DigiCert has announced the DigiCert Automation Manager. It is a containerised enterprise solution that will site both behind customers firewalls and in their on-premises environments. It will make it easier to manage certificates from acquisition to configuration and destruction. The goal is to eliminate many of the issues and costs that enterprises face when managing large numbers of certificates across an increasingly complex architecture.
The need for better automation comes from a survey DigiCert is due to release in May on the State of PKI Automation. It highlights several key issues that organisations face. More than a quarter (26%) have had site downtime due to unplanned certificate expiration.
Other challenges include:
- Compliance issues (54%)
- Security issues (53%)
- Cost issues (53%)
All of these point to a significant problem with the way organisations currently manage their certificates.
John Merrill, CEO, DigiCert, said: “Lifetimes for public certificates are decreasing at the same time that organisations are deploying rapidly growing volumes of digital certificates, making automation a necessity.
“Automation Manager is designed to meet our customers’ need to become more efficient and effective in managing their certificates at scale. The architecture provides secure certificate automation on-premises — for any distributed environment.”
What does DigiCert Automation Manager offer?
DigiCert Automation Manager is designed to support both public and private Organisation Validation (OV) and Extended Validation (EV) certificates. It runs in a Kubernetes container that provides a single touchpoint for certificate management. It also allows administrators to create a set of workflows that can determine how different certificates or groups of certificates are managed.
There is also a Hosted Certificate Automation solution. This will allow organisations to pass control to a service provider to act on their behalf. DigiCert also says that customers can also build a hybrid solution where they could manage some certificates
The company also claims that Automation Manager:
- provides a lightning-fast, standards-based deployment mechanism
- simplifies certificate administration through a single pane of glass for both public and private certificates
- reduces network complexity, requiring only a single, secure API connection on port 443 back to DigiCert, for all your servers
- currently supports popular load balancers (i.e., F5, AWS, A10), with support for popular web servers such as Apache, Nginx and IIS coming soon.
Why should you automate?
In a press conference, Avesta Hojjati, Head of R&D, DigiCert, talked about Automation Manager and what it means for customers. He started with the case for automation. There are four areas where DigiCert sees automation playing a major role:
Efficiency: Certificate life is continuing to fall. A certificate that used to have a three-year life is down to 13 months. An increasing number are down to 90-days. This reduction in time increases the amount of work for administrators. It also increases the chances of a certificate not being renewed in time. Hojjati also said that DigiCert saw a significant rise in demand for certificates putting further pressure on administrators.
Security: Hojjati said: “Humans make errors frequently. Automation is able to solve many of these problems because automation has been designed to follow specific guidelines. Whenever an admin requests a certificate, they have to extract data from a web server and put it into the certificate. Automation can do this consistently and without error.”
Crypto-Agility: Algorithms change which means certificates need to change. That happens quickly to stop systems from being out of date. Automation makes it easy to highlight a set of certificates that need to be updated. It can extract the data, get the new certificates and apply with little to no downtime.
Compliance: Certificate Authorities (CA) have to work to set compliance requirements. Automation means that any change in compliance requirements means a certificate can be reissued immediately. Hojjati refers to this as: “Automation can provide the shortest path.”
Customer challenges with automation
The yet to be published survey threw up some interesting challenges from customers around automation. For example:
- Distributed environments prevent secure deployment of automation (31%)
- Disruption caused by automation transformation (30%)
- Our environment is too distributed to get automation on all servers (26%)
- Automation will replace parts of a staff members jobs (23%)
In the case of the first three, Hojjati says that automation will improve security by removing many of the errors. It will also help those with complex environments ensure that any changes, updates, or renewals will be far more seamless than if carried out manually from certificate to crypto standard.
The issue of replacing parts of jobs is a common blocker for automation. Hojjati made the case above when talking about security. However, what is more important is that organisations see this as not job replacement but freeing up time for other tasks. One area that Hojjati talked about was creating and refining the automation rules. Another is a better understanding of compliance requirements and ensuring that organisations understand what they have to do. Codifying those into the automation systems will take time and experience. It is not something that is being replaced by ML and AI systems.
Improve the stability of certificates
Hojjati was asked if automation would reduce the incidence of certificates expiring unexpectedly.
He replied: “For us to be able to automate everything, we need to have a human factor who could tell us what they need to automate and when. For example, to prevent certificate outages at the weekend, renew your certificates on a Monday morning, not Friday afternoon. It is a capability that we have included in our automation solutions.”
But what about the cases in the past when certificates have failed to be obtained and applied in time?
“Outages can happen especially around Black Friday and Christmas time. At the beginning of the year, customers will come in and request a certificate valid for 13 months. If the customer issued this in November 2020, 13 months later, it would need to renew around the holiday time. This is a very high traffic period, and there is always a short downtime when replacing certificates.
“We have processes in place where customers could give us black dates. These are the dates that we will block from issuing certificates. They will calculate when they have to automatically replace a new certificate to have the application running when the traffic is high. It will prevent downtime for that specific customer.”
Will DigiCert automate compliance and audits?
Large organisations with multiple certificates often struggle to align compliance across certificates and systems. They also have very specific audit needs. Hojjati was asked what DigiCert was doing here.
He said: “We just finalised one of our biggest audits requirements for automation manager, which will be part of the launch on May 5. Audits are extremely important in the back end. We are empowering our customers with different functionalities. Auditing is one of those we are providing as part of the automation manager. There is an extensive audit trail. Customers can look at the type of certificates they have issued, the detail of those certificates and the location of those certificates.”
Will Automation Manager help companies identify compliance issues and how will it do so?
“Definitely. Certificate issuance for all of our automation solutions are publicly trusted and still happen back at DigiCert. We are not pushing the certificate issuance inside a container to customers environments. The only thing that we are pushing will be the automation workflows, the permissions audit trails, the data that customers collect. Everything that evolves around automating the Certificate Lifecycle Management.
“You may have a customer who resides in Europe. They will ask that they want to have the reports reside within Europe, specifically around that data centre that they may have. They don’t want to push that back to DigiCert main Data Centre, and this is absolutely possible. As far as issuing certificates for a specific region, we have a specific compliance team that looks over these. All certificate issues happen from our central CA, which we manage. Therefore, we can enforce specific compliance policies evolving around each region.”
Enterprise Times: What does this mean?
Automating the management and issuance of digital certificates is a necessity, not a nice to have feature. The explosion in digital certificate use has created a nightmare for administrators. When a certificate expires due to not being renewed in time, it can seriously impact business. It is not just about users not getting to the company website. It means customers cannot get to the website. No customers mean no business, and that means money lost.
By creating a tool that manages all an organisation’s certificates will appeal to a lot of administrators. Although 23% of the survey respondents were concerned about it impacting jobs, the likelihood is that this won’t happen. One of the problems for administrators is trying to create trusted workflows. Automation Manager wants to do that for them. The time saved will provide more opportunity to tighten security and compliance around certificate usage.
One area where this will have a significant impact is in the deployment of certificates around IoT. Automating a task that could affect hundreds, thousands and even tens of thousands of devices is a necessity. As organisations look to secure that growing explosion of autonomous devices, automation will be their friend.