Blog Post Apr 04, 2019

Automated Certificate Management Importance and How to Integrate It

Automated certificate management is a way to reduce the cost, resources, deployment time, and, most importantly, the risks of having your team manage certificates manually. By automating digital certificate validation, provisioning, issuance, renewal, and revocation, you can avoid such risks as SSL outages and errors, web server downtime, incorrect account access, and more.

The Importance of Automatic Certificate Issuance & Renewal

In December 2018, approximately 32 million users of O2, the second largest mobile operator in the UK, experienced an outage. The root cause was traced to an expired certificate. In January 2019, during the US Federal Government shutdown, a number of important sites, such as those of the Department of Justice and NASA, were down because no one was available to renew the certificates manually.

Automated certificate renewal is no longer a luxury; it’s essential. The same applies to certificate issuance.

Consider the following: you are a certificate administrator for your organization and you have a new hire starting on Monday. She may need a user certificate so that she can log in to the Wi-Fi network or the VPN service, encrypt and sign emails, or electronically sign a document. Do you sit with her on Monday morning to set her up? You don’t have to, if you can leverage auto-enrollment of a certificate. When she comes in, she logs into her corporate laptop and the system automatically obtains a certificate for her. She is all set.

If you have 10 new hires starting that day, you can see how convenient it would be not to have to set them up one at a time. You could instead spend your time ensuring that they have access to the right resources so that they can be productive in a short period of time, or configuring an auto-renewal policy for them so that you are protected in the future.

If your IT team is setting up a new internal mail server during a maintenance window on a Saturday night, you can set the system up a few days before so that when the server is ready and joins the corporate domain, it automatically downloads a certificate from the Sectigo Private CA and installs it. You could be enjoying your Saturday night. The value of time with family and friends cannot be overstated.

Automation is exciting.

How to Implement Certificate Automation

In order to introduce automation in your network, you do not want to disrupt your existing environment too much. You may already have auto-enrollment and auto-renewal set up in your Windows environment using the Microsoft CA. While this takes care of your internal (private) certificates, you will have to choose another vendor for your publicly trusted SSL/TLS certificate needs. Why deal with the overhead of managing multiple vendors? Sectigo can provide you a one-stop shop for everything. You drop a Sectigo Proxy in your Windows Active Directory server and start issuing both public and private certificates from us.

It’s that simple.

You probably have users and devices on a variety of operating systems in your environment. For non-Windows clients, such as Linux servers, macOS devices, and networking gear, you can use Sectigo’s SCEP server to enroll certificates automatically. For many web servers, such as Apache, Nginx, and others, you have the option of using the ACME protocol.

Using ACME Protocol

The Automatic Certificate Management Environment (ACME), designed by the Internet Security Research Group, is popular for certificate management. Over 27 million web sites use it. More than 130 open source tools support it to make an administrator’s work easier. If you use DevOps for managing deployments, apps and tools such as Kubernetes, Chef, Ansible, SaltStack, Terraform, Puppet, Istio, Docker, and others support ACME to help automate certificate management. By plugging into this ecosystem, not only are you reducing deployment time, you are also eliminating any possible human error from the mix.

The impact of not using automation in certificate management should not be underestimated. At Sectigo, we are treating it as a top priority to be innovative and provide new ways of achieving total automation. To ensure the safety and efficiency of your site’s security, learn more about Sectigo’s Automated Certificate Lifecycle Management solution.