Managing SSL/TLS Certificates at Scale
The adoption of complex infrastructure tools means “organizations have in use hundreds of thousands of machine identities secured by SSL/TLS certificates, with lifespans ranging from years to minutes,” says Mary Branscombe.
And, she explains, “manual scripts, spreadsheets and homegrown automations don’t scale to support those numbers, especially as most enterprises have poor visibility of how many certificates and machine identities they’re already using.”
In this detailed article, Branscombe describes various challenges facing organizations that need to revoke and reprovision TLS certificates at scale, noting that “NIST’s 2020 certificate lifecycle framework (SP 1800-16) is a good starting point, covering the risks and best practices for large-scale TLS server certificate management, including automated issuing, renewal, and revocation processes.”
Learn more at CIO.
Related content
- Forum Approves Requirements for SSL/TLS Certificates
-
Windows security with public key infrastructures
A rarely used feature for improving security in Windows environments relies on certificates issued for various applications, services, and procedures that is based on a public key infrastructure. -
Automate the Active Directory Federation Services install
Installing Active Directory Federation Services is complex and involves several GUIs. For admins entrusted with building a farm, repetitive clicking in various management consoles can become an annoying and error-prone process. The call for automation is loud. -
Certificate management with FreeIPA and Dogtag
The Dogtag certificate manager integrated into the FreeIPA open source toolset generates SSL/TLS certificates for intranet services and publishes them on the network. -
Transport Encryption with DANE and DNSSEC
Those who think that enabling STARTTLS in the mail client will make their mail traffic more secure are wrong. Only those who bank on DANE can be sure that a mail server or a firewall will not switch off encryption in transit.