The journey of FreeSSL

SSL/TLS certificate management: convenience or requirement?

Working with and managing SSL/TLS certificates can be a daunting task. Whether you are a new user who is not yet sure what an "SSL/TLS certificate" is, or an experienced PKI administrator who deals with this sort of thing daily, managing SSL/TLS certificates comes with its challenges.

SSL/TLS certificates have multiple components that need careful attention. You need to:

  • Create the public/private key pair the server uses to authenticate itself and to establish the encrypted SSL/TLS connection
  • Retrieve and install the SSL/TLS certificate you receive from your Certificate Authority
  • Confirm the SSL/TLS certificate is installed on your web server correctly (the right certificate, matching the right private key, with the full chain)
  • Then, keep the connection secure by renewing the SSL/TLS certificate before it expires, at intervals set by its validity period (typically every 1-3 years at the time of writing, though the industry trend is toward shorter lifetimes)
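The four steps above, scripted with the openssl command-line tool, as an added example that is not from the original article and is not Symantec's tooling. The hostname demo.example.test and the self-signed certificate are constructed for the example so it runs offline; a real server would send the CSR to a CA instead of self-signing, but the installation and expiry checks are the same.

```shell
#!/bin/sh
# Added example, not from the original article: the manual certificate
# lifecycle steps, scripted with the openssl CLI. demo.example.test and the
# self-signed certificate are constructed for the example.
set -eu

WORKDIR="${TMPDIR:-/tmp}/cert-lifecycle-demo.$$"
mkdir -p "$WORKDIR"
trap 'rm -rf "$WORKDIR"' EXIT

# Steps 1 and 2: create a key pair and obtain a certificate. Writes
# <prefix>.key.pem and <prefix>.crt.pem; $2 is the validity in days.
# (Self-signed here; a real deployment sends the CSR to a CA.)
gen_demo_cert() {
    prefix="$1"; days="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -subj "/CN=demo.example.test" \
        -keyout "$prefix.key.pem" -out "$prefix.crt.pem" >/dev/null 2>&1
}

# Step 3: is the certificate installed with the right private key? Compare
# the public key embedded in the certificate with the one derived from the
# key file. Exit status 0 means they match.
key_matches_cert() {
    key="$1"; cert="$2"
    [ "$(openssl pkey -pubout -in "$key")" = \
      "$(openssl x509 -noout -pubkey -in "$cert")" ]
}

# Step 4: renewal monitoring. Exit status 0 if the certificate is still
# valid $2 days from now, 1 if it will have expired by then (renew it).
cert_valid_for_days() {
    cert="$1"; days="$2"
    openssl x509 -noout -in "$cert" -checkend $(( $days * 86400 )) >/dev/null
}

# The fields a discovery inventory records for each certificate it finds.
cert_summary() {
    openssl x509 -noout -in "$1" -subject -issuer -enddate
}

demo() {
    gen_demo_cert "$WORKDIR/demo" 30
    cert_summary "$WORKDIR/demo.crt.pem"
    if key_matches_cert "$WORKDIR/demo.key.pem" "$WORKDIR/demo.crt.pem"; then
        echo "OK: private key matches certificate"
    else
        echo "FAIL: private key does not match certificate"
    fi
    # Warn when fewer than 14 days of validity remain.
    if cert_valid_for_days "$WORKDIR/demo.crt.pem" 14; then
        echo "OK: more than 14 days of validity remain"
    else
        echo "WARN: certificate expires within 14 days, renew now"
    fi
}

demo
```

The key-match check catches the most common installation mistake (a renewed certificate deployed next to the previous private key), and `-checkend` gives a cron-friendly exit status for the renewal reminder; point both functions at the certificate and key files your web server actually loads rather than at the files in the CA's download bundle.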

Fortunately, there are several tools that automate much of the process outlined above.

For instance, Symantec provides a cloud-based SSL/TLS certificate discovery and automation service that addresses several of the key pain points associated with SSL/TLS certificate management. Let's start by looking at the discovery service.

Discovery scans your network for every SSL/TLS certificate installed on it, finding certificates by various criteria. The service catalogues each certificate and records the important details: validity period and expiration date, issuing CA, and whether the certificate is installed correctly. With this information it tracks each certificate's lifecycle and helps prevent outages caused by expired certificates. It also checks for known vulnerabilities that could compromise the security of the connections those certificates protect.

Discovery paints a bigger picture of your company's security ecosystem; however, the burden of creating key pairs and retrieving and installing certificates still remains. This is where Automation closes the loop, letting you manage your SSL/TLS certificates properly and conveniently.

Automation is the answer to the rest of SSL/TLS certificate management. The service automates the entire certificate lifecycle and handles the complexities of keeping certificates valid so that they continue to protect your sensitive data. To automate, you install a trusted agent on your web server; if the certificate terminates on a load balancer, an agentless option performs the same operation.

Recently, the CA/Browser Forum passed Ballot 193, which underlines the need to streamline SSL/TLS certificate management as the industry moves away from long-lived certificates. The ballot requires all publicly trusted CAs to cap certificate validity at 825 days (about 27 months, roughly 2 years), down from the previous maximum of 39 months (roughly 3 years). As the maximum term is shortened further in the future, managing SSL/TLS certificates manually will become impractical.

