Web Server SSL/TLS Certificates
Automate and control your Server Certificates
Outages caused by expired server certificates are costly and can easily be prevented by automated certificate renewals, or at least by notifying the administrators.
Google and Apple are pushing for certificate validity periods of 90 to 45 days.
TLS Server Certificates

Communication over HTTP or other application protocols is protected by the TLS protocol (formerly SSL). X.509 certificates are used to authenticate the server and to negotiate session keys. For public web servers, these certificates must be issued by a trusted public CA. For internal servers, certificates from an internal private CA such as Microsoft ADCS may be used, but certificates from a public CA such as Let's Encrypt are also possible.
Challenges for Server Certificates
Manual processes
Manual management processes are time-consuming and costly. Absence of administrators or human errors in a spreadsheet-managed environment carry a high risk.
No clear overview
The number of server certificates, their origin and their location are unknown. Hundreds or thousands of certificates with unknown expiration dates from a variety of CAs are used.
Unclear responsibilities
The ownership of certificates is often not defined. Who is responsible for timely renewal? Who manages the CA contract?
Decreasing lifetimes
The lifetime of public TLS certificates is currently one year, and some CAs even offer 90 days. It will keep decreasing, which exacerbates the renewal problem.
The SECARDEO Solution
Full TLS automation
Autoenrollment and autorenewal using standard protocols such as ACME, REST and SCEP for popular web servers. Support for multiple CAs, such as public CAs, managed private CAs or a Microsoft CA.
Certificate discovery
Your network may be scanned manually or automatically for TLS server certificates or for SSH keys. The certificates and keys found are then available for central management.
Convenient self-services
An administrator can upload or easily generate certificate requests, and can find and download, delegate, renew or revoke their certificates. Additional meta information helps to structure management processes.
Advanced control
Control certificate operations by role-based user authorization, manual approval, server validation and domain authorization. Use customizable e-mail notifications on certificate events. Group-sharing of certificates facilitates and secures their management.
Implementation
Secardeo TOPKI provides software components that serve specific management tasks for SSL/TLS server certificates. With these you can request certificates from public or private CAs in the cloud. For this purpose, commercial CAs such as SwissSign, DigiCert or GlobalSign and free CAs such as Let's Encrypt or ZeroSSL are supported. Alternatively, you can use an internal Microsoft CA. Autoenrollment of SSL/TLS certificates is provided through support of the standard ACME protocol. For manual enrollment, web-based self-services for server administrators are provided. For higher security requirements, approval and acceptance workflows can be used. Certificate management is divided among specific roles. The management of users, groups, roles and permissions is done using Active Directory mechanisms. Automatic notifications and generated reports help to gain full control over all certificate-related events. A REST API can be used to integrate IT applications into the certificate management workflow.