Remediate Certificate Issues
Remediating certificate issues involves identifying and resolving problems related to digital certificates within an organization's infrastructure. By regularly deleting expired and revoked certificates, regenerating high-risk and critical-risk certificates with enhanced parameters, and renewing or regenerating certificates nearing expiration, organizations can significantly improve their crypto score. This proactive approach ensures robust cryptographic security, compliance with industry standards, and a well-maintained certificate infrastructure, ultimately safeguarding digital assets and maintaining stakeholder trust.
Delete Expired and Revoked Certificates from Inventory
Expired and revoked certificates should not be trusted: an expired certificate fails validation and trains users to click through warnings, and a revoked certificate means the issuing CA has withdrawn it, usually because the private key was compromised or the certificate was mis-issued. Both drag down your crypto score for as long as they sit in inventory. To improve the score:
- Identify Expired Certificates: Regularly scan your inventory for certificates whose validity period has ended (the notAfter date has passed).
- Remove Expired Certificates: Delete these expired certificates from the inventory, and from any endpoint where they are still installed, so they cannot be presented or trusted by mistake.
- Identify Revoked Certificates: Similarly, identify certificates that the issuing CA has revoked, whether for key compromise or another reason, by checking their status against the CA's CRL or OCSP responder.
- Remove Revoked Certificates: Ensure that revoked certificates are promptly removed from your inventory, and that any endpoint still presenting one is reissued a new certificate on a fresh key pair.
Regenerate High-Risk and Critical-Risk Certificates
High and critical-risk certificates typically carry weak cryptographic parameters (short RSA keys, SHA-1 or MD5 signatures, deprecated curves) or other vulnerabilities flagged by the risk rules. Regenerating them means issuing a new certificate on a new key pair with stronger parameters; re-issuing the same key does not remove the risk.
- Identify High and Critical-Risk Certificates: Use your certificate management system to identify certificates flagged as high or critical risk.
- Review Risk & Crypto Settings: Access the Risk & Crypto settings in your management system to understand the parameters required for secure certificate regeneration.
- Regenerate Certificates: Follow these steps to regenerate the identified certificates:
- Generate new key pairs of adequate strength (e.g., RSA with at least a 2048-bit key, or ECDSA on a recommended curve such as P-256 or P-384).
- Sign with a secure hash algorithm (SHA-256 or stronger); never SHA-1 or MD5, which current clients reject.
- Implement certificate policies that align with industry standards and best practices.
- Deploy New Certificates: Replace the old certificates with the newly generated ones in your infrastructure.
Renew or Regenerate Certificates That Are About to Expire
To maintain continuous security and avoid service disruptions, it’s essential to renew or regenerate certificates nearing their expiration date.
- Identify Certificates Near Expiration: Regularly monitor your certificate inventory to find those that are approaching their expiration dates.
- Renew Certificates:
- Contact the issuing Certificate Authority (CA) to renew the certificates.
- Follow the CA's renewal process, ensuring that the renewed certificates meet your security requirements. A renewal that reuses the original CSR keeps the old key pair; submit a fresh CSR so the key is rotated along with the certificate.
- Regenerate Certificates: If renewal is not possible or practical, regenerate new certificates using updated cryptographic parameters as described above.
- Deploy Renewed/Regenerated Certificates: Ensure that the newly renewed or regenerated certificates are deployed across all relevant systems and applications before the old ones expire, and verify the full chain on each endpoint before retiring the old certificate.
To reach these certificates in the product:
- Navigate to Insights > Summary > Crypto Score section.
- Click the Critical or High priority certificate count in the chart; this opens an intermediate page.
- Click the Remediate button to go to the Server/Client/Code Signing certificate inventory.

Note: From the inventory you can initiate the renewal or replacement process for these certificates. Take the necessary actions for critical and high-priority certificates. For more details about CLM inventory actions, refer to Managing the Certificate Inventory.
Remediate Non-Standard Certificate
Effective remediation of non-standard certificates is essential for maintaining a secure and compliant digital infrastructure. By regenerating self-signed certificates with trusted CAs, replacing wildcard certificates with individual domain certificates, verifying or deleting unknown certificates, issuing certificates from intermediate rather than root CAs, correcting SAN mismatches, and associating all certificates with their intended devices, organizations can significantly enhance their security posture and ensure adherence to industry best practices.
Self-Signed Certificates
Issue:
- Self-signed certificates are not issued by a trusted Certificate Authority (CA) and are typically used for internal testing or small-scale applications. Because no CA vouches for them, a client cannot tell a legitimate self-signed certificate from one an attacker presents, so deploying them teaches users to click through trust warnings.
Remediation:
- Regenerate the Certificate from a Trusted CA: Replace self-signed certificates with ones issued by a trusted CA (a public CA for internet-facing services, or your organization's internal PKI for internal ones). This ensures that the certificates are recognized and trusted by other systems and browsers, thereby enhancing security and trust.
Wildcard Certificates
Issue:
- Wildcard certificates secure every host under a domain (e.g., *.example.com) with a single certificate and private key. While convenient, that key must be copied to every server that terminates TLS for any of those hosts, so compromising any one of them lets an attacker impersonate every subdomain the wildcard covers.
Remediation:
- Create Individual Certificates for Each Domain: Instead of using a wildcard certificate, generate individual certificates for each subdomain, each listing only the names that host actually serves in its SAN. This limits the scope of any key compromise to a single subdomain.
Unknown Certificates
Issue:
- Certificates issued by an unknown or untrusted issuer cannot be chained to a trust anchor, so their authenticity cannot be verified and they may pose security risks.
Remediation:
- Trust the Issuers or Delete the Certificates: Verify the legitimacy of the issuing entity. If the issuer is trustworthy, add them to your list of trusted entities. If the issuer cannot be verified, delete the certificates to avoid potential security risks.
Root CA Issued Certificates
Issue:
- Certificates issued directly by a root CA do not follow the recommended hierarchical trust model. The root's private key has to be online and used for every issuance instead of being kept offline, and if it is compromised there is no intermediate to revoke: the entire hierarchy must be rebuilt.
Remediation:
- Regenerate the Certificates from a Trusted Intermediate CA: Replace root CA-issued certificates with certificates issued by a trusted intermediate CA. This follows the best practice of using a hierarchical trust chain, improving overall security.
Subject Alternative Name (SAN) Mismatch
Issue:
- SAN mismatch occurs when the certificate's SAN entries do not include the Fully Qualified Domain Name (FQDN) the certificate is actually served for. Modern browsers and TLS libraries match the hostname against the SAN entries only and ignore the Common Name, so a certificate with the right CN but a missing or wrong SAN still fails validation.
Remediation:
- Enroll New Certificates for the Actual FQDN: Generate new certificates that correctly list the intended FQDNs in the SAN field. Deploy these new certificates to ensure they match the domain names they are intended to secure, preventing security warnings and potential man-in-the-middle attacks.
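The checks described in this section and in the expiry and regeneration steps above, as an added example that is not the product's own code: a bash script that uses the openssl CLI to audit a PEM certificate for expiry or near-expiry, weak key size or signature hash, self-signing, wildcard SAN entries and whether the served hostname is covered by the SAN list, and then builds the replacement key and CSR with one SAN entry per host. The thresholds (30-day renewal window, 2048-bit RSA and P-256 minimums), the finding names and the example.com hostnames are assumptions; the sample certificates are generated in a temporary directory for the run and are constructed, not inventory data.

```shell
#!/usr/bin/env bash
# Added example, not the product's own code: audit a PEM certificate with the
# openssl CLI for the conditions this page remediates, then build the replacement
# key and CSR. Thresholds, finding names and hostnames are assumptions.
set -eu

EXPIRY_WARN_DAYS=30   # assumption: renew anything expiring within 30 days
MIN_RSA_BITS=2048     # assumption: RSA below 2048 bits is a weak key
MIN_EC_BITS=256       # assumption: EC below 256 bits (P-256) is a weak key

# Return 0 if hostname $1 is covered by SAN entry $2. A wildcard covers exactly
# one label, as clients apply it: *.example.com covers api.example.com but not
# example.com or a.b.example.com.
san_matches() {
    local host san
    host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    san=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    [ "$host" = "$san" ] && return 0
    case $san in
        \*.*) [ "${host#*.}" != "$host" ] && [ "${host#*.}" = "${san#\*.}" ] && return 0 ;;
    esac
    return 1
}

# Print the findings for PEM certificate $1 as served for hostname $2 (or OK).
audit_cert() {
    local cert=$1 host=$2 findings="" text alg bits sans san wildcard=0 matched=0
    text=$(openssl x509 -in "$cert" -noout -text)

    # Validity: -checkend N exits 1 if the certificate expires within N seconds
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        findings="$findings EXPIRED"
    elif ! openssl x509 -in "$cert" -noout -checkend $((EXPIRY_WARN_DAYS * 86400)) >/dev/null; then
        findings="$findings EXPIRING_SOON"
    fi

    # Key strength, from the "Public Key Algorithm:" and "Public-Key: (N bit)" lines
    alg=$(printf '%s\n' "$text" | sed -n 's/^ *Public Key Algorithm: //p' | head -n1)
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n1)
    case $alg in
        rsaEncryption)  [ "${bits:-0}" -ge "$MIN_RSA_BITS" ] || findings="$findings WEAK_KEY" ;;
        id-ecPublicKey) [ "${bits:-0}" -ge "$MIN_EC_BITS" ]  || findings="$findings WEAK_KEY" ;;
    esac

    # Signature hash: MD5 or SHA-1 ("sha256" does not match "sha1" + non-digit)
    if printf '%s\n' "$text" | grep -qiE 'Signature Algorithm:.*(md5|sha1)([^0-9]|$)'; then
        findings="$findings WEAK_SIGNATURE"
    fi

    # Self-signed: issuer DN equals subject DN (the usual inventory heuristic)
    if [ "$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253)" = \
         "$(openssl x509 -in "$cert" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=/subject=/')" ]; then
        findings="$findings SELF_SIGNED"
    fi

    # SAN: note wildcard entries and check the served hostname against the SAN
    # list only; clients ignore the CN, so there is deliberately no CN fallback.
    sans=$(openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null \
           | grep -oE 'DNS:[^, ]+' | sed 's/^DNS://' || true)
    set -f                       # no pathname expansion of "*.example.com"
    for san in $sans; do
        case $san in \*.*) wildcard=1 ;; esac
        san_matches "$host" "$san" && matched=1
    done
    set +f
    [ "$wildcard" -eq 0 ] || findings="$findings WILDCARD"
    [ "$matched" -eq 1 ] || findings="$findings SAN_MISMATCH"

    findings=${findings# }
    printf '%s\n' "${findings:-OK}"
}

# Build the replacement: a fresh P-256 key and a CSR listing every served FQDN
# in the SAN, one name per host rather than a wildcard. $1 = output path prefix,
# remaining args = FQDNs. Prints the CSR's SAN entries; submit the CSR to your CA.
regenerate_csr() {
    local prefix=$1 sans="" h
    shift
    for h in "$@"; do sans="${sans:+$sans,}DNS:$h"; done
    openssl ecparam -name prime256v1 -genkey -noout -out "$prefix.key"
    openssl req -new -key "$prefix.key" -subj "/CN=$1" -sha256 \
        -addext "subjectAltName=$sans" -out "$prefix.csr"
    openssl req -in "$prefix.csr" -noout -text | grep -oE 'DNS:[^, ]+' | paste -sd ' ' -
}

# Constructed samples for a stand-alone run, not inventory data. Both are
# self-signed (no CA here); A also has a 1024-bit RSA key, a wildcard SAN and
# one day of validity left, while B is what the audit should otherwise pass.
make_samples() {
    local dir=$1
    openssl req -x509 -newkey rsa:1024 -nodes -sha256 -days 1 \
        -keyout "$dir/a.key" -out "$dir/a.pem" -subj "/CN=*.example.com" \
        -addext "subjectAltName=DNS:*.example.com" 2>/dev/null
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -sha256 -days 365 -keyout "$dir/b.key" -out "$dir/b.pem" \
        -subj "/CN=www.example.com" \
        -addext "subjectAltName=DNS:www.example.com,DNS:api.example.com" 2>/dev/null
}

workdir=$(mktemp -d)
make_samples "$workdir"
for pair in "a.pem api.example.com" "a.pem example.com" \
            "b.pem www.example.com" "b.pem mail.example.com"; do
    set -- $pair
    printf '%-5s %-16s %s\n' "$1" "$2" "$(audit_cert "$workdir/$1" "$2")"
done
printf 'replacement CSR SANs: %s\n' "$(regenerate_csr "$workdir/new" www.example.com api.example.com)"
rm -rf "$workdir"
```

Run it with OpenSSL 1.1.1 or later (the `-ext` and `-addext` options require it). Sample A is reported as EXPIRING_SOON WEAK_KEY SELF_SIGNED WILDCARD when served for api.example.com, and additionally SAN_MISMATCH for the bare example.com, which the wildcard does not cover; sample B is only SELF_SIGNED for the names it lists and SAN_MISMATCH for any other. The self-signed test compares issuer and subject DNs rather than verifying the signature, which is enough for inventory triage; the SAN match deliberately has no Common Name fallback because clients no longer use it.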
Unassociated Certificates
Issue:
- Unassociated certificates are those that are not currently linked to any device or service within your infrastructure, leading to potential management and security gaps.
Remediation:
- Manage Respective Devices to Associate Certificates: Identify the intended devices or services for these certificates and properly associate them. This ensures that all certificates are actively managed and utilized, reducing the risk of forgotten or unused certificates that could lead to security vulnerabilities.
