Mitigate Risk: Automate Your Shorter Digital Certificate Life Cycles
Earlier this year, Google® announced its “Moving Forward, Together” roadmap, with the intent to reduce the maximum possible validity for public transport layer security (TLS) certificates, also known as secure sockets layer (SSL) certificates. Manually managing shorter certificate lifespans isn’t scalable and increases the risk of outages and data breaches.
In our next webinar, subject matter experts Mark Flegg, CSC global product director, and Patrick Harris, Sectigo Strategic Accounts – Certificate Lifecycle Management, PKI, TLS/SSL, IoT, will cover what shortened digital certificate life cycles mean for you and how to automate them to avoid unnecessary risk:
90-day maximum lifecycle by the end of 2024
Sectigo Certificate Manager (SCM) demonstration
Christy: Welcome to today's webinar, "Mitigate Risk: Automate Your Shorter Digital Certificate Life Cycles." My name is Christy DeMaio Ziegler, and I will be your moderator.
Joining us are Mark Flegg and Patrick Harris. At CSC, Mark is our Global Product Director, responsible for advising a global client base on digital risk and the preventative measures brands can take to safeguard their digital assets through innovative technology solutions. Patrick has been a PKI account executive at Sectigo for 10 years. For the last five years, he has focused on Fortune 1000 clients, advising them on ways to address certificate lifecycle management with the help of Sectigo Certificate Manager. Patrick is well trained on both public and private PKI management and the full portfolio of automation features that Sectigo provides its customers today.
And with that, let's welcome Mark and Patrick.
Mark: Thank you very much, Christy. So today we're going to cover TLS certificate lifetime reduction, management solutions, how we deliver digital trust, and CLM, which is another acronym we have in the industry, certificate lifetime management.
So let's go into this lifetime reduction to start out with. We've known it's been coming for a number of years. When I started in the industry, we could get certificates for 10 years, publicly trusted. Then it dropped to five, then four. Then I think three, two, one. And Google have finally done what they have been looking to do, and that's reduce them to 90 days.
This is a huge change. This no longer becomes an annual event for business. We're going to have to do things four times a year where we were doing it once. It's going to be a huge change. And for those that have got a number of certificates, a bigger portfolio, we're going to have to make sure that we utilize the tools that are available to us today, namely automation.
So why is the change happening? Google believe 390 days is too long. We've got quantum computing around the corner that will change the industry dramatically obviously. But from a Google perspective, they think everything should be automated. Reduce the time-consuming, error-prone issues and processes and avoid the need for revocation solutions. And it allows faster adoption.
And just to put this into context a little bit, if there is a compromise on a private key, for example, if somebody has pasted that into the system by mistake, we have to revoke the certificate that has been issued. And the CAB Forum give us 24 hours to do that. And for business, 24 hours might seem a long time for installing a cert. It's really not because everybody has to drop everything they're doing and install it.
And we've had revocations in the past, but 24 hours is still a challenge for businesses. So the whole notion from Google here is, well, if you had automation in place, this would not be a problem. So that's one of the bullets that they always include in their notifications.
So things that you've got to consider here. How large is your certificate portfolio? Patrick will hopefully get into a little bit of this later on. I think anything where you've got 40 or 50 certificates or in excess of that, you really need to be looking to automate that process because it won't be manageable four times a year to replace every certificate.
The second question, do you need to automate the entire process? There are varying things that you can do. You can use APIs to provision certificates and get your hands on them and then install them manually. Or you can provision them separately and use an implementation, an automation called ACME. It's an automated certificate management environment. You need to figure out for your business what that looks like where you need to automate. We highly recommend doing the whole lot, and then it can be completely hands-free and risk-free.
The third question, do you want to manage mainly TLS certificates or extend to others as well? So again, taking an inventory of what you have, especially looking at the servers that the certificates are installed on, what versions they are using because that plays into what you can and cannot automate. I'd like to think everybody is on the latest and greatest versions of their software. Chances are there might be some applications or old servers that are not, and they would require upgrading prior to implementing automation. So take that inventory, understand what your certificate usage is, and then figure out what your automation strategy is going to be.
