What is the first thing that comes to mind when someone says Certificate Lifecycle Management (CLM)? The answer reveals the different perspectives that many kinds of businesses can have on CLM. In our experience with a multitude of public key infrastructures and their use cases, we have found that CLM can mean something different for each customer. At times we ourselves are surprised by the ideas our customers come up with regarding CLM. Life never stops providing opportunities to learn something new.
Let’s start from the very beginning, with the certificate itself and the standard types of operations during its lifecycle that we may wish to manage.
Certificate Lifecycle Stages
When managing certificates, we need to understand the different stages they go through during their lifecycle. A typical set of certificate lifecycle stages would be: enrolment, validation, use, distribution, monitoring, revocation, expiration, renewal, recovery, decommissioning and destruction. This is similar to key management. Unfortunately, there is no single golden standard that unifies the different certificate stages and how they interconnect.
As an example, we can define a simple certificate lifecycle:
- Credentials and other inputs are provided to enroll for a certificate. For example, a certificate signing request containing the Common Name and the identification of the service is provided together with authorization details.
- The enrolment data is validated and the certificate is issued. The certificate is stored in a database and delivered to the end entity that submitted the enrolment.
- The certificate approaches the end of its validity period. An expired certificate is no longer valid or trusted, so the end entity should be aware of this and decide either to renew or to decommission it.
- After expiration, the private key and certificate are no longer needed. The private key is securely destroyed, and the certificate is decommissioned from the public key infrastructure.
In a typical PKI setup there is, of course, more than one certificate type, and the lifecycle stages should be defined for each of them. A process view or functional perspective is the baseline for managing certificates effectively.
Certificate Lifecycle Management and Interfaces
For some customers, the term CLM is focused on the management itself: the tools and procedures incorporated into the PKI. A basic set of these is necessary whether you rely on manual processes or on automation to achieve any form of CLM.
Every modern PKI solution lets you perform certificate lifecycle management through a graphical user interface or a set of APIs. Operators use these to perform the various tasks on behalf of users and other end entities.
How do we choose the right solution? Unfortunately, there is no straightforward answer. The certificate lifecycle stages that your operations require should act as a clue, though: each stage is represented by a set of operations, and the solution should support performing these both manually and through APIs.
Some of the typical interfaces that support the certificate management are:
- Web or desktop GUI
- Web Services
- REST API
- SCEP (Simple Certificate Enrollment Protocol)
- EST (Enrollment over Secure Transport)
- CMP (Certificate Management Protocol)
- ACME (Automatic Certificate Management Environment)
Automation of Certificate Lifecycle Management
For other customers, the term CLM immediately brings automation into focus: controlling the different stages of a certificate with as little human input as possible. Of course, this is tied to the APIs mentioned above, but bear in mind that there is a huge difference between them in the context of CLM automation.
Automation goes deeper and further into the process of certificate lifecycle management and may include additional stages:
- Discovery of certificates used and deployed in the infrastructure: applications, file systems, web servers, cloud service providers, certification authorities, HSMs and keystores, etc.
- Monitoring of certificate attributes, such as expiration date, compliance with cryptographic algorithm requirements, use of compromised certification authorities, self-signed certificates, and many more.
- End-to-end management: certificates are managed end to end, meaning that the automation includes initial private key generation, submitting the CSR, distribution of certificates, renewal, and alerting in case of any issues.
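The simple lifecycle defined above and the monitoring stage of the automation list, as an added Go example that is not from the original post and uses only the standard library: Issue performs enrolment and issuance under a constructed root CA (the names, lifetimes and the renewal threshold are assumptions), and Action is one monitoring pass that turns a certificate's validity period and issuer into the next lifecycle step.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Issue covers enrolment and issuance: a fresh key pair is generated and a certificate for cn
// is signed by parent, or self-signed as a root CA when parent is nil. Constructed example code.
func Issue(cn string, validity time.Duration, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(validity),
		IsCA:                  parent == nil,
		BasicConstraintsValid: true,
	}
	if parent == nil { // root CA: signs itself with its own key
		tmpl.KeyUsage = x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der) // this is what gets stored and handed to the end entity
	return cert, key, err
}

// Action is one monitoring pass: the next lifecycle step, derived from validity and issuer.
func Action(cert *x509.Certificate, renewWithin time.Duration, now time.Time) string {
	switch {
	case now.After(cert.NotAfter):
		return "expired: decommission certificate and destroy key"
	case cert.NotAfter.Sub(now) < renewWithin:
		return "expiring soon: renew"
	case cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil: // verifies under its own key
		return "self-signed: not issued by a CA"
	}
	return "valid: keep monitoring"
}
```

A trust anchor is self-signed by design, so a real monitoring pass would exempt the configured roots from the self-signed finding.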
Automation plays a crucial role when managing thousands of certificates: it minimizes the risk of service interruption caused by an expired or invalid certificate while also minimizing the operational cost of certificate management. Imagine you have thousands of certificates and each of them has to be handled by operators or administrators. This quickly becomes a routine that everyone would like to avoid, and in the end it becomes ineffective and prone to human error.
Automation has a key place in certificate lifecycle management.
Infrastructure and applications
For customers focusing on IT automation and DevOps, CLM can have different meanings and perspectives. In this case, configuration management tools are heavily integrated into the deployment and change management processes and procedures.
Infrastructure is written as code; playbooks define tasks that are scheduled to run periodically. Where is the place of certificate lifecycle management in this environment?
Certificates in this case usually have a very short validity period, and therefore their lifecycle is integrated directly into the configuration management tools. Certificate management interfaces (such as SCEP, EST, CMP or ACME) are used to achieve lifecycle management of all certificates. Configuration and IT automation tools can handle the rest: enrolment, distribution to the end entities, renewal, validation and decommissioning.
What does Certificate Lifecycle Management mean for you?
Certificates are becoming an asset, and a good understanding of certificate lifecycle management will give us the best value from using them.
Think about it from the use-case perspective and start building the certificate lifecycle blocks from the beginning:
- Core PKI: Whether you have an in-house or outsourced PKI, this is the core of all certificate-related tasks and trust. You need to have a good PKI in place in order to start using the benefits of digital certificates.
- Certificate Lifecycle Stages: Think about the process of using the certificate from end to end and define all lifecycle stages for each certificate type. Take the role of the user or end entity and think about the management process from their perspective. A good certificate lifecycle design will pay off in the next phases.
- Certificate Management Interfaces: What interfaces do we need to support the certificate lifecycle stages? There are many factors to consider: IoT, manufacturing, DevOps; each use case has its own requirements and limitations. It is also important to consider the future evolution and the agility of the use case.
- Automation: Do I need automation? How is the certificate lifecycle handled from end to end? Where does it start and end? Do I need complete visibility of all certificates?
- Something else?