If you use the popular development site GitHub, you may have downloaded one of its apps, such as Desktop or Atom. But how sure are you that the version you have was actually produced by GitHub? In early 2023, hackers have stolen digital certificates for both Desktop and Atom.
This means these malicious entities could make a fake version of Desktop or Atom, give it the stolen certificate, and then allow users to download it. They could also change the Desktop or Atom code so it includes malware, then make it available to people and organizations under the guise of legitimate software. There’s no way your browser would be able to tell the difference.
Fortunately, GitHub has addressed the issue, but the incident underscores how important it is to understand the certificate lifecycle and manage it properly.
Certificate lifecycle management involves managing digital certificates from when they’re created to when they either expire or get revoked. It's a primary component of Transport Layer Security (TLS), which is an industry-standard security protocol for internet communications. TLS uses digital certificates to encrypt data and authenticate the identities of servers.
Here’s a breakdown of the certificate lifecycle and some best practices for safe, convenient certificate management.
What Is a Digital Certificate?
A digital certificate is a document that verifies the identity of a device, website, or application. It’s similar to a passport. Your passport carries information about you that an authority has investigated and verified. So when you present your passport as a form of identification, the other party believes you are who you say you are.
A digital certificate is similar in that it’s issued by a certificate authority that investigates the validity and authenticity of the certificate holder. Then, when the certificate holder presents it to a browser or device it’s interacting with, the browser or device approves the certificate and initiates safe communication.
Certificates also encrypt communications between the app or site and the browser or computer someone’s using to access it. So when you send your credit card data to a website with a valid certificate, the data is encrypted while in transit. Even if a cyber criminal successfully snatches your data, without the decryption key, the data is unreadable.
You may have noticed a small lock icon on the left side of your browser's address bar if you’re using Chrome. This verifies the legitimacy of the site you're visiting, indicating it has a valid security certificate. If a site doesn’t produce this icon, it doesn’t have a valid certificate—meaning it can be a fake site designed by a hacker to disseminate malware or steal sensitive information.
The Stages of the Certificate Lifecycle
Certificate lifecycle management ensures you can continue to interact with safe digital assets. Here are the stages of the certificate lifecycle and how each of them works.
Request and Enrollment
In the request and enrollment stage, a requester asks a certificate authority (CA) for a certificate. To get one, they have to provide vital information such as:
- The identity of their company
- Details about their organization
- Business registration
- Articles of incorporation
- Tax ID numbers
- Who owns the domain
- The identities of the individuals requesting the certificate
- Contact details, such as business phone numbers
- How they intend to use the certificate
The CA then verifies that this information is true. For instance, it may call the provided phone number or check the articles of incorporation against the records of the jurisdiction under which the business is registered.
Once the CA has verified that the provided information is legitimate, they can issue the certificate.
Issuance and Provisioning
During the issuance and provisioning stage, the CA issues the certificate to the entity that requested it. The CA digitally signs the certificate, which is like a stamp verifying its validity. Returning to the passport parallel, the CA’s signature is similar to the watermarks and hidden chip featured in some passports. These would be very difficult to fake.
The provisioning process also involves installing the certificate. For example, with a website, the installation happens digitally on the site’s server.
Usage and Monitoring
During this phase, the certificate requester uses the certificate to interact with users, devices, browsers, and websites. Each time the certificate is used, the monitoring system generates usage data. The monitoring system can also provide alerts regarding certificates that may soon expire.
For example, if you go to Amazon.com and right-click on the small lock icon in the left corner of the browser, you can see that their certificate was issued on January 16, 2023 and expires on January 16, 2024. While monitoring site usage, a CA can use this data to automatically alert a certificate holder of a pending expiration.
Expiration and Renewal
Either the CA or certificate holder initiates the renewal process, which should be done in a timely fashion to avoid connectivity problems. During the renewal process, the information about the certificate holder, such as what they provided during the request and enrollment phase, may have to be verified.
After the certificate has been renewed, the holder gets a new certificate. Like the original one, this new certificate comes with a digital stamp of the CA, which verifies its legitimacy.
If a certificate is allowed to expire, you will no longer enjoy secure, encrypted connections. For a website, for example, certain browsers may prevent users from accessing your site because its certificate is no longer valid. If an application has a certificate, users may not be able to use it—at least not until it gets a new certificate.
Certificate Lifecycle Management Best Practices
The following certificate lifecycle management best practices can make it much easier to maintain consistent, secure connections to your digital assets:
- Integration with existing IT infrastructure and systems. When using internal, self-signed certificates, you can use automated certificate provisioning. This involves issuing certificates to devices so the IT system can authenticate each device as it tries to connect to digital resources. With automated provisioning, you can automatically issue certificates whenever new systems or devices are added to your network.
- Certificate automation. With certificate automation, you can automatically renew certificates and get alerts about certificates that are about to expire. You can custom-design your automations using rules that best fit your IT team’s workflow.
- Efficient certificate lifecycle management tools. With these tools, you can wave goodbye to manual certificate lifecycle management. For instance, you can use certificate discovery tools to discover certificates across your entire IT infrastructure. You can also import and audit certificates, no matter which CA issued them.
Save Time and Energy with Sectigo’s Certificate Manager
The certificate lifecycle, from request to renewal, is a crucial element of your security infrastructure. The safety of your digital assets, as well as those of businesses and individuals you connect with, depends on effective certificate lifecycle management.
The Sectigo Certificate Manager automates some of the most time-consuming elements of certificate lifecycle management, including discovery, tracking expiration dates, alerting IT team members of pending expirations, and importing and auditing certificates.
Contact Sectigo today to learn more about the benefits Certificate Manager can bring to your organization.