An obvious question, do you already have an internal PKI that can help with the automation as well? And if you do, how do you plan to evolve the model?
So from a management solutions perspective, clearly CSC partners with Sectigo. We have their Certificate Manager, Sectigo Certificate Manager or SCM as we call it. And this is the kind of turnkey solution. It will do everything. It will generate CSRs. It will request certificates. It will provision them, issue them, and physically install them on the servers as well through agents using the ACME protocol. So this is the kind of Rolls-Royce solution, if you like.
But there are other alternatives. If you're using Venafi, ServiceNow, Keyfactor, AppViewX, all of those companies that are doing other things for you internally, then perhaps using an API to get certificates to those organizations is the right way for your organization. But again, all of this needs to be kind of thought about and a plan put together.
With that, I will hand over to Patrick.
Patrick: Thank you so much, Mark. I appreciate that. And thank you all for attending today. Really what I just want to open up with is in my experience at Sectigo, as Mark mentioned previously, we've seen a lot of change when it's come to certificate life cycles in the past. We've seen them decrease time and time again. And the key differences or the key changes that I've noticed in my tenure here is that having SSL certificates in place has turned from a luxury to a necessity. And now, having certificate lifecycle management and automation in place is turning from a luxury into a necessity.
These are some of the common problems that people and organizations that have people in place who are handling SSL certificate renewals are facing. The root of these issues and why we're using SSLs to begin with is to remain compliant. And when you have to remain compliant in as many places as we do, whether it's a public-facing website, an internal device, having to renew the certificates more frequently, now that we're going to 90 days, means that organizations that are big and vast and have certificates being used globally need to be as agile as possible.
So what Sectigo Certificate Manager will also help organizations do is remain crypto agile, so whether that's using one feature to solve one use case, another feature to solve another use case, and then us integrating with another vendor that's potentially in your security stack today to get certificates to solve that use case. We like to give you a lot of options to allow you to remain flexible and again agile to solve your certificate issues.
But with those features, that introduces some complexity. So having Sectigo, having CSC as trusted advisors to help guide you on the best ways to implement automation, I think that's pretty key as well. It's more than just a vendor service provider relationship now. With this change to 90 days, it's an aggressive timeline. So we have to work together and really in a consolidated effort to help our customers scale certificate automation just so we're making sure that we're achieving all of these use cases and we're solving all of the problems an organization might face together.
And really, to summarize things, resources are hard to come by everywhere these days. So a solution like Sectigo Certificate Manager can help implement features and integrations that don't strain your resources, that maximize the resources you already have today, making them and empowering them I should say to do their job in the most efficient way possible.
Along with everything else, consolidation is a big solution and really a big goal of companies today. And tying to everything that we just discussed, in order to remain crypto agile, you can't be managing 5, 10 different vendors to achieve one job. So consolidating things down to a CA that's able to manage those certificate renewals as well helps you cut down on some of those other providers, like Mark mentioned. Some of the competition we have out there, that might not be a dedicated CA, like Venafi and AppViewX. But we give you the ability to maybe tie into those solutions. So we recognize that while they're competition, they also are kind of partners as well, where we all have to really work together and make sure we're providing a fast and scalable solution for all customers out there, CSC's and Sectigo's alike, who need to use certificates in a quick way.
And the best way for us to position our customers for success with consolidation, with scalability, and with automation is Sectigo Certificate Manager. What's really key about Sectigo Certificate Manager nowadays is not only can we automate all of the certificates that are issued by Sectigo, but we are also CA agnostic. So we can automate certificates that are issued from other certificate authorities. We can automate certificates that have been issued from a Microsoft CA.
