What are the stages in a certificate’s lifecycle? How do you protect the certificate lifecycle?

The authenticity of those sending emails or running websites is questioned every day, as attackers will pretend to be someone they are not to compromise sensitive data of Internet users. The easiest way to prove this authenticity is through use of a digital certificate. Digital certificates utilize key pairs that only the creator of the key pair can own, thus proving they are who they say they are. The certificates are also created and signed by trusted authorities called Certificate Authorities, or CAs. CAs utilize a Chain of Trust, leading back to the original CA which is kept offline and secure, to ensure it cannot be compromised.

Certificates are not just created and given to users, however. They follow an important lifecycle which works to protect and renew certificates, so they can be continually used without fear of attackers stealing them and masquerading as the owner of the certificate. The trust in certificates created by a certificate authority begins with the assurance that its certificate lifecycle is well managed and immune to compromise. Implementing the certificate lifecycle is extremely important, because a certificate is the equivalent of the identity of the user it is issued to.

Why is the Certificate Lifecycle important?

One reason the certificate lifecycle is important is what certificates are used for. Certificates identify websites and users on the Internet, meaning that if a certificate were compromised at any point in its lifecycle, an attacker could pretend to be that person, and the user to whom the certificate belongs would be blamed for any attacks associated with it. Also, since the user’s key is associated with their digital certificate, that key would also be compromised, as would any data that was encrypted by that same key.

Another reason to maintain a strong certificate lifecycle is its use with websites. A compromise of a website’s digital certificate can result in outages, causing losses for the organization that owns the website. The website could also be used to infect users’ computers with malware or execute phishing campaigns, under the guise of the website owner. The first step to the proper implementation of a certificate lifecycle is knowing what each stage of the lifecycle is, and how to protect each stage.

What are the stages of the Certificate Lifecycle?

The stages of the certificate lifecycle are as follows:
  • Discovery
  • Creation/Purchasing
  • Installation
  • Storage
  • Monitoring
  • Renewal
  • Revocation
  • Replacement

Discovery: The discovery phase of the certificate lifecycle involves searching the network for missing, expired, compromised, or unused certificates that must be revoked, renewed, or replaced. This is an important part of the process, as it finds gaps in the security of certificates and relays these gaps to the monitoring phase, allowing for the sealing of these breaches. Normally, this phase also deals with the inventorying of certificates to help in future Discovery phases, along with any certificate audits that may occur.

Creation/Purchasing: This is the phase where the certificate is created. An online user, organization, or device sends a certificate request to a Certificate Authority; the request contains the public key and the other information needed to enroll the user. The CA then verifies the given information and, if it is legitimate, creates the certificate. The Certificate Authority used to create the certificate can be owned by the organization that desires the certificate, or by a third party. If the certificate is obtained from a third party, then it must be purchased from them.

Installation: The installation of the certificate is straightforward, but still just as important. The certificate must be installed in a secure, but reachable, location, as users attempting to verify the authenticity of the certificate must have access to it. When the certificate is installed, the CA puts policies in place to ensure the security and proper handling of the certificate.

Storage: As previously mentioned, when the certificate is installed, it must be in a secure location to prevent compromise. It should not, however, be so secure that the users that need to read the certificate cannot reach it. The proper policies and regulations to implement for storage of certificates will be discussed later in this document.

Monitoring: Monitoring is one of the most important stages of the certificate lifecycle. This is an almost constant phase where the certificate management systems, whether automatic or manual, watch for breaches, expirations, or compromises of digital certificates. The Monitoring stage uses the inventory created in the Discovery phase to keep track of when certificates should be revoked, renewed, or replaced. The certificate management system then moves those certificates to the next phase, which can be renewal, revocation, or replacement.

Renewal: Renewal of a certificate occurs when the expiry date of the certificate is reached. This occurs naturally with certificates, as best practice is to not use a certificate for more than 5 years at the most. Certificates can be set to renew automatically, or a list of certificate expiration dates can be kept so that the administrator of the certificates can renew each one at the proper time.

Revocation: If a certificate is found to be compromised, stolen, or otherwise negatively affected, then that certificate will be revoked. When a certificate is revoked, it is put on a Certificate Revocation List (CRL). This list ensures that other CAs know that this is no longer a valid certificate.

Replacement: When users switch from paying for certificates to creating their own Public Key Infrastructures (PKIs) and CAs, the certificate is replaced. This is rarely done, as it is much easier to just renew a certificate from the original provider rather than replace that certificate.
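The decision step of the Monitoring stage, which takes the Discovery inventory and flags certificates for renewal or revocation handling, as an added example that is not part of the original article. The inventory records, host names, serial numbers, the 30-day renewal window and the status labels are all constructed assumptions; only `ssl.cert_time_to_seconds` is a real standard-library call.

```python
import ssl
from datetime import datetime, timedelta, timezone

RENEW_WINDOW = timedelta(days=30)   # assumed renewal lead time, not from the article

# Constructed inventory records, shaped like what a Discovery scan might store.
# not_after uses the OpenSSL text format (the "notAfter" field of ssl.getpeercert()).
INVENTORY = [
    {"host": "www.example.test",  "serial": "0A01", "not_after": "Dec 31 23:59:59 2025 GMT"},
    {"host": "mail.example.test", "serial": "0A02", "not_after": "Jun 20 12:00:00 2025 GMT"},
    {"host": "vpn.example.test",  "serial": "0A03", "not_after": "Nov  1 00:00:00 2025 GMT"},
    {"host": "old.example.test",  "serial": "0A04", "not_after": "Jan 15 08:30:00 2025 GMT"},
    {"host": "lab.example.test",  "serial": "0A05", "not_after": "unknown"},
]
REVOKED_SERIALS = {"0A03"}          # constructed; in practice read from the CA's CRL


def classify(entry, now, revoked=REVOKED_SERIALS, window=RENEW_WINDOW):
    """Return the action the Monitoring stage should raise for one certificate."""
    # Revocation outranks the dates: a revoked certificate that is still
    # deployed is a finding even though it has not expired.
    if entry["serial"].upper() in revoked:
        return "revoked-still-deployed"
    try:
        seconds = ssl.cert_time_to_seconds(entry["not_after"])
    except ValueError:
        return "review"             # unreadable record: never report it as healthy
    expires = datetime.fromtimestamp(seconds, tz=timezone.utc)
    if expires <= now:
        return "expired"
    if expires - now <= window:
        return "renew"
    return "ok"


def monitor(inventory, now):
    """Map every inventoried host to its current action."""
    return {entry["host"]: classify(entry, now) for entry in inventory}


if __name__ == "__main__":
    as_of = datetime(2025, 6, 1, tzinfo=timezone.utc)   # fixed date so the run is repeatable
    for host, action in monitor(INVENTORY, as_of).items():
        print(f"{host:20} {action}")
```
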

Protection of each phase of the Lifecycle

Each portion of the certificate lifecycle requires its own level and methods of protection. The Discovery phase acts as a security measure in and of itself. By searching for expired or missing certificates, breaches can be detected before they become an issue. The Monitoring phase is similar, as it monitors for expired, improperly implemented, or compromised certificates. Both of these phases can be automated to allow for a better detection process, since a manual management system can miss a compromised or expired certificate.

The remaining phases require a strong level of protection and authentication. The Creation stage should ensure that the CA issuing the certificates has a valid Chain of Trust each time a new certificate is created. Installation should be done correctly, as poorly implemented certificates are a breach of security that an attacker can leverage for malicious purposes. The Storage phase needs to have strong security, so that the certificates are not compromised and misused by threat actors. The revocation, renewal, and replacement of certificates must also be done securely and correctly, as these stages begin the cycle again from the beginning.