Herding Certs: Mandatory Homework for 2016

By   Brian A. McHenry
, F5 | Jan 26, 2016 05:00 pm PST

The exasperating attempt to bring seemingly uncontrollable and chaotic forces into step with one another is often referred to as “herding cats.” Examples range from chaperoning kindergarteners on a museum field trip to managing rock star developers on a software project. In today’s “HTTPS Everywhere” world, enterprise key and certificate management (EKCM) can also seem like an exercise in herding cats. However, with the explosion of SSL/TLS usage, high profile Certificate Authority (CA) compromises, and ever-evolving malware, an effective EKCM program has never been more vital to ensuring strong security.

Mismanagement of keys and certificates can impact security in a variety of ways. Something as simple as an expired certificate can cause a web application to be unavailable to many browsers and mobile apps, both of which are more aggressively alerting users to poorly implemented encryption. More serious impacts of mismanagement can lead to compromised keys or certificates, enabling an attacker to impersonate a web application with a totally authentic certificate or to seamlessly decrypt data streams via man-in-the-middle attacks. A demonstrably secure and well-documented key and certificate management process is not only a vital part of security, it’s also a requirement of many compliance regulations, including PCI DSS.

In the past, the number of key and certificate pairs was limited to only the most mission critical, public-facing domain names, since public certificates were expensive, and encrypting internal traffic wasn’t seen as necessary. For many small to medium sized enterprises, the result was only a handful of keys and certificates, at most. Today, virtually every web application is transported in whole or in part via TLS encryption, including internal or intranet applications that employ self-signed certificates or certificates signed by an internal CA. This means an organization could have dozens if not hundreds of key and certificate pairs. All of which must be audited for not only expiration, but also digital signature algorithm, key length, and potentially other attributes. At this level of scale and complexity, some sort of management solution is required.

There are many EKCM solutions ranging from free and open source software like Barbican for OpenStack to commercial solutions like those from Venafi. No matter which solution you choose, you should ensure that it provides integration with the various terminations points in your infrastructure, and either provides a CA server or integrates with your CA server of choice. It should also integrate with Hardware Security Modules (HSMs), which are increasingly deployed as a method for secure key storage. Integration comes through a few open standard APIs, including PKCS #11, SCEP, and the emerging KMIP standard.

At a minimum, your EKCM solution should enable you to easily audit and alert on the state of all certificates and keys, including:

  • Certificate expiration date
  • Weak certificate signing with SHA1
  • Weak key length below 2048-bits
  • Discovery of unmanaged keys and certificates (especially self-signed certs)

On that last bullet, I’ve written about the dangers of letting users become accustomed to certificate warnings. Part of the solution to this problem is to establish an internal root CA trusted by employees and other valid users. This better internal public key infrastructure (PKI) prevents users from seeing browser warnings for internal apps which they are forced ignore. While these internal root certificates and keys are not distributed to browsers like public root CA bundles, they must be closely guarded, not only to preserve the internal PKI trust, but also to prevent these root trusts from being exploited. Since these explicitly trusted root CAs override many security measures such as HTTP Public Key Pinning (HPKP) and certificate pinning, they can be easily abused as in the high-profile instances of the Lenovo Superfish and Dell eDellRoot certificates.

While the problem of auditing all public and private certificates and keys may seem like a large and time-consuming task, EKCM tools exist to enable us to kick-start better key and certificate management. As with most big management tasks, once a baseline inventory is established, maintenance becomes much easier. Ongoing tasks such as certificate renewal or regeneration become much simpler through API integration and automation with the various encryption endpoints in the infrastructure. And rogue certificates are more easily spotted and “herded” back under control through easier revocation, renewal, and regeneration.