5 Ways to Keep Up with Authentication Certificates

Monday February 24, 2020

When it comes to protecting an organization’s data and users, CISOs have no shortage of hurdles. Identity attacks have become sophisticated and convincing, thanks to ransomware, phishing and deep fakes. CISOs have long known the importance of strong identification and authentication controls, but with threats constantly changing and intensifying, having these controls in place is just one piece of the puzzle; they must be managed correctly in order to do their job.

Firstly, organizations have a wide range of technologies available to prevent fraud. In terms of managing a company’s identification and authentication processes, using a public key infrastructure (PKI) is invaluable. It allows the company to issue certificates to users as well as machines, aiding in authentication, identification and encryption.

SSL/TLS certificate(s), which confirm identity, are used for machines to talk to each other, and code signing certificates make sure software and binaries are legitimate, and not malware.

For users, corporate services that sign documents and emails help verify identity and the authenticity of any message. In addition, technologies like the Virtual Smart Card (VSC) on Microsoft Windows help deliver certificate-based identification and strong authentication.

In short, every user and every machine within an organization needs to be verified by certificate of some kind.

But what is the best way to manage these certificates and keep them current? Recently, Microsoft Teams experienced a three-hour disruption of service when an authentication certificate expired. As a result, Microsoft Teams users went hours without being able to log in. Microsoft isn’t alone in this experience. LinkedIn has dealt with expired certificates twice in the past two years, as have popular apps like Pokémon Go, and even the White House.

These outages are certainly inconvenient, but more than that, they cost productivity and revenue. The number one best practice with certificates is: do not let them expire. What can CISOs do to prevent this gaffe in the first place? The five tips below will help.

  1. Take full advantage of the certificate authority’s (CA) management portal. Most CAs offer a way to view all certificates and filter them by expirations. Leverage any automation the CA provides to keep track of dates.
  2. Take inventory regularly. A CISO must make sure to be aware of any certificate that exists within the organization. Make clear corporate policies about authentication certificates so none of them fly under the radar.
  3. Be diligent about housekeeping. Check to make sure that the email address tied to all certificates is one that gets used and checked regularly. This ensures that email renewal reminders are seen, and action is taken.
  4. Only work with a CA that offers streamlined and comprehensive control for managing certificates. Again, ensure visibility of all certificates so none becomes neglected.
  5. Invest in a fully automated PKI solution for certificate provisioning and management. Doing so lets a company issue certificates and manage them throughout their lifecycle (including renewal) to make better use of IT resources.

Clearly, powerful and useful automated resources exist help CISOs keep a handle on all authentication and identification certificates throughout an organization. Gone are the days of manual tracking through spreadsheets. Even if that method worked at one time, the risks are too great to rely on them now. Investing in a modern solution to manage certificates will provide peace of mind and efficiency. Companies that automate their certificate management strategies can enjoy greater security now and into the future.

This article was originally published by the "CA Security Council". In 2021 the CASC was restructred and renamed to the "Public Key Infrastructure Consortium" shortly "PKI Consortium".

Learn more about the PKI Consortium
Participate in our community discussions and/or join the consortium