Enterprise PKI Automation
A WHITEPAPER BY SECTIGO
Enterprises Need an Authentication Solution to Address Increasingly Complex Requirements
Enterprise authentication needs are becoming increasingly complex. Applications and data running across multiple cloud environments, a distributed workforce, and innovative connected devices are all intersecting in ways that demand a strong digital identity approach to protect against constantly evolving threats. Enterprises rely on PKI certificates as the gold standard for ensuring identity and as a foundational part of a Zero Trust, passwordless architecture for user, device, server, and application identities.

While there is no stronger or easier-to-use authentication and encryption solution than the digital identity provided by PKI, the challenge for busy IT teams is that manually deploying and managing certificates is time-consuming and can create unnecessary service outages. Whether an enterprise deploys a single SSL certificate for a web server or manages millions of certificates across all its networked device and user identities, the end-to-end process of certificate issuance, configuration, and deployment can take hours per certificate. Manually managing certificates also puts enterprises at significant risk of certificates being forgotten until expiration and of gaps in ownership, resulting in sudden outages of critical business systems.
Enterprise PKI Automation
www.sectigo.com
The Financial Cost of Manual Certificate Management

As already-complex environments expand to include mobile devices, cloud infrastructure, DevOps, the Internet of Things, and more, the financial cost of effectively managing PKI certificates has increased dramatically.

The most effective security investment is security that is both easily deployed and easily used by employees. But security solutions like passwords often burden individual users with remembering, updating, and managing their own security, and IT teams are inundated with time-consuming password reset requests and with training employees not to surrender their passwords to sophisticated phishing schemes. As an example, if employees cannot encrypt and decrypt on their mobile devices, they will simply skip using email encryption.

Additionally, your customers as well as internal users rely on critical business systems being always on. Expired certificates have already led to numerous high-profile website and service outages, resulting in billions of dollars in lost revenue, contract penalties, and lawsuits, as well as significant loss of brand reputation.

Insufficient certificate management can also put enterprises in jeopardy of noncompliance with regulatory mandates. To guard against information theft, regulations such as HIPAA/HITECH, GDPR, and the U.S. federal government acquisition rules (DFARS) require data encryption to mitigate or minimize the consequences of a breach or accidental disclosure. Not meeting compliance requirements can result in substantial fines. Further, GDPR mandates that fines are based not only on the scale of an individual breach but also on the level of negligence. So putting strong protection on your systems and devices not only helps reduce the risk of a breach itself but also helps reduce the amount of the fine should a breach occur.
Administration Costs Add up Quickly

Certificate management may be perceived as a simple, day-to-day task for an IT or web administrator, but ensuring certificates are valid one at a time is costly. Using manual processes to discover, install, monitor, and renew all the PKI certificates in an organization is labor-intensive and technically demanding.

For example, even a minimal manual SSL certificate installation for a single web domain involves multiple steps and can easily add up to over $50 per web server. Figure 1 breaks down each step a web administrator must perform to correctly install a single SSL certificate. For an organization with 2,000 web servers, it would take one person working full time just to replace certificates before they expire.
Steps and time required:

1. Selection/purchase of SSL certificates: minutes to hours.
2. SSH login to the web server: under 2 minutes to look up the server address and credentials.
3. Enter a set of commands to achieve domain control validation (for new domains): minutes to hours to read documentation and type the appropriate commands. Web admin forums are filled with Q&A and troubleshooting, suggesting that many have problems with this step.
4. Request issuance of the certificate and download it: up to 5 to 10 minutes to read documentation and type the appropriate commands.
5. Copy the certificate files to the appropriate server file location (varies based on web server): under 2 minutes to look up the server file location and type the appropriate commands.
6. Modify the web server configuration file to enable the web server to use the SSL certificate and publish HTTPS: minutes to hours to read documentation, type the appropriate commands, and save the file. Web admin forums are filled with Q&A and troubleshooting, suggesting that many have problems with this step.
7. Refresh/restart the web server so that it picks up the configuration: under 1 minute.
8. Test: minutes to hours. If there are no error messages, testing will be quick; responding to error messages requires modifying the web server configuration file again.

All of the above steps must be done precisely. Otherwise, human time and effort is wasted, and critical business systems will be taken out of service.

Figure 1 – Steps Required to Manually Install SSL Certificates
Cryptographic Evolution Creates New Enterprise Security Challenges

Enterprises now face another security threat as cryptography evolves. Within a few short years, quantum computing is expected to render the RSA and ECC algorithms that our digital systems depend on unsafe. While NIST and Certificate Authorities such as Sectigo's Quantum Labs are developing quantum-safe X.509 certificates that use signature algorithms designed to withstand quantum computing, it is clear that enterprises will have to adopt entirely new families of cryptography with unprecedented speed.

For a company that has 10,000 certificates manually installed across users, servers, devices, and applications, it could take up to five people one year to find and replace all the certificates. Before they are done, an attacker could exploit the weak cryptography to impersonate the rightful owner or decrypt sensitive information.
The Modern Enterprise Needs Automated Solutions

With the pitfalls and financial ramifications inherent in managing PKI certificates manually, the return on investment for automated certificate lifecycle management is clear. IT professionals must rethink their certificate lifecycle management strategy. Particularly as enterprises go to market more quickly with new services enabled by DevOps, organizations need an automated solution that ensures certificates are correctly configured and implemented without human intervention. This automation not only eliminates service outages but also allows IT departments to control operational costs and launch services to market faster.

Recently, PKI has evolved to become even more versatile. Interoperability, high uptime, and governance are still key benefits. But today's PKI solutions are also functionally capable of improving administration and certificate lifecycle management through:

• Automation: speeding up deployment of certificates while eliminating costs and errors.
• Scalability: managing certificates numbering in the hundreds, thousands, or even millions.
• Crypto-agility: updating cryptographic strength and revoking and replacing at-risk certificates with quantum-safe certificates very quickly in response to new or changing threats.
• Visibility: viewing certificate status in a single pane of glass across all users, devices, servers, and applications.
Save Time and Maintain Control With Sectigo PKI Automation

Given the disparate systems, applications, and devices that use digital certificates, IT teams often manage distinct automation services from many different vendors, with different user interfaces and quality of support. A single certificate management dashboard that automates discovery, deployment, and lifecycle management across all use cases and vendor platforms creates the efficiency that automation promises. And IT teams still maintain control of configuration definitions and rules so that automation steps are performed correctly.

Sectigo provides certificate automation solutions that allow enterprises to be agile and efficient while maintaining control of all the certificates in their environment. Sectigo supports automated installation, revocation, and renewal of SSL/TLS and non-SSL certificates via industry-standard protocols, APIs, and third-party integrations. Moreover, with Sectigo you will never run into a certificate volume cap, as you might with open source alternatives. Sectigo's automation solutions enable your security team to easily enforce cryptographic security policy; protect communications; prevent data loss via unauthorized access; and future-proof systems, applications, and devices across the enterprise.
Automating Management of SSL/TLS Certificates

For SSL/TLS certificates, Sectigo provides automated certificate management through:

Support for the Automated Certificate Management Environment (ACME) protocol: Sectigo Certificate Manager supports the ACME protocol, allowing you to automate certificate issuance, installation, and revocation for a wide range of web servers and load balancers. ACME requires very little time for IT teams to configure and execute their certificate management automation, making it an increasingly adopted component of enterprise security. Sectigo supports DV, OV, EV, and private SSL certificate types via ACME and provides full control to IT administrators. Sectigo provides the ACME server and works with ACME-compliant clients, including Certbot by the Electronic Frontier Foundation (of which Sectigo is a sponsor). See Figure 2 for how certificate authentication works using ACME.
Figure 2 – Authentication process using the ACME protocol (how the ACME protocol works for automated PKI certificate management). The figure shows the ACME client, co-located with the web server or load balancer, signing a CA-issued nonce with its account key; the client adds the challenge response (TOKEN | KEY THUMBPRINT) at the DNS or HTTP(S) challenge location, and the CA retrieves it to verify control of the domain.
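The challenge step in Figure 2 is where most ACME deployments go wrong, so the following added example (stdlib Python written for this page; not Sectigo's or Certbot's code) shows what both sides compute: the RFC 7638 thumbprint of the client's account key, the key authorization "token.thumbprint" that the client provisions for an http-01 or dns-01 challenge, the CA's check of the value it retrieves, and the single-use nonce that makes a replayed request fail. The account key JWK is a constructed placeholder (its coordinates are not a real P-256 point, and no signing is performed), and an in-memory dictionary stands in for the web server.

```python
"""ACME challenge key authorization and validation (RFC 8555 section 8, RFC 7638).

Added illustration, not vendor or Certbot code. Stdlib only. The account key
below is a constructed JWK with placeholder coordinates (assumption); it is
used only for thumbprinting, no signature is produced.
"""
import base64
import hashlib
import json
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME and JOSE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Constructed account key (public part only). A real client derives this from
# its key pair; these x/y values are placeholders, not a valid P-256 point.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": b64url(b"\x01" * 32),
    "y": b64url(b"\x02" * 32),
    "use": "sig",  # optional member: must NOT influence the thumbprint
}

# RFC 7638: only the required members of each key type are hashed.
REQUIRED_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 over canonical JSON of the required members (sorted keys, no whitespace)."""
    members = REQUIRED_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token '.' thumbprint: the TOKEN | KEY THUMBPRINT value in Figure 2."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_provision(token: str, jwk: dict) -> tuple:
    """Path and body the client must serve on port 80 for http-01."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, jwk)


def dns01_provision(domain: str, token: str, jwk: dict) -> tuple:
    """TXT record name and value for dns-01: base64url(SHA-256(keyAuthorization))."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)


class AcmeServer:
    """Minimal CA-side state: single-use nonces and the token issued per challenge."""

    def __init__(self):
        self.nonces = set()
        self.challenges = {}  # token -> account JWK that must answer it

    def new_nonce(self) -> str:
        nonce = b64url(secrets.token_bytes(16))
        self.nonces.add(nonce)
        return nonce

    def consume_nonce(self, nonce: str) -> bool:
        """Each nonce is accepted once; a captured, replayed request fails here."""
        if nonce not in self.nonces:
            return False
        self.nonces.remove(nonce)
        return True

    def new_challenge(self, account_jwk: dict) -> str:
        token = b64url(secrets.token_bytes(16))  # at least 128 bits of entropy
        self.challenges[token] = account_jwk
        return token

    def validate_http01(self, token: str, fetched_body: str) -> bool:
        """What the CA checks after retrieving the well-known URL over HTTP."""
        jwk = self.challenges.get(token)
        if jwk is None:
            return False
        expected = key_authorization(token, jwk).encode("ascii")
        # constant-time comparison; a binding to the wrong account key fails
        return secrets.compare_digest(expected, fetched_body.strip().encode("ascii"))


def run_demo() -> dict:
    """Full round trip with a dictionary standing in for the web server."""
    ca = AcmeServer()
    nonce = ca.new_nonce()
    token = ca.new_challenge(ACCOUNT_JWK)
    path, body = http01_provision(token, ACCOUNT_JWK)
    web_server = {path: body}  # constructed stand-in for the real document root
    return {
        "nonce_first_use_ok": ca.consume_nonce(nonce),
        "nonce_replay_ok": ca.consume_nonce(nonce),  # must be False
        "validated": ca.validate_http01(token, web_server[path]),
        "wrong_key_rejected": not ca.validate_http01(token, f"{token}.{'A' * 43}"),
        "dns_txt_name": dns01_provision("example.test", token, ACCOUNT_JWK)[0],
    }


if __name__ == "__main__":
    print(run_demo())
```

Two practical points the code makes visible: the thumbprint binds the challenge to the account key, so the value must be regenerated if the ACME account key is rotated, and the http-01 body must be served exactly (no trailing HTML, no redirect to a login page), which is the usual cause of "invalid response" failures on load balancers that rewrite unknown paths.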
REST API: In some instances, companies prefer to integrate applications with Sectigo using Sectigo's REST API. While this requires additional development on the application side, it allows you to leverage certificate management and customize your workflow.

Additionally, through the REST API, Sectigo has direct integrations with all leading containerization and automation tool environments, such as Docker, Chef, Ansible, SaltStack, Terraform, Puppet, and Jenkins. We also include mechanisms to incorporate PKI into the continuous integration and continuous deployment (CI/CD) pipeline, orchestration frameworks such as Kubernetes, and third-party key vaults such as HashiCorp's Vault.

A customer-premises automated install agent: Using Sectigo's Network Agent, you can automate certificate management for a variety of systems, including Apache, Tomcat, IIS, and F5. The customer-premises Network Agent is integrated with Sectigo Certificate Manager to schedule issuance, installation, and renewal of certificates.

Integration with third-party vendors: Sectigo directly integrates with leading third-party vendors to help customers achieve full certificate automation using popular technologies already in place in IT environments, such as F5's BIG-IP load balancer, Citrix's ADC application delivery controller, and ServiceNow's IT workflow platform. See Figure 3 for a list of currently supported platforms and technologies.
Platform                            | Type                                 | Sectigo Installation Agent | ACME | Sectigo REST API | Custom Integration
------------------------------------|--------------------------------------|----------------------------|------|------------------|-------------------
Apache HTTP Server                  | Web Server                           | Yes                        | Yes  | Available        |
Apache Tomcat                       | Web Server                           | Yes                        | Yes  | Available        |
IIS                                 | Web Server                           | Yes                        | Yes  | Available        |
NGINX                               | Web Server                           |                            | Yes  | Available        |
Other Certbot-supported web servers | Web Server                           |                            | Yes  | Available        |
F5                                  | Load Balancer                        | Yes                        | Yes  | Available        | Yes
Citrix ADC (formerly NetScaler)     | Load Balancer                        |                            | Yes  | Available        | Yes
ServiceNow                          | IT Service Management                |                            |      | Available        | Yes
Ansible                             | DevOps Tools                         |                            |      | Available        |
AWS ELB                             | DevOps Tools                         |                            | Yes  | Available        |
Chef                                | DevOps Tools                         |                            |      | Available        |
Docker                              | DevOps Tools                         |                            |      | Available        |
HashiCorp Vault                     | DevOps Tools                         |                            |      | Available        |
Jenkins                             | DevOps Tools                         |                            |      | Available        |
Kubernetes                          | DevOps Tools                         |                            | Yes  | Available        |
Puppet                              | DevOps Tools                         |                            |      | Available        |
SaltStack                           | DevOps Tools                         |                            |      | Available        |
Terraform                           | DevOps Tools                         |                            |      | Available        |
Customer Choice                     | Web Server/Network Gear/DevOps Tools |                            |      |                  |

"Available" in the REST API column means the integration is built through Sectigo's REST API, which requires development on the application side. For Citrix ADC and AWS ELB the extracted table does not preserve whether the "Yes" belongs to the Installation Agent or the ACME column; it is placed under ACME here because the text lists the agent's platforms as Apache, Tomcat, IIS, and F5 only.

Figure 3 – Currently supported automation solutions for SSL/TLS certificates
Automating Non-SSL Certificate Installation

Many systems, applications, and devices use non-SSL certificates, an example being identity certificates for mobile devices. For non-SSL certificate installation, Sectigo provides:

Enrollment over Secure Transport (EST) protocol: Sectigo supports the EST protocol, which is used for managing networking gear from many vendors; in fact, a number of vendors have EST support built in. EST is also popular in Internet of Things (IoT) environments given the efficiency of the protocol and its support for Elliptic Curve Cryptography (ECC) keys. Sectigo offers a commercial EST client and also supports the several open source EST clients available.

Simple Certificate Enrollment Protocol (SCEP): SCEP has been around for nearly two decades and has gained significant traction with businesses. As the SCEP protocol has no licensing fees and requires very little time for IT teams to configure and execute, it has become an almost ubiquitous component of enterprise security. Mobile Device Management (MDM) systems like Microsoft Intune and AirWatch use SCEP for PKI certificate enrollment, which allows mobile devices to replace the Wi-Fi password and authenticate to VPNs. Most networking gear, including routers, load balancers, Wi-Fi access points, VPN devices, and firewalls, also supports SCEP for certificate enrollment. Because SCEP authorizes an enrollment with a challenge password, the CA or MDM integration should issue one-time challenges and restrict which subject names a given device may request, rather than sharing a static password across devices.
In the Sectigo environment, SCEP can also be used to enroll certificates on Linux, macOS, and other operating systems.

Microsoft Agent: A Sectigo proxy server can sit between the Windows desktop and Active Directory Certificate Services. It intercepts certificate requests made over the Windows Client Certificate Enrollment Protocol (MS-WCCE) and automatically delivers the certificate to the desktop without any employee intervention.

Sectigo Mobile Certificate Manager (MCM): Sectigo MCM issues and manages certificates and keys across iOS, Chrome OS, and Android mobile devices with little or no user intervention. It supports all certificate types and is interoperable with all leading devices, operating systems, and enrollment protocols. Sectigo uses either an MDM built into Certificate Manager or a self-service web portal approach, depending on customer requirements.
Figure 4 – SCM uses SCEP to pass certificates to the MDM, which installs them into the mobile device. The use cases shown for the mobile device are: secure VPN access; email encryption and digital signature; replacing the Wi-Fi password (EAP-TLS); and mobile browser authentication to a web application.
Automating the Installation of Certificates Issued by ADCS

Using Microsoft's Active Directory Certificate Services (ADCS), IT administrators can instruct all desktops and servers to automatically enroll for and renew certificates issued by ADCS. But this automation only applies to applications running on a Windows operating system. Today's enterprises have devices that do not run Microsoft operating systems, meaning the administrator and employee share the burden of manually renewing and installing certificates for any non-Microsoft applications or devices. For these certificates, administrators often employ an error-prone method using spreadsheets to manually track when certificates were issued, where they were installed, their cryptographic strength, when they expire, and who is responsible for them.
Sectigo offers these options:

• Continue to use ADCS as your root CA and establish Sectigo as the issuing CA, which issues certificates and automatically installs them into the device or application. The enterprise does not need to redistribute the root CA to its devices.
• Continue to use ADCS as the issuing CA. Sectigo Certificate Manager will discover the ADCS-issued certificates, report on certificate attributes and ownership, and send notifications prior to expiry.
• Replace both the ADCS root and issuing CA with the Sectigo CA. This eliminates the cost of operating ADCS while fully automating certificate issuance and installation.
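The spreadsheet tracking described above, and the discover-and-report option in the list just given, come down to the same check: take every known certificate with its expiry, key strength, signature algorithm, and owner, and turn it into a prioritized worklist. The following added example (Python written for this page; not Sectigo Certificate Manager code) does that over a constructed four-row inventory. The CSV rows, hostnames, and policy thresholds are assumptions chosen to exercise each rule; a real run would feed in the output of a discovery scan.

```python
"""Certificate inventory triage: expiry, crypto-agility and ownership checks.

Added illustration, not vendor code. INVENTORY_CSV is a constructed sample in
the shape of the spreadsheets the text describes (assumption); POLICY holds
thresholds a team would tune (assumption).
"""
import csv
import io
from datetime import date

# Constructed sample inventory: not real hosts, paths or certificates.
INVENTORY_CSV = """\
host,location,key_alg,key_bits,sig_alg,not_after,owner
web01.example.test,/etc/ssl/web01.pem,RSA,2048,sha256WithRSAEncryption,2021-12-01,web-team
lb01.example.test,/config/ssl/lb01.crt,RSA,1024,sha1WithRSAEncryption,2022-06-30,
vpn01.example.test,/etc/ipsec.d/certs/vpn01.pem,EC,256,ecdsa-with-SHA256,2023-03-15,netops
mail01.example.test,/etc/postfix/mail01.pem,RSA,4096,sha256WithRSAEncryption,2021-11-10,messaging
"""

POLICY = {
    "renew_within_days": 30,  # start renewal when this many days remain
    "min_rsa_bits": 2048,     # anything weaker is replace-now, not renew-later
    "min_ec_bits": 256,
    "banned_sig_algs": {"sha1WithRSAEncryption", "md5WithRSAEncryption"},
}


def load_inventory(text: str) -> list:
    """Parse the CSV inventory into one dict per certificate."""
    return list(csv.DictReader(io.StringIO(text)))


def assess(row: dict, today: date, policy: dict = POLICY) -> dict:
    """Findings and a single priority for one certificate.

    Priority order: 0 expired, 1 weak crypto, 2 renewal due, 3 unowned, 9 ok.
    Weak crypto outranks an approaching expiry because renewing a 1024-bit
    key as-is would only carry the weakness forward.
    """
    findings = []
    days_left = (date.fromisoformat(row["not_after"]) - today).days
    if days_left < 0:
        findings.append(f"expired {-days_left} days ago")
    elif days_left <= policy["renew_within_days"]:
        findings.append(f"expires in {days_left} days")

    bits = int(row["key_bits"])
    min_bits = policy["min_rsa_bits"] if row["key_alg"] == "RSA" else policy["min_ec_bits"]
    weak = bits < min_bits or row["sig_alg"] in policy["banned_sig_algs"]
    if bits < min_bits:
        findings.append(f"{row['key_alg']}-{bits} below policy minimum of {min_bits}")
    if row["sig_alg"] in policy["banned_sig_algs"]:
        findings.append(f"signature algorithm {row['sig_alg']} not permitted")

    unowned = not row["owner"].strip()
    if unowned:
        findings.append("no owner recorded")

    if days_left < 0:
        priority = 0
    elif weak:
        priority = 1
    elif days_left <= policy["renew_within_days"]:
        priority = 2
    elif unowned:
        priority = 3
    else:
        priority = 9
    return {"host": row["host"], "location": row["location"], "days_left": days_left,
            "priority": priority, "findings": findings}


def triage(text: str, today_iso: str) -> list:
    """Assess every row and return the worklist, most urgent first."""
    today = date.fromisoformat(today_iso)
    results = [assess(r, today) for r in load_inventory(text)]
    return sorted(results, key=lambda r: (r["priority"], r["days_left"]))


if __name__ == "__main__":
    for item in triage(INVENTORY_CSV, "2021-11-15"):
        status = "; ".join(item["findings"]) or "ok"
        print(f"P{item['priority']} {item['host']:<22} {item['days_left']:>5}d  {status}")
```

Run against the sample with a reference date of 2021-11-15, the worklist comes out as the already-expired mail server first, then the load balancer whose 1024-bit SHA-1 certificate has no owner, then the web server with 16 days left, and finally the VPN gateway, which needs nothing. The ordering is the point: an expiry-only spreadsheet would have put the load balancer last.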
ADCS cannot automatically install certificates for many common enterprise use cases, including:

• Web servers
• Apple, Android, and Chromebook mobile devices without a mobile management system
• Azure Key Vault
• People or device identities not in Microsoft Active Directory
• Load balancers
• Networking gear
• Code signing
• DevOps containers
• Authentication of server administrators using SSH
• Publicly trusted Secure/Multipurpose Internet Mail Extensions (S/MIME)
• Document signing trusted by Adobe Reader and Adobe Sign
• Internet of Things devices
• Provisioning the same encryption key history to all devices owned by the same user

Sectigo Certificate Manager augments ADCS by automating the installation of certificates, removing the need for costly, error-prone manual management. Certificate Manager ensures that enterprise certificates are properly managed and won't unexpectedly expire.
With Sectigo, you get greater:

Choice

With Sectigo's core philosophy around interoperability and the use of open standards such as ACME, SCEP, and EST as our foundation, you can rest assured you will have a wide degree of choice and control over your PKI solution. And if anything should go wrong, you have a single, 24/7 point of contact.

Ease of Use

Unlike other companies, Sectigo is laser-focused on digital identity, both as a public CA and as a leading provider of private PKI. By taking advantage of our certificate deployment automation and single-pane-of-glass management and reporting technologies to centralize and simplify the tedious tasks associated with certificate lifecycle management, you will be able to free your team to focus on higher-value tasks.

Value

Under the Sectigo licensing model, we do not charge per issuance, but rather per usage. Certificates that are no longer in use (e.g., when someone leaves your company) can be transferred.

Futureproofing

Sectigo is the world's leading commercial CA, and we are constantly investing in new technologies and solutions. When you partner with us, you can rest assured your enterprise will remain at the leading edge of cryptography as your needs change and grow. Our automated technologies will ensure cryptographic agility to adjust for advances in computing and cryptographic techniques that require updates to your hashing and encryption algorithms.

Peace of Mind

All of this leads to greater peace of mind. Sectigo is WebTrust and SOC 3 compliant, and our connections with the CA/Browser Forum and select government entities help ensure we receive early alerts on PKI security concerns. In addition, our open source approach helps reduce security vulnerabilities. With Sectigo's size, scale, leadership, and continued investment in PKI, there is no better partner to secure the foundation of your digital infrastructure.
Conclusion: Gain Peace of Mind by Automating PKI with Sectigo

PKI is the best technology for eliminating passwords and ensuring that only authorized devices and users access enterprise systems.

Sectigo pioneered SSL and related technologies and is now a world leader in PKI. Sectigo continues to invest in new technologies, standards, and solutions to remain at the leading edge of security and protect your business from digital threats.

Sectigo is a cybersecurity technology leader providing digital identity solutions, including TLS/SSL certificates, web security, DevOps, IoT, and enterprise-grade PKI management. As the world's largest commercial Certificate Authority, with more than 700,000 customers worldwide and 20 years of experience delivering online trust solutions, Sectigo provides proven public and private trust solutions for securing web servers, digital identities, connected devices, and applications. Recognized for its award-winning innovations and best-in-class global customer support, Sectigo delivers the technologies required to secure the digital landscapes of today, as well as tomorrow.

For more information, visit www.sectigo.com and follow @SectigoHQ

© 2021 Sectigo. All rights reserved