Everything you need to know about Certificate Ownership

code certificate

TLS server certificates provide a secure backbone to digital infrastructure across the globe, yet a lot of organisations are severely lacking the policies and processes needed to guarantee sound certificate management. These organisations are further challenged by the vast scale at which TLS certs must be managed and lack the modern, automated technology stack that would enable them to do so.

Until these issues are addressed, incidents and downtime resulting from TLS certificate issues will continue to abound.

The Challenge of Effective Certificate Management

Some of the key factors that make certificate management so difficult for many organisations include the fast-paced deployment of TLS servers, the numerous roles that take part in the issuance and management of certificates, how certs are diffusely allocated amongst enterprise groups and environments and the convoluted processes required to manage them. In many organisations it’s commonplace for a Public Key Infrastructure (PKI) team, or a Certificate Services team, to handle the issuance of TLS certificates. Yet once these certificates are issued, they tend to be installed and maintained by the certificate owners – the teams of system administrators who manage the servers, network appliances and various other devices on which the certificates reside.

The Certificate Services team is often the group in charge of handling interactions with public CAs as well as internal CAs. This team is usually composed of between one to three employees. Though the team members have substantial skills and experience in TLS server certificates, they lack the means and permissions necessary to directly administer certificates on the vast array of devices where certificates are installed. When TLS certificate issues, like outages, happen, the Certificate Services crew is frequently held responsible.

Dedicated Teams & Defined Responsibilities 

“Certificate Owner” is a title that designates an individual or a group as maintainers for systems where the certificates reside. A certificate owner group may contain members from a diverse set of positions, such as sys admins who are in charge of overseeing specific systems and the certificates on them, application owners who can evaluate and authorize certificate requests from system administrators to make sure that only approved certificates are granted and the executives who have the ultimate responsibility for making sure that any duties relating to certificates are fulfilled.
Certificate owners are often unaware of the risks connected with certificates or the recommended best practices for handling certificates correctly.

Certificate Provision in a Rapidly Changing Environment 

The emergence of widespread virtualization means DevOps teams now often provide systems and software programmatically. Technology stacks involving containerisation and orchestration may utilise short-living applets, which create a new category of certificate owner as well as novel kinds of TLS server certificate challenges for enterprises. As enterprises strive for faster and more effective application deployment, some DevOps teams’ resort to distributing certificates without first consulting with their Certificate Services division.
Bugs and flaws in DevOps tools or scripts can generate erroneous deployment or updating of certificates, which in turn may lead to certificates for essential applications not being adequately monitored. As recently seen by the serious outage for Spotify’s Megaphone podcast platform, poorly tracked, expiring certificates can cause huge problems that harm even the largest and most innovative organisations. Moreover, it is crucial to keep an eye on certificates and apps delivered and maintained by previous DevOps frameworks and tools when DevOps teams embrace modern practices.

As you can see, the landscape of certificate ownership is not without its perils and improper management of certificate ownership can cause major headaches for organisations. It’s recommended that all organisations have clearly defined certificate owners and to ensure that the Certificate Services team have a constantly updated list of owners. Furthermore, the certificate owners need to be actively preserving correct certificate policy enforcement.

If you need any helping creating a system that ensures best practice of certificate ownership (or any other PKI related needs) please feel free to contact one of our sales reps at sales@trustzone.com or call +45 88 33 10 00