
Using PKI Jiu-Jitsu to Build a Powerful Digital Trust Ecosystem

In 2020, Google and Apple shortened TLS/SSL certificate lifecycle policies to 13 months. In March of 2023, Google once again proposed updates to its Certificate Lifecycle Management (CLM) policies, including lowering TLS/SSL certificate maximum validity to three months (90 days) rather than the thirteen months (398 days) issued just a few years before. What if you could use jiu-jitsu to turn those aggressive public key infrastructure (PKI) requirements into a powerful platform of digital trust?

Building a powerful digital trust ecosystem requires a powerful PKI platform. This platform needs to be resilient and well architected, and it requires broad-spectrum support for full automation. During my time at the RSA Conference 2023, I learned that there are many frameworks, proven platforms, and vendor solutions that can make this digital trust reality come true.

The Automated Certificate Management Environment (ACME) protocol is a framework designed to allow an agent to communicate with a certificate authority (CA) and provide full CLM automation without the need for credentials, supporting ephemeral use cases such as just-in-time microservices. ACME addresses key management on endpoints, protocol standardization, and connectivity normalization, so that expired or misconfigured certificates do not cause outages. If you’ve ever tried to deploy this through solutions like win-acme, acme.sh, or Certbot, you will likely agree that it can be challenging (enjoy the pun) to properly configure your environment to support the three primary challenge types. These challenges verify control over a domain before an SSL/TLS certificate is issued: HTTP-01, DNS-01, and TLS-ALPN-01. The four solutions I reviewed remove the burdensome configuration and integration required to leverage ACME efficiently. Think of how your machine identity initiative could benefit from implementing something like this.

EJBCA, formerly known as Enterprise JavaBeans Certificate Authority, is an open-source CA, released in 2001, that is fully capable of broad-spectrum support for complete CLM. If you are stuck with Microsoft CES/CEP for your CLM program, this is a multi-tenant solution that can scale. It will allow you to automate CLM for your DevOps pipeline, workloads, and microservices. In some cases, this can support IoT trusted identities in manufacturing environments. Finally, the free EJBCA solution is the full package – it supports multiple CAs, registration authorities (RAs), and validation authorities (VAs) in a single instance, and it is extended to support discovery and other enterprise use cases by PrimeKey and Keyfactor. I was asked by some members whether it integrates with HashiCorp Vault or Microsoft Intune. The answer: it sure does.

I spoke to four PKI vendors at RSA this year; below are some insights on their capabilities.

  • Venafi – A privately held cybersecurity company founded in 2004. They are headquartered in Salt Lake City, Utah. Venafi can provide complete PKI CLM capabilities if implemented correctly while leveraging its discovery and automation strengths. They developed the open-source project cert-manager, which was one of the first cloud-native machine identity protection platforms. Machine identities and CLM are very possible and intuitive with their Control Plane offering for Kubernetes clusters.
  • Keyfactor – Initially starting as CSS, a PKI consultancy, in 2014 the company took what they had learned over the years solving problems for customers and built a SaaS-delivered PKI solution and CLM automation platform. Keyfactor’s strong EJBCA foundation allows you to get closer to zero-trust compliance and remediate risks such as wildcard certificates that previously might have been difficult to discover and manage.
  • AppviewX – A privately held company founded in 2008, AppviewX started its journey as a network management and automation software outfit. Today, it has a solution that I believe is a very powerful automation platform for CLM and very capable at solving machine identity challenges at large scale. Among the features in the demo that worked well are the Smart Discovery tool – a tool to do discovery across hybrid environments (CAs, cloud, etc.) – and end-to-end CLM automation. This last one seemed particularly powerful to me, because it had many pre-built automated workflows and self-service certificate operations.
  • GlobalSign – This company became a public CA in 1996 and today it is in the top five largest CAs worldwide according to Netcraft. Over 60 million certificates and over 207 cloud signatures rely on GlobalSign. When I spoke to the GlobalSign engineers, it was clear the company has the experience, platform, and capabilities to provide an end-to-end PKI CLM solution. It offers everything from a trusted root CA out of the box to fully automated certificate self-service. It is also very focused on IoT support and keen on the industrial setting, mentioning that it has over 50 million IoT certificates issued by its GlobalSign roots.

Sources:

Moving Forward, Together (chromium.org), Company website 2023

What is the Maximum Validity Period of TLS/SSL Certificates? (appviewx.com), Company website 2023

Who is GlobalSign?, Company website 2023

About Us | Why Venafi is Trusted by Global 5000 Organizations, Company website 2023

About Keyfactor, Company website 2023

Our Take

Google’s announcement is applicable to public-facing workloads and services, not your internal CLM or encryption policies and standards. The Google guidance, at a minimum, should have you exploring automation solutions to solve for the inevitable. As machine identities and zero trust become ubiquitous, your PKI and CLM will need to scale to support the demands for self-registration and automation. The four vendors I interviewed all have capable solutions. Ask whether their discovery solution will charge you for all discovered assets or only the ones being actively managed; this varies across the industry. Define the use cases you will support and what you will need from the solution – digitally signing email, encrypting email (S/MIME support), certificate provisioning and management, Active Directory (AD) integration, and auto-enrollment support for domain-joined assets.

Although there are many protocols that aim to solve the CLM dilemma, ensure native support for ACME, but also ask for Enrollment over Secure Transport (EST) and Simple Certificate Enrollment Protocol (SCEP) support to provide broad-spectrum CLM coverage. It might be important to you to minimize key roaming. With that in mind, many of these solutions integrate with your existing hardware security module (HSM).
