How to Detect Expiring Certificates
Elephants and Other Hi-Tech Methods
All X.509 digital certificates expire. It’s only a question of time. If you follow best practices then your endpoint certificates expire in two years or less. Once a certificate is expired it is considered invalid and will likely cause some kind of service outage. It doesn’t take a rocket scientist to understand that renewing certificates before they expire is crucial to preventing service outages.
Renewal of expiring certificates can be fully automated by a Certificate Management System (CMS) like Revocent’s CertAccord Enterprise, partially automated with a Monitoring and Alert System (MAS), or done manually. When using a CMS the product should automatically detect and renew certificates before they expire. The other methods require you to manually or automatically detect expiring certificates and then manually renew each one.
Let’s explore the best practices and the not so best practices of certificate expiration.
The Elephant Method
The person who creates each certificate memorizes the date of expiration, the system the certificate is installed on, and the location in the system of the certificate. He/she can then “remember” a few days before the expiration to renew the certificate.
Works Best For
People who have memories like an elephant (advanced users have photographic memories)
Downsides
- Difficulty finding people with amazing memory skills
- Single point of failure if the person suffers head trauma or simply leaves the company
- Time it takes to determine the storage capacity of People Memory Storage Devices (PMSD)
Old School Bureaucratic
The certificate creator scribbles a note on a piece of paper with the date of expiration and other details (advanced users will create a custom paper form) and then places the note in the large stack of carefully organized papers on their desk. Once a week the pile of notes should be reviewed for certificates that need to be renewed.
Works Best For
Old school bureaucratic organizations
Downsides
- Loss of notes if pile is knocked off desk (advanced users can use sealed folders)
- Fire that partially or totally burns the office
- Termination (or early retirement due to insanity) of employee which results in all notes being thrown out (hopefully shredded for security) because nobody understands their importance
- Poor scalability once you get to hundreds or thousands of certificates
The Calendar System
The certificate creator can add a reminder to his/her calendar to renew the certificate before it expires. Advanced users may use a shared group calendar.
Works Best For
Organizations who have little or no budget for security and PKI
Downsides
- Certificate creator forgetting to add an entry in the calendar
- Error prone: Missing a reminder results in a certificate expiration and likely service outage
- Not scalable: Having hundreds or thousands of certificate reminders in a calendar can be overwhelming
- Does not automate the renewal process – you still have to manually create and install renewed certificate
Certificate Monitoring And Alert Systems
There are commercial and free Monitoring and Alert Systems (MAS) products which will monitor and alert for expiring certificates. These products typically run an automated discovery process to find most (but rarely all) X.509 digital certificates. Often the product will need some manual feed of certificates to augment the automatic discovery. The product then sends an email alert containing a list of certificates that are expiring in a certain period.
In some products you can configure an alert via email for an individual certificate or any certificate matching a given subject. Configuring this level of detail requires manual configuration, of course.
Many of the previously discussed downsides are addressed by this type of solution, though some crucial ones are not. You no longer have to worry about individual people remembering to renew expiring certificates, and scalability improves because the tracking part of the certificate life-cycle is automated.
A good MAS will find many certificates in your enterprise, though it will likely miss some simply because not all certificates are discoverable remotely. MAS discovery is usually performed by scanning a range of IP addresses and opening a connection to well-known ports like 443 (HTTPS) to check for a certificate via TLS. The scanning host may not have access to all networks and/or individual ports due to firewall rules. Applications often use ports other than 443, and the MAS discovery likely doesn’t check every port. These problems lead to certificates that are never discovered by the MAS.
What’s also not addressed by this type of solution is the actual certificate renewal process, which still must be done manually in most cases. It’s also a well-known fact that the more alerts someone receives, the more likely they are to ignore or miss an alert that requires action.
More challenging is receiving an alert for an expiring certificate you know little about. Best case is the MAS alert may include the system hostname (or IP address) where the certificate was discovered. How does the person receiving the alert know if the certificate should be renewed? Who is responsible for the renewal if the system the certificate was found on is managed by a different department? Most likely the alert is received by someone in IT and the certificate was created by a departmental user. Who created the certificate will often be difficult or impossible to ascertain. The MAS is unable to provide this information because it was not involved in the certificate creation or installation.
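To make the MAS discovery and alerting described above concrete, here is an added example (not code from the original post or from any Revocent product) of the core check a scanner performs: connect over TLS to a list of host/port pairs, read the peer certificate, and flag anything expired or expiring within a threshold. The sample certificate dict, the `utc` helper and the `scan` function are constructed for this example; the script assumes Python 3.7 or later and uses only the standard library.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample: the dict shape ssl.SSLSocket.getpeercert() returns for a
# validated peer certificate (only the fields this script uses are included).
SAMPLE_CERT = {
    "subject": ((("commonName", "app.example.test"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar  1 00:00:00 2024 GMT",
}


def utc(year, month, day):
    """Helper for this example: an aware UTC datetime at midnight."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def days_until_expiry(cert, now):
    """Whole days from `now` until notAfter; negative once the cert has expired."""
    expires_at = ssl.cert_time_to_seconds(cert["notAfter"])
    return int((expires_at - now.timestamp()) // 86400)


def fetch_cert(host, port=443, timeout=5.0):
    """TLS-connect to host:port and return the validated peer certificate dict.

    With the default context an already-expired or untrusted certificate makes
    the handshake fail; that is returned as a string instead of a dict so the
    caller still raises an alert rather than silently skipping the host.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return f"verification failed: {exc.verify_message}"
    except (OSError, ssl.SSLError) as exc:
        return f"unreachable or no TLS: {exc}"


def scan(targets, now, warn_days=30, fetcher=fetch_cert):
    """Check each (host, port); return alerts as (host, port, status, days)."""
    alerts = []
    for host, port in targets:
        cert = fetcher(host, port)
        if not isinstance(cert, dict):  # handshake failed: still worth an alert
            alerts.append((host, port, cert, None))
            continue
        days = days_until_expiry(cert, now)
        if days < 0:
            alerts.append((host, port, "EXPIRED", days))
        elif days <= warn_days:
            alerts.append((host, port, "EXPIRING", days))
    return alerts
```

Note that this only sees what is reachable from the scanning host on the ports you list, which is exactly the discovery gap the text describes.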
Works Best For
Organizations who need a quick band-aid solution
Downsides
- Not all certificates will be discovered and thus monitored
- Little or no information about certificate renewal: who is responsible, should it be renewed, where is the actual certificate installed, what app is providing the certificate, etc.
- Alerts can overwhelm and be ignored or missed leading to expired certificates and service outages
- Does not automate the renewal process – you still have to manually create and install renewed certificate
- Installation and configuration can be expensive in terms of time and product cost. Why spend the time on a band-aid when you can invest in a fully automated Certificate Management System?
Automated Certificate Management System
A fully automated Certificate Management System (CMS) like Revocent’s CertAccord Enterprise will manage the entire life-cycle of a certificate from creation to renewal. When the CMS is used to create a certificate it should have all the data it needs not only to monitor the certificate for expiration but to automatically provision a replacement certificate without human intervention. This eliminates the need to track certificate expiration manually. There is no need to both remember an upcoming certificate expiration and then perform the actual renewal; the CMS handles the entire certificate renewal.
Some people choose a Monitoring and Alert System (MAS) because they believe that to be faster and cheaper than implementing a CMS. While some CMS can be incredibly complex, expensive, and time-consuming to install, there are CMS like CertAccord Enterprise that can be installed in a similar amount of time and expense as a Monitoring and Alert System.
Works Best For
Organizations who want to fully automate certificates and PKI, lower their costs, free up staff time, reduce service outages
Downsides
- Decreases demand for people with elephant and photographic memory
- Greatly reduces paper usage in old school bureaucratic organizations and the need for large desks
- Frees up your calendar so you are more vulnerable to meeting invites
Summary
If you have a manual process for certificate expiration tracking today you may be tempted to implement a Monitoring and Alert System (MAS). This can solve some of your headaches, but it introduces different ones while only modestly improving your time management, service outages, and sanity. For a similar amount of time and cost as implementing a MAS, you could implement a fully automated Certificate Management System like Revocent’s CertAccord Enterprise to provide a much faster, no-headache solution that solves the full problem, not just a slice of it.