Qualys Inc.

01/15/2025 | News release | Distributed by Public on 01/15/2025 10:06

Certificate Awareness & Automated Renewal with Qualys CertView

The Challenges of Managing Digital Certificates

Almost everything we do in the digital world relies on certificates. Whether we are accessing services from a computer or a phone, for work or for leisure, certificates are ubiquitous.

However, for many organizations, managing digital certificates is a major challenge. It can be extremely difficult to keep track of expiry dates, chains of trust, and key-size and algorithm requirements across the whole estate.

No organization is immune to the risks of poorly managed certificates. Even well-known companies have suffered outages caused by an expired or misconfigured certificate, sometimes amounting to millions of lost customer hours.

In this blog, we will see how Qualys Certificate View (CertView) helps security teams gain complete visibility into their digital certificates and their underlying configurations, regardless of location, business unit, or operational silo.

CertView is provided free for all Qualys VMDR customers, is tightly integrated with the Web Application Scanning (WAS) and External Attack Surface Management (EASM) modules of Qualys, uses existing Qualys sensors, and provides actionable insights "out of the box."

How Does Qualys CertView Help You Reduce Risk?

Qualys CertView helps you better measure, communicate, and eliminate risk for your business. Here's how:

For Measurement: CertView Goes Beyond Expired Certificates

CertView shows you which certificates are served over insecure configurations: endpoints that still offer SSLv2, SSLv3, TLS 1.0, or TLS 1.1 (all formally deprecated; TLS 1.0 and 1.1 by RFC 8996) or that negotiate weak cipher suites. The protocol version is a property of the endpoint serving the certificate rather than of the certificate itself, which is why CertView grades each detected instance by port and service. TLS 1.2 with modern cipher suites and TLS 1.3 are the current baseline; TLS 1.3 also drops the legacy ciphers and shortens the handshake.

Qualys CertView detects certificates across your estate, whether on the on-premises or external network, on workstations, on cloud instances, or via Qualys Cloud Agents. This gives you complete visibility of certificates issued by approved or trusted Certificate Authorities (CAs) as well as self-signed certificates. With the latest updates, you can now also monitor root and intermediate CA certificates.

If you are a VMDR customer using the Windows Cloud Agent, contact your TAM or the Customer Support Team for activation. Support for CertView on the Linux Cloud Agent is planned for upcoming quarters.

CertView Free Licensing Model - External Scans & Certificate Visibility

With the CertView Free licensing model, you can perform unlimited external scans to monitor certificates exposed to the internet. Combined with the agent- and scanner-based detection described above, this gives you visibility into the state of your certificates, both internal and external, so you can proactively manage certificate expirations and avoid downtime or security vulnerabilities.

Key benefits of this model include:

  • Unlimited External Scans: Leverage the capability to continuously scan your publicly exposed assets for certificate issues, ensuring timely remediation.
  • Comprehensive Visibility: Get a complete view of all certificates, whether internal or external, to better track expiration dates, vulnerabilities, and compliance.
  • Proactive Management: Take corrective actions before certificates expire, reducing the risk of service interruptions and security breaches.

This enables you to manage and secure your certificate infrastructure more efficiently, ensuring that any issues are identified and addressed promptly.

Weak Certificates Are Categorized for You

For every detected instance of a certificate, keyed by the port and service on which it was found, CertView shows a grade. You do not have to track every change in protocol and cipher-suite guidance yourself: the simple grading system lets administrators quickly assess the very real risk incurred by weaker cipher suites, older protocols, and poorer key-exchange parameters.

The grades for every certificate are based on multiple parameters/scoring methods such as Certificate Issuer, Protocol Strength, Key Exchange, Cipher Strength, and Cipher Suites. Here is an example of an evaluation for one such certificate:

You can explore the technical, internal logic of how the grading works by heading over to ssllabs.com. SSL Labs also provides a free server certificate and TLS configuration check that anyone can use at any time.

To Communicate: Easily Manage the Certificate Lifecycle

CertView helps prevent expired certificates from causing an outage by warning you in advance which certificates will expire soon. Figure 6 shows how easy this can be, with dashboard widgets that highlight the riskiest assets with expired and expiring certificates.

You can deploy (and bulk deploy), renew, and automatically renew certificates issued by DigiCert, Mocana, and GeoTrust. Going one step further, Qualys CertView will soon use the Automatic Certificate Management Environment (ACME, RFC 8555) to fully automate the certificate lifecycle.

Enforce Organizational Standards

With CertView, you can enforce organizational standards by creating a baseline inventory of all certificates in the enterprise. You can clearly see how many certificates are out of compliance or don't follow organizational policies for key length, signature algorithms, or the use of trusted and approved Certificate Authorities.

Communicating any upcoming certificate expirations to the stakeholders is critical, and you can configure alerting rules to get notified via Email, Slack, or PagerDuty.

We recommend configuring several expiration alerts, for example at 90, 30, and 7 days before expiry. This ensures your certificate owners do not miss these alerts and that certificates are renewed in a timely fashion.
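As an added example (not Qualys code), here is the baseline and expiry logic of the preceding paragraphs in Python: a hand-built inventory of four constructed certificate records is checked against an assumed policy (minimum key sizes, allowed signature algorithms, an approved-CA list, deprecated protocol versions, maximum validity) and bucketed into the 7/30/90-day alert tiers, expired certificates first. The record fields, hostnames, issuer names and policy values are this example's assumptions, not CertView's schema or defaults.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Organizational baseline. The numbers are assumptions chosen for illustration;
# the deprecations come from RFC 6176 (SSLv2), RFC 7568 (SSLv3) and RFC 8996
# (TLS 1.0/1.1), and 398 days is the CA/Browser Forum maximum validity for
# publicly trusted TLS certificates.
POLICY = {
    "min_rsa_bits": 2048,
    "min_ec_bits": 256,
    "allowed_sig_algs": {"sha256WithRSAEncryption", "sha384WithRSAEncryption",
                         "ecdsa-with-SHA256", "ecdsa-with-SHA384"},
    "approved_issuers": {"DigiCert", "GeoTrust", "Thawte"},  # assumed approved-CA list
    "deprecated_protocols": {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"},
    "max_validity_days": 398,
}
ALERT_TIERS_DAYS = (7, 30, 90)  # the alert thresholds recommended above


@dataclass
class CertRecord:
    """One detected certificate instance. Field names are this example's own, not an API schema."""
    subject: str
    issuer_org: str
    self_signed: bool
    key_algo: str          # "RSA" or "EC"
    key_bits: int
    sig_alg: str
    not_before: datetime
    not_after: datetime
    protocols: frozenset   # protocol versions offered by the endpoint serving it


def evaluate(rec: CertRecord, policy=POLICY) -> list:
    """Return the baseline violations for one record (empty list = compliant)."""
    findings = []
    if rec.self_signed:
        findings.append("self-signed certificate")
    elif rec.issuer_org not in policy["approved_issuers"]:
        findings.append(f"issuer not approved: {rec.issuer_org}")
    min_bits = policy["min_rsa_bits"] if rec.key_algo == "RSA" else policy["min_ec_bits"]
    if rec.key_bits < min_bits:
        findings.append(f"weak key: {rec.key_algo}-{rec.key_bits} below {min_bits}")
    if rec.sig_alg not in policy["allowed_sig_algs"]:
        findings.append(f"signature algorithm not allowed: {rec.sig_alg}")
    weak = sorted(rec.protocols & policy["deprecated_protocols"])
    if weak:
        findings.append("deprecated protocols offered: " + ", ".join(weak))
    validity = (rec.not_after - rec.not_before).days
    if validity > policy["max_validity_days"]:
        findings.append(f"validity {validity}d exceeds {policy['max_validity_days']}d")
    return findings


def expiry_tier(rec: CertRecord, now: datetime, tiers=ALERT_TIERS_DAYS):
    """'expired', the tightest alert tier the certificate has entered (e.g. '30d'), or None."""
    days_left = (rec.not_after - now).total_seconds() / 86400
    if days_left < 0:
        return "expired"
    for t in tiers:
        if days_left <= t:
            return f"{t}d"
    return None


def triage(inventory, now: datetime) -> list:
    """Rank the inventory: already-expired first, then by days to expiry, with findings."""
    rows = [{"subject": r.subject,
             "days_left": (r.not_after - now).days,
             "tier": expiry_tier(r, now),
             "findings": evaluate(r)} for r in inventory]
    rows.sort(key=lambda row: row["days_left"])
    return rows


# Constructed sample inventory (made-up hosts, not real scan data).
UTC = timezone.utc
NOW = datetime(2025, 1, 15, tzinfo=UTC)
INVENTORY = [
    CertRecord("www.example.com", "DigiCert", False, "RSA", 2048, "sha256WithRSAEncryption",
               datetime(2024, 3, 1, tzinfo=UTC), datetime(2025, 1, 20, tzinfo=UTC),
               frozenset({"TLSv1.2", "TLSv1.3"})),
    CertRecord("legacy.example.internal", "", True, "RSA", 1024, "sha1WithRSAEncryption",
               datetime(2020, 1, 1, tzinfo=UTC), datetime(2030, 1, 1, tzinfo=UTC),
               frozenset({"TLSv1.0", "TLSv1.2"})),
    CertRecord("api.example.com", "GeoTrust", False, "EC", 256, "ecdsa-with-SHA256",
               datetime(2024, 6, 1, tzinfo=UTC), datetime(2025, 3, 1, tzinfo=UTC),
               frozenset({"TLSv1.2", "TLSv1.3"})),
    CertRecord("old.example.com", "DigiCert", False, "RSA", 2048, "sha256WithRSAEncryption",
               datetime(2024, 1, 1, tzinfo=UTC), datetime(2025, 1, 1, tzinfo=UTC),
               frozenset({"TLSv1.2"})),
]

if __name__ == "__main__":
    for row in triage(INVENTORY, NOW):
        print(f"{row['subject']:<26} {row['days_left']:>5}d  tier={row['tier']}  {row['findings']}")
```

The long-lived self-signed certificate never enters an expiry tier, which is exactly why expiry alerts alone are not enough: it still fails five baseline checks and would sit unnoticed without the policy pass.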

To Eliminate: Enroll or Renew Your Certificates with DigiCert Renewal

With the integrated renewal process in Certificate View, you can use the enrollment options to initiate the renewal process for certificates that are about to expire. This workflow assists in sending a renewal request to DigiCert. You can enroll, renew, and even auto-renew certificates issued by DigiCert, as well as those from DigiCert acquisitions such as Thawte, Mocana, and GeoTrust. This streamlined process ensures that your certificates remain up-to-date and compliant with security standards.

Certificate View Rapid Certificate Deployment Option

The latest Certificate View release enables bulk deployment of certificates to endpoints through the Qualys Cloud Agent, so certificates approaching expiration can be remediated proactively. Reach out to your Technical Account Manager to activate this feature.

CertView Actionable Dashboard

The fastest way to gain insights into your certificate estate is to download and import the latest CertView Actionable Dashboard into your subscription.

CertView Actionable Dashboard is available here - Download the Dashboard

This dashboard enables a quick assessment of all your organization's certificates and the risks associated with upcoming expirations. It significantly accelerates the process and focuses on the most urgent items to mitigate risks rapidly.

What's upcoming in Certificate View - Automated Certificate Renewal

Qualys Certificate View is expanding its capabilities to support renewals using the Automatic Certificate Management Environment (ACME, RFC 8555), automating certificate issuance and renewal. Today, renewing a certificate means generating a Certificate Signing Request (CSR) on the server and copying and pasting it into a form at your CA; with ACME, the CSR is submitted to the CA over the protocol, and the agent can then download and install the issued certificate and notify the assigned contact.

This will address the need for Certificate Lifecycle Management.
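The CSR step above, as an added example rather than Qualys code, using the third-party Python `cryptography` package (`pip install cryptography`): generate a key and a CSR that carries a SubjectAlternativeName, then check the CSR against a baseline before it is pasted into the CA's form or handed to an ACME client. The hostnames, organization name, and thresholds are made up for the example.

```python
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtensionOID, NameOID

ALLOWED_HASHES = {"sha256", "sha384", "sha512"}   # assumed baseline


def make_csr(common_name: str, sans, org: str = "Example Corp", key_bits: int = 2048):
    """Generate a fresh RSA key and a CSR for it. Pass sans=None to omit the SAN (to see it flagged)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_bits)
    builder = x509.CertificateSigningRequestBuilder().subject_name(x509.Name([
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, org),
        x509.NameAttribute(NameOID.COMMON_NAME, common_name),
    ]))
    if sans:
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.DNSName(n) for n in sans]), critical=False)
    csr = builder.sign(key, hashes.SHA256())
    return key, csr


def check_csr(csr: x509.CertificateSigningRequest, min_rsa_bits: int = 2048) -> list:
    """Baseline checks to run before the CSR leaves the host. Empty list means it passes."""
    problems = []
    if not csr.is_signature_valid:
        problems.append("CSR signature does not verify (corrupted or signed with the wrong key)")
    pub = csr.public_key()
    if isinstance(pub, rsa.RSAPublicKey) and pub.key_size < min_rsa_bits:
        problems.append(f"RSA key size {pub.key_size} below {min_rsa_bits}")
    h = csr.signature_hash_algorithm
    if h is None or h.name not in ALLOWED_HASHES:
        problems.append(f"signature hash {h.name if h else 'none'} not allowed")
    try:
        san = csr.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value
        dns_names = san.get_values_for_type(x509.DNSName)
    except x509.ExtensionNotFound:
        dns_names = []
        problems.append("no SubjectAlternativeName extension; clients ignore the CN")
    cn = csr.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    if dns_names and cn not in dns_names:
        problems.append(f"CN {cn} is not listed in the SAN")
    return problems


def csr_pem(csr) -> str:
    """The text you paste into the CA's enrollment form, or hand to an ACME client."""
    return csr.public_bytes(serialization.Encoding.PEM).decode()


def key_pem(key) -> str:
    """Unencrypted PKCS#8 PEM; on a real host, encrypt it or keep it in the agent's key store."""
    return key.private_bytes(serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8,
                             serialization.NoEncryption()).decode()


if __name__ == "__main__":
    key, csr = make_csr("www.example.com", ["www.example.com", "example.com"])
    print("problems:", check_csr(csr) or "none")
    print(csr_pem(csr))
```

An ACME client can consume the same externally generated CSR (certbot, for example, accepts one via `--csr`), so the baseline check does not change when the copy-and-paste step is automated; only the submission path does.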

Next Steps

If you are already a Qualys VMDR customer, click on the application menu and select Certificate View to begin the journey. You will find that your certificates have already been added, assessed, and graded. Use the pre-configured dashboard to proactively manage all your digital certificates, for internal assets and public cloud resources alike.

Reference Links

Qualys CertView

Qualys SSL Labs

Qualys VMDR with TruRisk™

Qualys CertView Guide

Qualys CertView API Guide

Start your no-cost trial of Qualys VMDR with TruRisk today!

Co-author: Ramesh Ramachandran, Principal Product Manager, VMDR, Qualys

Contributor: Anthony Williams, Subject Matter Expert, VMDR, Qualys
