your organization will be in for a world of
hurt.

12 Set Up the Right Notifications

As a minimum, two parties should be notified for every certificate expiration at least 30 days in advance. Why at least two?
Because you’ll have a higher chance of taking care of a certificate before it expires, regardless of whether people are on
vacation or leave the company. Simply put, even while using automation, having multiple people notified serves as a safeguard
in case anything fails.

If you’re renewing 30 days before expiration, set a notification for 15 days prior. If you get the notification, it means that
something went wrong and you still have two weeks left to address the issue. Renewals aren’t the only reason to set
notifications — you should also set notifications for pending requests, revocations, reissuances, etc.
13 Generate and Review Reports Regularly
Compliance isn’t fun, regardless of your industry. It’s a time-consuming, taxing, and burdensome process that has to be
done. But there is good news: having the right certificate management platform can help you ease this burden, too.

Some certificate management platforms generate comprehensive reports that help you to stay abreast of the following:

Upcoming expirations Pending requests

Summarized data on all active certificates Discovered vulnerabilities and shadow certificates
Expired certificates

14 Store Your Certificate Keys Securely

PKI certificate keys are like precious jewels: you don’t want to leave them laying around where just anyone can find them.
Your private keys are the secret element that enables your certificates to do what they do. If someone gets hold of even
just one of those keys, it’s game over for your compliance and reputation.

When possible, protect your keys by storing them in a secure cryptographic solution such as a key vault or a hardware
security module (HSM). For example, an HSM is an appliance that serves as an isolated, secure place to store keys while
enabling their usage. This way, authorized users can still use the keys as needed without risking their exposure through
direct access. To meet new industry standards, all code signing certificates and keys must be securely generated and
stored on FIPS 140-2 Level 2, Common Criteria EAL 4+ or equivalent compliant physical cryptographic devices or cloud-
based cryptographic storage solutions.

Carefully review your processes and systems to avoid inadvertent disclosure of your private keys. Here are a few ways keys
are accidentally disclosed:

Committing keys into a GitHub or other code repository

Storing keys on a PC that’s not fully secured

Copying/pasting keys into emails (either internally or with a vendor)
Storing keys in a directory accessible from the web root

15 Scan for Vulnerabilities

Certificates and TLS implementations can have vulnerabilities, too. That’s why a critical part of certificate management is
vulnerability scanning. There are many certificate-related vulnerabilities that enterprise security teams need to stay on top
of, such as SHA-1 hashing algorithm, 1024-bit key size, and outdated protocols like SSLv3. Schedule regular vulnerability
scans and ensure notifications are sent to at least two parties for identified issues.
How to Choose the Right Tool to Make Certificate Management Painless
Keyfactor and Ponemon Institute report that 70% of survey respondents in 2022 indicated that managing the growing number of
digital certificates and keys is becoming increasingly burdensome. Looking for a way to simplify managing your PKI but aren’t
sure where to begin? No worries. We’ve got you covered.

The Best Certificate Management Platforms In One Handy Guide

ficate lance o Find

nt e ent
gemenlaagnecm
Mana -Aa-G
i
G u i de ecifica
tions,

t
s
icing, sp ll with one
icaCteertificnasteAtM
r
’ KI
iled pr

e
ca

r
if e deta a free Meet

afincdatCe reanAct-eA-eGnt Solutionresmt ents

e r t for mor ? Schedule sin ation.

e
C I& o y .
PKI & PK | Soluti
ad e fo rm
Re info tabitiasved

y
oduct tions.

P
refoser nun to many solu
I
and pr expep

u e
rts

K
t re

r
r PK s
I
men
P h saonlece, get ac cess.

i
Bp a
es.ofitou

w-aGlelManagem ique Requi

ce

parde Cenrtt Sotf-tA

e tativgs w -Glan

KCoI m
g
ana n tin A ltation
repnre t smeee ns At- e Consu
te M olutio
o m dleifsfere Schedul

P
ica ndith15sa cee.nt S

PKI
& C ertif C I aagnemtw e arfiecatAe Lifecyacnization’s Un rskeofho resur
rc
of
esa ngs
eeti Cs.
h aw
ifoicnasteA
M
t- Aa n
- a
G genm
la

