When it comes to building channels you can trust between an organization’s various networks and nodes, nothing beats electronic certificates.
Misconfigured and non-compliant certificates can leave your information system vulnerable to two major threats:
- Unauthorized access to sensitive resources.
- Production service interruption (machines, websites, e-commerce platforms, applications, and more).
Auditing your certificates is pivotal to building up an inventory, gaining a clear overview of all certificates in use, guaranteeing fully secure communication, and ensuring service availability.
Why carry out a digital certificate audit?
The primary purpose of electronic certificate audits is to generate an in-depth snapshot of an infrastructure’s assets.
Certificate auditing allows an organization to identify all certificate-issuing bodies within a given infrastructure to ensure that no fraudulent digital certificates are issued.
An electronic certificate audit generally entails several certificate scans across the network, servers, and user workstations, sweeping through the infrastructure’s different services to pinpoint and inventory all certificates in use.
The results of a digital certificate scan should contain details of the certificates in question, namely:
- Where the electronic certificate is located within the file system
- What application uses the certificate
- The type of digital certificate
- The expiry date
- The chain of trust
What type of digital certificate audit should I run and what for?
Certificate auditing involves running different types of scans on your electronic certificates. You’ll also need to cross-check compliance with company security policy.
The different types of digital certificate scan include:
- Network scans: scanning IP addresses and URLs on one or more ports for certificates
- File system scans: scanning server file systems for certificates
- Application scans: parsing an application’s configuration files (web servers, application servers) for certificates
The first step in any digital certificate lifecycle management process is mapping all the digital certificates in use.
Keeping track of certificates manually is an option, but be aware that this comes with its own challenges. Firstly, doing so costs time, money, and human resources. What’s more, managing certificates in a spreadsheet leaves you open to security risks and failures caused by human error. Finally, managing the certificate lifecycle ‘by hand’ drastically limits infrastructure scalability:
Keeping up with manual management becomes increasingly complex as you grow. Across the organizations we work with, we’re seeing certificate volumes rocket, with a 73% jump in numbers recorded in 2020 in France alone! Don’t forget that digital certificate lifespans are growing shorter and shorter by the day, too. When you consider a rise in volume paired with shorter expiry dates, it isn’t hard to see how manual management can lead to headaches and mistakes.
Certificate scans sweep a company’s entire network to identify and record digital certificates used by the network’s nodes and endpoints, building up a certificate inventory in the process.
Certificates are used to identify and authenticate an organization’s machines and staff. They also enable secure communication channels between interconnected networks within an organization, or between several different organizations.
Interconnecting an organization’s networks depends on each network being secure and available, which in turn depends on the security and availability of every individual node. This is why scanning your infrastructure on a regular basis is important for tracking certificates and managing their lifecycles.
In short, certificate scanning is used to:
- Build up a certificate inventory.
- Identify servers and applications providing services on the network.
- Ensure secure communication between a network’s different nodes.
- Ensure network and service availability.
Compiling a certificate inventory lets you check that certificates comply with company security policy.
Digital certificate audits: what should we be scanning, exactly?
Network scans: scanning an application or web server’s certificates
Network scans aim to retrieve the certificates exposed by one or several applications or web servers. They scan service ports and use the TLS handshake to retrieve the certificate each service presents.
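As an added example (not code from the article or from BerryCert), a minimal network scan using only Python’s standard library: scan_host performs the TLS handshake described above, and assess turns the result into the inventory fields the article lists (expiry date, issuer, chain of trust). SAMPLE_CERT is a constructed record in the shape ssl returns, so assess can be exercised offline; the host names and paths are assumptions.

```python
import socket
import ssl
from datetime import datetime, timezone

def scan_host(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """TLS handshake with one host:port; returns the certificate as the dict from
    ssl.SSLSocket.getpeercert(). Verification stays on, so an untrusted chain is
    reported by scan_target instead of being silently accepted."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def assess(cert: dict, now: datetime, warn_days: int = 30) -> dict:
    """Inventory fields plus audit findings for one getpeercert() dict."""
    # getpeercert() encodes a name as a tuple of RDNs, each a tuple of (attribute, value) pairs.
    subject = dict(pair for rdn in cert["subject"] for pair in rdn)
    issuer = dict(pair for rdn in cert["issuer"] for pair in rdn)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    days_left = (not_after - now).days
    return {
        "subject": subject.get("commonName"),
        "issuer": issuer.get("commonName"),
        "sans": [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"],
        "not_after": not_after.isoformat(),
        "days_left": days_left,
        "expired": days_left < 0,                      # outage risk: already invalid
        "expiring_soon": 0 <= days_left < warn_days,   # outage risk: renew now
        "self_signed": subject == issuer,              # no CA vouches for this certificate
    }

def scan_target(host: str, port: int, now: datetime) -> dict:
    """Inventory record for one host:port; handshake failures are kept as findings."""
    entry = {"target": f"{host}:{port}"}
    try:
        entry.update(assess(scan_host(host, port), now))
    except ssl.SSLCertVerificationError as exc:
        entry["chain_not_trusted"] = exc.verify_message  # chain-of-trust finding
    except (OSError, ssl.SSLError) as exc:
        entry["error"] = str(exc)
    return entry

# Constructed sample in getpeercert() shape (not a real certificate), for offline use.
SAMPLE_CERT = {
    "subject": ((("organizationName", "Example Corp"),), (("commonName", "shop.example.test"),)),
    "issuer": ((("organizationName", "Example Corp"),), (("commonName", "Example Corp Issuing CA"),)),
    "notAfter": "Jan 15 12:00:00 2025 GMT",
    "subjectAltName": (("DNS", "shop.example.test"), ("DNS", "www.shop.example.test")),
}
```

Run scan_target("shop.example.test", 443, datetime.now(timezone.utc)) against a real host to get one inventory record; a failed chain validation lands in chain_not_trusted rather than aborting the sweep.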
Web servers can be used in two modes during certificate scans:
- As a web server to provide web services or applications.
- As a reverse proxy over one or several applications and services.
The best-known web servers are NGINX and Apache. Application servers expose business logic to client applications over various protocols, including HTTPS.
The best-known application servers are JBoss/Wildfly and Apache Tomcat.
Essentially, application and web server scans involve scanning configuration files to retrieve the certificates used by the applications or web servers in question.
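An added example (not the article’s or BerryCert’s code) of the configuration-file scan just described: it parses NGINX `ssl_certificate` and Apache `SSLCertificateFile`/`SSLCertificateChainFile` directives and records, for each certificate, the file system path and the application and service using it. The two config fragments are constructed samples; the paths and host names in them are assumptions.

```python
import re

# Constructed config fragments (not from a real deployment) standing in for the files a
# scanner would read under /etc/nginx and /etc/apache2 (or /etc/httpd).
NGINX_CONF = """
server {
    server_name shop.example.test;
    ssl_certificate     /etc/nginx/tls/shop.crt;   # leaf + chain bundle
    ssl_certificate_key /etc/nginx/tls/shop.key;
}
server {
    server_name api.example.test api.internal.test;
    ssl_certificate "/etc/nginx/tls/api.pem";
    ssl_certificate_key /etc/nginx/tls/api.key;
}
"""
APACHE_CONF = """
<VirtualHost *:443>
    ServerName intranet.example.test
    SSLCertificateFile      /etc/ssl/certs/intranet.crt
    SSLCertificateChainFile /etc/ssl/certs/intranet-chain.crt
    SSLCertificateKeyFile   /etc/ssl/private/intranet.key
</VirtualHost>
"""

def _first(block: str, directive: str):
    """First argument of a directive inside one block, or None if absent."""
    m = re.search(rf'^\s*{directive}\s+"?([^"\s;]+)', block, re.MULTILINE)
    return m.group(1) if m else None

def scan_nginx(text: str) -> list:
    """One record per ssl_certificate directive, tied to its server block's name.
    ssl_certificate_key is deliberately not matched: private keys are not inventory items."""
    records = []
    for block in re.split(r"\bserver\s*\{", text)[1:]:   # assumes no nested server blocks
        name = _first(block, "server_name")
        for path in re.findall(r'^\s*ssl_certificate\s+"?([^"\s;]+)', block, re.MULTILINE):
            records.append({"application": "nginx", "service": name, "path": path, "role": "leaf"})
    return records

def scan_apache(text: str) -> list:
    """One record per SSLCertificateFile / SSLCertificateChainFile in each VirtualHost."""
    records = []
    for block in re.split(r"<VirtualHost\b", text)[1:]:
        name = _first(block, "ServerName")
        pattern = r'^\s*(SSLCertificateFile|SSLCertificateChainFile)\s+"?([^"\s]+)'
        for directive, path in re.findall(pattern, block, re.MULTILINE):
            role = "chain" if directive == "SSLCertificateChainFile" else "leaf"
            records.append({"application": "apache", "service": name, "path": path, "role": role})
    return records
```

The records feed the inventory fields the article lists (location on the file system, application using the certificate); reading the files at those paths is the next step of the scan.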
Don’t forget your load balancer scans…
Load balancers are generally set up within their own dedicated infrastructure, whether physical or virtual. As with web server scans, load balancer scans are configuration scans that aim to retrieve certificates in use by a given load balancer.
Remember to audit your digital certificates by scanning your truststores
A truststore is a bundle of several CA certificates — generally root certificates, although they can contain intermediate CA certificates, too.
Truststores contain the certificates of CAs that have signed the certificates of the other parties a system is set to communicate with. These certification authorities identify and authenticate the other parties in the communication chain.
Lots of different systems use truststores, including:
- Operating systems.
- Applications/web servers.
- Load balancers.
- Cryptographic libraries.
- Web browsers.
Take stock of your digital certificates with a file system scan
File system scanning runs through an operating system’s file system to retrieve and inventory certificates.
Certificates issued by Certification Authorities: scanning CAs’ public directories
Certification authorities publish the certificates they issue in public directories or databases. Retrieving these certificates is key to getting a snapshot of all the certificates that have been issued and how they are used within the infrastructure.
Identity providers and authorization servers
Identity providers and authorization servers can hold user certificates that are used to authenticate those users.
How do digital certificate audits work? What are the go-to tools for running them?
Successfully scanning certificates requires scanning your organization’s network and the various parts of the infrastructure, such as operating systems, web servers, truststores and CAs.
The results of these scans allow you to:
- Automatically build a certificate inventory.
- Draw up an overarching snapshot of how certificates are used by the infrastructure’s different services and users.
- Ensure service availability and security.
A range of tools are on hand for you to use to scan certificates, but unfortunately not all let you structure the results in a way that’s clear and easy to understand for decision-makers such as administrators, security officers, CISOs and CIOs. Furthermore, scanning and identifying certificates is just the first step in managing your certificates’ lifecycle.
Digitalberry’s Certificate Lifecycle Management tool is here to help: BerryCert acts as a digital certificate hub that lets you map out all your electronic certificates by scanning, identifying, inventorying, and analyzing your digital certificates. Each scan results in an inventory of certificates you can track and manage with ease via a dashboard that gives you an overview of all your certificates and any action required.
BerryCert goes further than just mapping, however: it sends notifications to spare you service disruption linked to expired digital certificates, and it makes managing requests, renewals, and revocations that little bit easier, too.
What’s more, BerryCert calculates the compliance score for each certificate in line with recommendations issued by cyber security agencies (ANSSI, NSA, NIST), various security standards and norms (ETSI and eIDAS, ISO 27001), and internal security policies.