Unidentified PKI certificates in your network are a major continuity risk

09 Nov ‘21

In many organizations, responsibility for the PKI infrastructure lies with one or two IT administrators. Managing it quickly comes to involve several dozen digital certificates on public-facing web servers and several hundred internal certificates issued by a private (internal) CA (Certificate Authority). These “internal” PKI certificates are installed and deployed through a range of mechanisms: Windows group policies, the enterprise root certification authority (CA), network policies, SCCM and the Windows IIS server, among others. The validity of internal certificates is often set to several years. It is not uncommon for servers to suddenly become inaccessible years later because the certificates that secure the PKI infrastructure have expired and were not replaced (automatically) in time.

This kind of sprawl also arises when the IT staff who were doing PKI management change jobs or leave the organization. For their successors, it is often difficult to get an overview of all PKI certificates in the network and to ensure that expiring certificates are replaced in time. Without a Certificate and Key Management System to support these management tasks, it is in practice not possible to build a new, manageable PKI given the increasing complexity of the IT infrastructure and the growing number of certificates in the network.

Certificate scanning means discovering all certificates installed on the various endpoints in your network. It records the most important details of each certificate, such as its location, validity, type, days to expiry and position in the chain of trust. Such a scan therefore gives insight into the security of the network infrastructure and helps to detect defects.

There are several free scanners available, such as SSL Server Test from Qualys and SSL Certificate Scanner Tool from Netscantools. However, such free tools have the limitation that they can only scan from the outside and therefore reach only those servers that are “open” to the Internet. Many commercial scanners that do scan the inside of your network and can also detect internal certificates are cloud-based and therefore require a proxy within your network. The disadvantage of this, in addition to a possible security risk, is that the scan data is always shared with the commercial party, so information about your internal network ends up with a remote external party.

The KeyTalk Smart Security Scan (SSS), like the KeyTalk CKMS, is available as a virtual machine (VM). This means that in a hypervisor environment (VMware, Hyper-V, or AWS, Azure and Google Cloud) the server and application are available immediately after the image has been loaded. The KeyTalk SSS can therefore be deployed quickly and easily within your own IT infrastructure, even in air-gapped VLANs.

The KeyTalk Smart Security Scan works completely independently and is not a fixed part of the KeyTalk Certificate and Key Management (CKMS) solution. It can find all port-based PKI certificates of both internal and external (web) servers within the IT infrastructure. Once the KeyTalk SSS finds a certificate, the entire certificate with all relevant data is imported into the KeyTalk SSS database for reporting and export purposes. While scanning for certificates, the KeyTalk SSS also makes an inventory of the best-known SSL-based misconfigurations of the web servers present in the network. In addition, the SSS can scan separately for other vulnerabilities (provided that the endpoints allow this). This information is checked against the CVE® database available online and synchronised locally in the KeyTalk SSS. All known vulnerabilities exploitable in cyber attacks are included.

In this way, it is possible to get a complete overview of the certificates present in the network quickly and easily. Of course, this is only the first important step towards full control of your certificate management. The certificates found by the KeyTalk SSS can be imported into the KeyTalk CKMS very easily, and from there PKI management can be taken over completely automatically. That is where you want to be!

If you would like to know more about the KeyTalk Smart Security Scan or how you can manage your PKI IT infrastructure in a fully automated way using the KeyTalk Certificate and Key Management System, contact us today!

The KeyTalk Team