The Importance of Certificate Discovery – Keyfactor

Organizations have thousands, or even tens of thousands, of certificates. If you handle certificates in your company, this comes as no surprise. It’s very complex and difficult to keep track of these certificates, much less maintain control over how they’re issued or used.

AWS Builder Community Hub

However, it is probably not the certificates that show up on your spreadsheet that cause problems. More likely, the certificate causing your next outage is the one you do not know about.

[Watch “How to Take Control of your SSL/TLS Certificate Inventory“]


Modern PKI Environment


Since you don’t necessarily know where all the certificates in your environment, people in your organization might request certificates without you even knowing. While organizations give their best estimate on how many certificates they have, most of them admit they don’t know the exact number.

Without visibility though, there’s little chance of preventing the next outage caused by an expired certificate.


Certificate Discovery and Management

There are many different evaluation factors to consider before deploying to your network. Many existing market solutions just aren’t successful in effectively manage the large number of certificates in organizations today.

When we break down the core requirements of a solution, discovery is number one, then monitoring and automation beyond that, then how to integrate certificate deployment with different toolsets and applications.


Core Capabilities


Certificate Discovery

Effective certificate discovery can essentially be broken out into three different capabilities:

  1. Direct CA Integration 
  2. SSL/TLS Discovery 
  3. Certificate Stores 

Direct CA Integration 

The first certificate discovery method involves integrating with not just your on-premise certificate authorities, but also third-party certificate authorities. This will allow your to bring all of your inventory into one place right from the source.

Using a direct synchronization with CAs allows you to request new certificates, revoke them, renew them, and automated getting them placed into various parts of your network where they’re needed.

CA Gateways

SSL/TLS Discovery 

Having a direct integration to your CAs is a great first start, but it won’t give you visibility into where those certificates are located on your network. Furthermore, developers and admins will often go out and request certificates from CAs that you might not be managing.

SSL/TLS discovery capabilities allow you to map certificates to your network topography and schedule scans to inventory certificates and ensure that they are still at the endpoints where you expect them to be.

SSL TLS Discovery

Performance is the number one problem we come across with SSL / TLS discovery. Not only has the volume and velocity of issuing certificates increased, but also the sources of those certificates.

Knowing where every certificate is located allows you to quickly and easily replace them in bulk in response to cryptographic changes or a CA compromise, for better crypto-agility. From there you can start doing things like tracking and reporting on those certificates, setting expiration notifications, and automating deployment, but all that depends on getting an accurate and up-to-date inventory.. 

Certificate Stores  

And finally, some certificates aren’t even necessarily on exposed to a port on the network. They are residing in certificate and key stores, such as Java KeyStores (JKS), F5 devices, IIS servers, or cloud services like Azure Key Vault and AWS Certificate Manager.

Keyfactor orchestrators and agents allow for the discovery of these certificates so that you can bring every one under management. This will catch rogue certificates that are out there that could come up unexpectedly and cause an outage. Tools should be able to perform this discovery using agents or agentless methods.

Keyfactor Orchestrator


Take Control of All Your Certificates


Ready to take control of all your certificates?


Join the discussion and watch a demo of the three simple ways that Keyfactor gives you complete visibility of all certificates in your inventory, regardless of where they were issued from or where they live.



Watch Webinar

*** This is a Security Bloggers Network syndicated blog from PKI Blog authored by Sami Van Vliet. Read the original post at: