Confused about certificate management/PKI

Preface – I'm new to working in netsec, but I have had experience with certificates as a web dev, so I understand the basic concepts behind how certificate authorities and digital certificates work from that role. I'm also aware that X.509 certificates are used for a lot more than just providing HTTPS communication for websites.

My last company automated certificate deployment for hosts, but required manual processes for managing certs used by servers and applications. In my new org, I noticed from vulnerability scans that the environment has tons of SSL certificates that are untrusted (self-signed, unknown or unrecognized CA) or even years past expiration. As far as I am aware, the only trusted certs are the ones used for our websites, since those are managed by a different team.

Managing certs for hosts seems to be a very different beast, and I'm confused about how to deal with this situation. The harder I look into it, the more confused I become. I'm hoping there are some resources that could help point me in the right direction. Is there an industry standard for generating and managing certificates? Do organizations run their own CA using something like SimpleAuthority?

Touch here for the full post on Network Security Noblemen tumblr
