Manual certificate management falling way behind PKI growth

DigiCert survey reveals the increase in digital certificates has created new management challenges.

Public key infrastructure (PKI) is a system of processes, technologies, and policies for encrypting and signing data. It plays an essential role in authenticating users, servers, devices, software, and digital documents. Yet enterprises are struggling with the growing number of PKI certificates they must manage, and many are considering PKI automation to address this problem, according to a new DigiCert report.

The report, "State of PKI Automation 2021," explores how organizations are handling the challenge of PKI certificate management. Expired certificates are a problem because they disable encryption and create an attack surface for hackers. DigiCert commissioned ReRez Research to survey IT leaders from 400 global organizations of 1,000 employees or more. The survey focused on specialists managing digital certificates for users, servers, and mobile devices.

The report revealed that today's organizations manage more than 50,000 certificates, a steep upsurge from previous years. More than half (61 percent) are concerned about the time it takes to manage certificates. According to 37 percent of the respondents, their organization has three or more departments managing certificates, which creates silos that hide certificates from IT security teams until something goes wrong.

A lot of unmanaged keys are out there

A typical organization has as many as 1,200 certificates that are unmanaged, while 47 percent of organizations say they often discover rogue certificates. Rogue certificates are essentially a form of shadow IT, certificates that are ordered outside the purview or processes of IT and frequently are neglected and not managed. This is causing major problems for organizations, such as outages due to certificates expiring unexpectedly, which two-thirds of the respondents have experienced. Even more troubling, one in four organizations have experienced five to six PKI-related outages in the past six months.

Organizations struggling with PKI certificate management lack visibility into their certificate deployment landscape and need PKI automation. In fact, most organizations (91 percent) are thinking about it. Only 9 percent of the respondents aren't discussing PKI automation and have no plans to do so. For 70 percent of the respondents, a solution is likely to be implemented within 12 months. A quarter of the respondents are either implementing or have finished implementing a solution. 

To gauge how companies are approaching PKI automation, DigiCert separated the respondents into groups of leaders and laggards. The results showed major differences between the two groups. Not surprisingly, 33 percent of those in the leader category are more likely to say PKI automation is important.

When diving deeper into the data, the report found the leaders are two or three times better at reducing PKI security risks, avoiding PKI downtime, minimizing rogue certificates, managing digital certificates, and meeting PKI service level agreements (SLAs). In contrast, the laggards — those who aren't skilled at managing PKI certificates — experience problems with compliance, security, and delays. They're also less productive, overworked, and losing revenue. 

Reining in rogue certificates

Furthermore, PKI management leaders are more accountable for their certificate inventories, whereas laggards are less concerned. When comparing the two groups, the leaders reported fewer certificate-related outages or rogue certificates.

While most organizations believe PKI automation is important, the transition isn't easy. Respondents cited several challenges related to automation, such as cost, complexity, compliance, and resistance to change by staff and management. That's why DigiCert recommends organizations take several key steps to assess their PKI certificate management prior to automation. Organizations should:

  • Identify and create an inventory of the entire certificate landscape, from TLS to code signing, and client certificates.

  • Remediate keys and certificates that don't comply with corporate policies.

  • Protect with best practices for issuance and revocation. Standardize and automate enrollment, issuance, and renewal. 

  • Monitor for new changes.

Common certificate workflows include web servers, device identity, code signing, digital signatures, and identity and access functions. When automating certificate workflows, DigiCert recommends organizations should identify unmanaged or manual certificate workflows, adopt automation software that centralizes and manages certificate workflows, and finally, monitor with centralized visibility and control of the workflows.