SSL Certificate Management

When Microsoft announced a "Patch Tuesday" update that would block RSA keys under 1024 bits, system administrators scrambled to find certificates using sub-standard key sizes.

Situation

Managing SSL certificates is one of the many mundane but important IT management tasks that weigh on IT Operations teams. ExtraHop makes these tasks easier, helping IT teams to proactively address security and performance issues.

When Microsoft announced a "Patch Tuesday" update that would block SSL keys shorter than 1024 bits, system administrators had to scramble to make sure they were in compliance. After the update, all Windows servers and clients that used sub-standard key lengths would experience problems ranging from blocked access to encrypted websites in IE to an inability to encrypt or cryptographically sign Microsoft Exchange and Outlook emails. The update would affect certificates from well-known certificate authorities as well as internal certificate authorities.

Alternatives

Microsoft recommended a four-fold approach to identifying sub-standard keys across the enterprise:

  1. Checking certificates manually
  2. Enabling verbose logging on servers
  3. Inspecting certificate templates
  4. Deploying the update and turning on logging on machines to determine what had broken

When managing critical infrastructure services that determine whether applications work or not, deploying an update before you've solved the problem is totally out of the question. Enabling CAPI2 logging involves registry edits, filtering queries, and old-fashioned waiting. Ensuring compliance needs to be easy and verifiable, and by-hand correction is neither.
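
For the first of those steps, checking certificates by hand, a script along the following lines enumerates the local Windows certificate stores and flags RSA keys under 1024 bits. It is an added example, not code from Microsoft or ExtraHop; the function name `Find-WeakRsaCertificate` and its parameters are hypothetical, and the 1024-bit default mirrors the threshold named above.

```powershell
# Added example: list certificates in the local Windows certificate stores
# whose RSA public key is shorter than a minimum size (default 1024 bits).
# Find-WeakRsaCertificate is a hypothetical helper name, not a built-in cmdlet.
function Find-WeakRsaCertificate {
    [CmdletBinding()]
    param(
        [int]$MinimumBits = 1024,
        [string[]]$StorePath = @('Cert:\LocalMachine', 'Cert:\CurrentUser')
    )

    $certType = [System.Security.Cryptography.X509Certificates.X509Certificate2]
    $rsaExt   = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]

    Get-ChildItem -Path $StorePath -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_ -is $certType } |
        ForEach-Object {
            $cert = $_
            $rsa  = $null
            try {
                # GetRSAPublicKey returns $null for non-RSA (e.g. ECDSA) certificates.
                $rsa = $rsaExt::GetRSAPublicKey($cert)
                if ($null -ne $rsa -and $rsa.KeySize -lt $MinimumBits) {
                    [pscustomobject]@{
                        # PSParentPath looks like "...Certificate::LocalMachine\My"
                        Store      = ($cert.PSParentPath -split '::')[-1]
                        Subject    = $cert.Subject
                        Issuer     = $cert.Issuer
                        KeyBits    = $rsa.KeySize
                        NotAfter   = $cert.NotAfter
                        Thumbprint = $cert.Thumbprint
                    }
                }
            }
            catch {
                # A certificate with an unreadable key is reported, not silently skipped.
                Write-Warning "Could not read key for $($cert.Thumbprint): $_"
            }
            finally {
                if ($null -ne $rsa) { $rsa.Dispose() }
            }
        }
}

# Weakest keys first, then by expiration date.
Find-WeakRsaCertificate | Sort-Object KeyBits, NotAfter | Format-Table -AutoSize
```

The script sees only the stores on the machine where it runs, so it has to be repeated on every server and client to cover the enterprise.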

Solution

With ExtraHop, SSL certificate management is easy. In the Activity Groups view, you will find two groups listing all SSL servers and clients that are communicating over the network. These devices are discovered and classified automatically.

In the SSL Server and SSL Client activity groups, you will find a wealth of information including SSL session details and SSL version breakdowns. By clicking Certificates, the ExtraHop system generates a list of the certificates passing over the network, which can be sorted and filtered using the header bar and textbox. Using a filter of 512 generates a list of non-compliant SSL certificates, providing actionable information in minutes instead of hours or days.

Benefits

SSL certificates are critical to modern business applications. They enable cloud-based services, server-to-server communications, and user authentication. However, SSL certificate management can be easy to take for granted.

ExtraHop makes it easy to see all the SSL certificates in use in the enterprise, including key size and date of expiration. Without having to turn on logging or manually inspect certificate templates, system administrators get a comprehensive view of all the certificate information they need to find and fix issues fast.
