Sep 19 2013

Getting a Handle on Digital Certificates

Here’s a primer on digital certificates and website security best practices.

It's happened to all of us: The phone rings at 4 a.m., and on the other end of the line, someone from operations is telling us that they’re getting bombarded with calls from customers complaining that the organization's website is down. Someone forgot to renew the digital certificate, and a $499.00 gaffe is preventing any transactions from taking place.

Chances are that your organization relies on a set of digital certificates to secure e-commerce transactions, email messages, network traffic or any of a wide variety of communications that require encryption.

Let’s examine a few ways that IT workers can better manage those certificates to avoid being on the receiving end of that middle-of-the-night telephone call.

What Is a Digital Certificate?

Digital certificates are a convenient way to leverage the benefits of public-key encryption technology between parties that have no prior knowledge of each other. Their basic purpose is to provide a secure, trusted means for exchanging public encryption keys that can be used for subsequent communication.

The most common use of digital certificates is for the implementation of Secure Sockets Layer (SSL) and Transport Layer Security (TLS) encryption to support secure website communication. Websites wishing to implement SSL/TLS purchase a digital certificate from a third-party certificate authority (CA) that ensures that the public encryption key used by the website is valid and belongs to the organization that owns the domain name.

When a user accesses the website, the user's web browser downloads a copy of the certificate, verifies that it was issued by a mutually trusted CA, and then uses the public key to establish a secure communications channel.

A website protected by SSL/TLS encryption allow users to feel confident that they are indeed communicating with the claimed website and that their communication is protected against eavesdropping.

Tracking Certificate Expiration

Every digital certificate issued by a CA contains an expiration date, typically one or more years in the future, depending on the number of annual fees paid by the certificate subject at the time of issuance. When a user accesses a website that offers an expired digital certificate, the browser displays an ominous security warning that the digital certificate is not valid and that communications with the website may not be secure.

Seeing this type of message can erode users' confidence in the security of the website and make them hesitant to continue with their visits.

To avoid this scenario, website administrators should carefully track the expiration dates of the digital certificates in use on their sites. Administrators responsible for many domains may have a large number of certificates to track. While CAs typically send several warning messages before a certificate expires, it is best to maintain your own tracking system to ensure that those messages don't slip through the cracks.

It's not necessary to replace your certificate on the exact expiration date. Check with your CA for its specific renewal procedures; most will allow you to renew your certificate 30 to 90 days in advance and simply tack the remaining life of your current certificate onto the end of the renewal certificate that you purchase. This gives you enough leeway to ensure that you have time to renew and properly install your new certificate.

Protect Your Private Keys

Every digital certificate has an associated private key that is used by the protected server to decrypt communication from site visitors. Protecting the secrecy of this private key is critical, because anyone gaining access to it will be able to impersonate your website. In addition to securing the storage of your key on your server, you must also ensure that any backup copies of the key, in digital and/or paper format, are properly protected against theft.

Digital certificates play an important role in the security of websites and other applications requiring encrypted communications. Applying the best practices described here can help you ensure the security of applications certificates protect and the smooth continued operation of your security technology.