But not only can we issue and install certificates that are issued from those other certificate authorities, we can also do a lot of other things. We can discover certificates. So you'll be able to know and locate where certificates issued from my previous vendor are. So when you're setting up a plan to migrate to a new CA or you're setting up a plan to automate those certificate renewals, you can map where you need to implement automation, the exact place where the certificates need to be automatically renewed and installed. And when you're needing to run reports, you're seeing where certificates have been used in the past, being able to discover where they came from originally is a key pillar to certificate management that seems to be forgotten now that everybody is talking about automation and things of that nature.
And really, what Sectigo Certificate Manager's goal is, is again, tying back to my slide previously, optimize resources, ensure compliance, and achieve ROI through efficiency gains. What we want to do is give our customer base a tool that can empower them to be the best employee that they can be and really to make certificate management as seamless and simple for their organization as possible.
I like this slide personally because it gives our customers a good view and clients and prospects alike a nice view of what they're able to achieve through Sectigo Certificate Manager. If we're talking about Sectigo Certificate Manager scientifically, think of SCM as the nucleus here. And all of these different aspects are other ways that we can integrate with an organization's network in order to facilitate certificate lifecycle management to whatever variety of places that they might need it within their organization.
So, for example, we give you the ability to discover, automate, renew, manage, and govern certificates from public CAs, private certificate authorities, and for various use cases. But in my opinion, what I think is most important to highlight is all of the different tech partners, all the DevOps solutions, and the endpoints that we seamlessly integrate with to help you scale distribution of certificates among the enterprise. So not only can you scale them to the endpoints that need them, once we push them, we'll help you automatically renew and install those certificates as well.
So you're probably seeing a lot of logos, a lot of icons that you're familiar with, and a lot of standards or a lot of things that you might have as a goal or as a project for 2024. Sectigo Certificate Manager does give you the ability to automate certificate renewal and help with scaling our solution given the vast integration list that we support today.
But when it all boils down to it, these are the most common pain points that we're seeing in our customer base today and really where we're able to add the most value, along with CSC, to help provide you with a solution that, again, can help you tackle the main objectives that come with managing certificate lifecycle management.
So just to recap, some of the items that I think are really most troubling for our customer base today are, again, certificate discovery, knowing where those public and private certificates are today. That's where everything starts.
Private certificate authorities, now that's something we didn't talk much about. But a lot of enterprise customers today have a lot of trouble with managing a Microsoft Certificate Authority. Sectigo Certificate Manager gives us the same ability that you might see with some of those other certificate lifecycle management solutions out there today to integrate seamlessly with a Microsoft CA or a Microsoft PKI and even replace that with a hosted private PKI solution to offload not just the certificate automation piece, where some of that may be manual, but if you wanted to perhaps sunset some of the on-prem infrastructure from a Microsoft CA, with a provider like Sectigo, that's possible.
Mark spoke about ACME. We offer ACME for both public and private SSL. And why ACME is so important, especially now, is that with this announcement to 90-day SSL certificates, Google has endorsed ACME as a solution for automation. So you're not just hearing it from your friends at CSC. You're not hearing it from Sectigo as a certificate authority. Google, who is intending and is forcing this 90-day SSL certificate term, has advocated ACME as well.
And really, this second half of this slide, we can summarize it in a few easy words. But being able to address multiple use cases, whether that's a device certificate, a user certificate, a certificate that might be used in IoT use cases or device authentication or things of that nature, what Sectigo Certificate Manager allows you to do, regardless of the certificate type, is give you a lot of options when it comes to being able to deploy that certificate to an endpoint easily. And once it's deployed, we allow you to automatically renew and install that certificate so when it does come up for its expiration, you don't have to manually log in, request a new certificate, and install it. This all happens automatically for you.
So with that, I want to thank you all for attending, and I want to thank you for your time. Christy, I'll hand it back over to you.
Christy: Excellent, Patrick, thank you so much and Mark. Thank you so much, both of you, for a great presentation.