Getting a handle on certificate management in Windows shops
A certificate that isn't renewed by its expiration date will cause dire consequences for administrators who will need to find a fast remedy when systems can't communicate.
Published: 28 Apr 2020
Certificate management is one thing that IT pros often forget until an application fails or resources are unavailable because a certificate was not renewed before its expiration date.
Certificates are typically used to identify a webpage as a known site to create an encrypted HTTPS session. Most static webpages don't use them. With known secure pages, the certificate handling is often done behind the scenes.
Certificates also manage authentication and communication between systems across an organization's network; a lapsed certificate in your data center can have serious consequences, such as preventing users from logging into Microsoft Exchange to access email and calendars.
As an administrator, you can check certificates in Windows by running certmgr.msc at the command prompt, which opens the Certificates Microsoft Management Console (MMC) snap-in tool.
On the surface, it doesn't look too difficult to manage certificates, but problems with them have caused some of the largest applications in the world to go offline.
The Certificates MMC snap-in tool displays the installed certificates on the current Windows machine.
The most common use of certificates is to establish a secure communication tunnel with a website so both your login information and what you do are hidden from the rest of the internet. For example, when you load LinkedIn, the site uses a certificate to encrypt communication using Secure Sockets Layer between your machine and the site.
As you start to look at the websites you visit, you are likely to find that many of those that use login information have certificates to protect your privacy. These certificates are not permanent and they do expire. When I checked, the LinkedIn certificate is due to expire in September. An expired certificate will cause problems. Once you cannot establish a secure connection, a website can simply go dark until the certificate is renewed.
Like many sites on the internet, LinkedIn uses a certificate to secure the traffic between the site and its users.
While losing LinkedIn might not be drastic, what if it was the certificate to a cloud-based application you use? Or worse yet, what if it was your company's application and now your customers can't access their data? An expiring certificate is simple to overlook and problems with certificate management happen to even the largest of companies, including Microsoft. It costs next to nothing to renew these certificates, but once they pass their expiration date, the resulting chaos can cost money and cause embarrassment for the IT staff.
Certificates often remain out of sight, out of mind
One of the main challenges with certificates is they remain hidden in plain sight. They are not complex to deal with and often last several years.
Your IT admins are used to the hustle and critical need of many IT services that remain front of mind. Because certificates last for a long time -- often, several years -- their importance fades into the background; they fall off the daily list of tasks that must be completed.
It's easy enough to check the status of your certificates in Windows, but there is no mechanism to alert you about an imminent expiration. For some sites, it's possible to click past the warning you might see when a certificate has expired; we train our users to avoid these types of potential security risks, so why is it an option to proceed? This practice doesn't work for other key functions, such as single sign-on; other more automated functions will simply stop working when the certificate expires.
Certificate management issues happen for several reasons
Renewal of certificates is not hard and can be done by even the most junior person on your team, except for one critical piece: You need a company credit card to charge the renewal to, and those are typically not given to junior admins. The stigma of needing to ask permission to use a corporate credit card or wanting to avoid the hassle of getting reimbursed can prevent IT staff from proceeding.
Oftentimes, this certificate task falls outside the realm of IT and into the accounting department. This also means they are the ones who would get the renewal notices, and they may not understand how critical they are until it's too late.
If both the communication related to and the payment of the certificates are outside of the main IT department, then it's up to IT to be proactive and stay on top of certificate management. You should not rely on an email or a spreadsheet to track these expiration dates. A group calendar appointment, even years out, still helps, even when turnover occurs. There are also several vendors that offer certificate management add-ons to popular monitoring tools, such as SolarWinds and Quest Software.
While you don't want to reinvent or deploy large-scale solutions to address certificate management, it's not something to ignore. Certificates can be at the root of many wide-ranging issues. Expiring certificates are not usually on any type of disaster recovery or backup plan because they are so unique. Look to incorporate certificate monitoring into existing tool sets so your staff has ample time to get them renewed and deployed before your secure connections go offline along with your customers and reputation.
Checking a certificate isn't hard and the renewal process isn't difficult, but remembering to stay on top of certificate management continues to evade many IT shops. Another complication is the number of certificates to keep track of. You might have multiple sites, each with its own certificate, that are all required to make one application work. It can be very easy to lose track of one, which can then cause a cascade of events that lead to application failure. While co-terming certificates to line up the expiration dates would make the most sense, that is not possible in every environment.
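The article notes that Windows has no mechanism to alert you about an imminent expiration and recommends building certificate monitoring into existing tool sets. The PowerShell below is an added example, not part of the original article: it inventories the local certificate stores and ends with an exit code that a scheduled task or monitoring agent can act on. The function name Get-ExpiringCertificate, the list of stores and the 60-day and 14-day thresholds are assumptions.

```powershell
# Added example: save as a .ps1 file and run it from Task Scheduler or a monitoring agent.
# Store list and thresholds are assumptions; adjust them to the server's role.
function Get-ExpiringCertificate {
    [CmdletBinding()]
    param(
        [string[]]$StorePath = @('Cert:\LocalMachine\My',
                                 'Cert:\LocalMachine\WebHosting',
                                 'Cert:\CurrentUser\My'),
        [int]$WarningDays  = 60,   # enough lead time for purchase approval
        [int]$CriticalDays = 14
    )

    $now = Get-Date
    foreach ($path in $StorePath) {
        # Not every store exists on every machine, so skip missing ones
        if (-not (Test-Path -Path $path)) { continue }

        Get-ChildItem -Path $path | ForEach-Object {
            # Negative values mean the certificate has already expired
            $daysLeft = [int][math]::Floor(($_.NotAfter - $now).TotalDays)

            if     ($daysLeft -lt 0)             { $status = 'Expired' }
            elseif ($daysLeft -le $CriticalDays) { $status = 'Critical' }
            elseif ($daysLeft -le $WarningDays)  { $status = 'Warning' }
            else                                 { $status = 'OK' }

            [pscustomobject]@{
                Status        = $status
                DaysLeft      = $daysLeft
                NotAfter      = $_.NotAfter
                Subject       = $_.Subject
                Issuer        = $_.Issuer
                Thumbprint    = $_.Thumbprint
                HasPrivateKey = $_.HasPrivateKey  # True for certificates this host presents
                Store         = $path
            }
        }
    }
}

# Report everything that needs attention, soonest expiration first
$findings = Get-ExpiringCertificate | Where-Object Status -ne 'OK' | Sort-Object DaysLeft
$findings | Format-Table Status, DaysLeft, NotAfter, Subject, Store -AutoSize

# Exit code for the scheduler or agent: 2 = expired/critical, 1 = warning, 0 = all clear
if ($findings | Where-Object { $_.Status -in 'Expired', 'Critical' }) { exit 2 }
elseif ($findings) { exit 1 }
exit 0
```

Running the same script on every server that makes up one application gives a single list of expiration dates, which addresses the problem of losing track of one certificate among many.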