K
t ta ertti
oukeldhn’ou rent m:en
P n
re MapatreSPoKIf& Caetcrthes Your Org
i PKInso
lu tionsn’t shta
hould nitdh u1sa deifsefere
5 frle
e PmK
guprides
taInti&tveSolu
ge guide:
e

a
ri ng s s w r a n a
tio sh itah o
p
pa ee
ely comPKI soluent mee tiang
srcw M
ateh our fr
mn
Com gem
Accuratparing 15 recses tifsicwit
Coe
differ gopf ro eres
com and ion-mhaokuin rs -makinKgI &prCoc e.
at M ratelysearch decista kedecisionuide: P olutions At-
A-Glanc
ne Th
i
Venaf
Accu re yourlin
-
en’tyo ur S crypto

a
g
ement
the O
e ag er in
ould
mlinetream frean
n ur M Pione certificate I
Strea tioSns sh erwtiitfihcaote

Ma
a fi Factor to- , PK
e
V Kn ey ry p & ag ty ement, &
ili
s o lu PKI c&eCs s e r inrcof PaKteI ices ag
PKI pro e de rtific y servI
PioPnrovi ceecuritt, & PKe 2001.
man
ons.
ring king iew X
p a a A ppaV c to r er in a gcy
y, rs
ilitbe e ns sinc soluti
m n-m F ov&id m
e tion
ly co cisio ine
Key erging PprKI tyic&esPKI- m&
Emider ofto agsili
ansoaglu
s.
urate your de eEng erv 01. tion
Acc ne Manag Zoho Prothve creyp urity sp
rs cervisce ceac20e. solu
amli wXform by er einrange cyas
ieat be-a -Stion sin
S tr e A p p
ITVpl v
a id
w id KI- o lu
go ofgfeprsro &tiPons. & s
itylu
Secti thatrgin arageilso
eset
rgin ate Eme so pto
ft w ace.
Sec ongdela Eng certific o e cry ice sp
of
ert icate M amnam ercial by se Zodh onnge th -a-Serv
DigiC ce rt if co rm
oy, fo cu e ra a s
m m ercial d on au
IT plaortfit rs a widINtiG
th o n s.
#1 co y, focuse offe RIColu
thtiorgoit OaBtN. & Pare s
SthM
au
Sec erprise.rgeIC st INFO RMATIof softw
ate
Ent ondBlaAS certific RICIN
G
Sec ercial ns e d
at oNn- AND P
-a
te m lufo tiousATI
cM O
ifica com riSo tyF, OR
ia l cert and BaA uSthICo IN
gl an ce
erc ority .
omm th . SMB
#1 c icate au rovider
if p
cert l trust
a
digit
NG
W
RVIE
OVE Key st
ats

t Names
Produc

model
Pricing

cal
for typi
Pricing ents (see
m
require )
low
key be

er
l custom
Typica
size

Our PKI Buyer’s Guide is a useful resource that explores and compares
several vendors’ managed PKI platforms. This gives you a side-by-side
look at the tools’ prices, features, and support offerings
to help you choose the right solution.

Download the Guide

 We Can Help Streamline Your Certificate Lifecycle Management
Strong certificate management is more than just using a management tool. It’s also choosing the tool that best meets the needs
of your organization and budget and implementing it in the best way to achieve your goals. Our team at The SSL Store is here to
help. We’ve been implementing the best certificate management solutions (at the best prices) for organizations of all sizes for
more than a decade. We can help you with the following, too:
Audit your certificate usage and identify your organization’s needs.

Identify the solution that best fits your goals and budget.
Negotiate the lowest price on your chosen solution.
Implement a best-in-class certificate management solution for your organization.

Like we said at the top: we’ll help you implement a certificate management system that makes your job easier while improving
your company’s security posture, reducing risk, and improving efficiency.

Get started with a free consultation with one of our PKI experts.

Schedule A Free Consultation

What Makes The SSL Store Stand Out

As the world’s leading provider of SSL/TLS certificates, we’re dedicated to providing you with the best service and digital
certificates at the best prices. Since our inception in 2008, we’ve expanded beyond website security certificates to offer a wide
selection of digital certificates (code signing, document signing, and client authentication — to name a few).

We’re partners with several of the industry’s leading certificate authorities and vendors to offer a variety of certificate man-
agement and web security solutions. And now that we’re part of the DigiCert family, our commitment and ability to serve our
customers will also continue to grow.

Need to get more details?

Contact us at (727) 291-0646 or enterprise@theSSLstore.com

www.theSSLstore.com/resellers
146 2nd St. N. #201, St. Petersburg, FL 33701 US
©2023 The SSL Store™. A subsidiary of DigiCert, Inc. All rights reserved. www.theSSLstore.com/enterprise
V1.3 JUNE
V1.2 MAY2023
2023