Managing PKI today is hard work. Spreadsheets or homegrown tools may have brought you this far, but times have changed. Between the need for round-the-clock certificate requests and renewals, regular compliance audits, and chasing down rogue certificates, you’ve reached a tipping point.
If you’re looking for a certificate management tool, chances are you’ve experienced one too many outages – or maybe you’ve failed an audit. You’re not alone. Recent reports show that 87% of organizations have experienced at least one certificate-related outage in the last 24 months.
So, like many others, you’ve decided you need to deploy a certificate management tool, but you’re not sure what questions to ask or even where to start. You’re in the right place.
Start With Requirements
First and foremost, determine project requirements. Some questions to ask yourself:
- Which (and how many) CAs will the certificate management tool need to support?
- What are the systems and applications in the organization that rely on certificates?
- What are the criteria required for different user groups within the organization?
- Is there a specific time frame for evaluation and deployment?
- Do I need a certificate management tool that also provides managed PKI?
Once you’ve set your requirements, ask vendors these 10 pre-purchase questions to make sure the certificate management tool you choose meets your needs.
10 Questions to Ask Certificate Management Vendors
Question #1: Does the certificate management tool support more than one CA?
Organizations with internal PKI use an average of 8 different issuing CAs, not to mention one or more public CAs. Don’t get locked into CA-provided tools that only allow you to issue and manage certificates from their own CA. Keeping track of certificates across multiple CA dashboards requires ongoing, manual effort that is not only time-consuming, but also prone to error and oversight.
Question #2: What level of visibility will your tool provide?
It’s not the certificates you know about that will cause your next outage, it’s the ones you don’t – and incomplete inventory will leave you exposed. Network-based discovery is table stakes. Ask the vendor if their solution can inventory CAs directly. Can it detect certificates issued outside of standard processes (i.e. rogue certs)? Can it inventory key and certificate stores in network devices and cloud services?
Question #3: How will the certificate management tool integrate with my existing infrastructure?
A certificate management tool that requires significant changes to existing firewall and port configurations is likely to slow network traffic and trigger all sorts of IDS and IPS alarms. You should ask your vendor for a detailed run down of what discovery and management capabilities they offer and – more importantly – how they are implemented across CAs, network segments, and IaaS platforms.
Question #4: What if I need to change, remove or add a CA to my PKI?
Crypto-agility is key. If a CA or algorithm is compromised, it’s not enough to simply re-issue keys and certificates from a new CA. The vendor should make the process: (1) non-disruptive to the business, (2) attainable within mission-critical timeframes, and (3) achievable within ecosystems that contain hundreds of thousands of certificates across distributed systems and applications.
Question #5: What automation capabilities does the tool offer?
Automation can – and should – take many forms, and be whatever you need it to be. An effective certificate management tool offers agent-based and agentless automation, a robust API library, and support for standard protocols like Windows auto-enrollment, ACME and SCEP. Make sure the vendor can integrate with your target systems – F5, IIS, Citrix, AWS and Azure KeyVault, among others.
