WHITE PAPER:

MANAGING SSL CERTIFICATES

WITH EASE

White Paper

Managing SSL Certificates

with Ease
Best Practices for Maintaining the Security
of Sensitive Enterprise Transactions

White Paper: Managing SSL Certificates with Ease

Managing SSL Certificates with Ease

CONTENTS
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Costs of SSL certificate mishaps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Challenges in SSL certificate management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Needed: A comprehensive SSL certificate management system . . . . . . . . . . . . . 6
Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

White Paper: Managing SSL Certificates with Ease

Introduction
SSL certificates make it possible for users around the world to communicate
sensitive information with the confidence that it is safe from malicious hackers,
allowing anyone to confidently use the web for business and social interactions
including banking, shopping, social interactions, and product development.
Information explosion and the accelerating adoption of cloud computing is making
SSL certificates more important than ever. Users must feel confident that they are
at legitimate URLs before sharing valuable information or work on what might be
a spoofed site. Additionally, the popularity of social media and emphasis of online
collaboration in the modern enterprise makes SSL certificates essential in both
work and play. Online users are sharing increasingly large volumes of personal
and professional information, and need to know that their accounts will not
be compromised.
With the standardization to 2048-bit SSL certificates, website owners can be even
more confident about the protection of their online data communications. Yet even
enterprises using this higher level of security still face serious threats. One key
reason for this risk: poor SSL certificate management.

In a survey by ReRez Market

Research in 2012, 82 percent of
companies with an average of
2,000 SSL certificates reported
seeing rogue certificates on
their systems.1
Other results of this survey showed
the complexity of SSL certificate
management:
Most organizations use multiple
methods to track their SSL
certificates
Only 40 percent are sure
cloud-partners certificates
comply with internal standards
A full 33 percent say their SSL
certificate catalog is less than
somewhat accurate

Poor SSL certificate management can happen for four reasons:

Enterprises with hundreds (if not thousands) of SSL certificates from several
different providers could lose track of certificates in their environments. When
this happens, certificates could expire and go unnoticed for months, leaving
websites unprotected and subject to browser warnings, and visitors vulnerable
to hackers.
Some certificate users in a company may deploy self-signed certificates on their
own initiative. These certificates are largely unknown to IT, go unmanaged and
could violate corporate policy.
Poorly configured or incorrectly installed SSL certificates could result in
business disruption if browser popup warnings occur when users try to access
the site.
By failing to follow best practices companies could find themselves with noncompliant certificates that make websites vulnerable to hackers or other risks.
Their SSL certificates could have unsecure key length or algorithm, or issued
from a Certificate Authority with security breaches.
This white paper will present the lack of operational efficiencies and compliance
pitfalls associated with poor SSL certificate management, why poor management
is potentially dangerous to the enterprise, and how the right SSL certificate
management tool can help enterprises keep track of and manage SSL certificates
more effectively.

Source: ReRez Market Research, January 2013.

White Paper: Managing SSL Certificates with Ease

Costs of SSL certificate mishaps

The cost of possessing rogue or expired SSL certificates can be significant. SSL
certificate management is complex with just 27 percent of enterprises feeling
that managing cloud-based SSL certificates is easy, according to the ReRez survey.2
Errors that occur from installing and configuring them manually can be costly.
Business is impacted, and IT time and resources are redeployed from critical
projects to fix problems that arise from improper installations. Human errors could
put both website and users at risk.
Then there are the painful, multistep processes required to track certificates
manually using Excel spreadsheets that eats away at IT department time. For large
data centers, it is time-consuming to manage certificates from different certificate
authorities (CAs). Lost sales are another very significant cost. Forty-three percent
of enterprise users said they would abandon a transaction if told a certificate
had expired; 77 percent of consumers would abandon their shopping carts if
confronted with an expired certificate.3

According to the ReRez survey, the

median business lost $222,000
and some businesses lost as much
as $3.8 million in the past 12
months due to certificate mishaps.
In addition to all the previously
named costs, theres the risk
of stolen intellectual property,
along with damaged brand and
reputation, if certificates
are misconfigured.

Additionally, the enterprise bears higher costs in the form of increased calls to the
IT help desk by employees, and increased calls to customer support lines when
customers get warning messages that certificates are out of date.
For enterprises that are required to comply with federal and state regulations
such as the Health Insurance Portability and Accountability Act (HIPAA) or Payment
Card Industry (PCI) Data Security Standard mandates expired SSL certificates can
be very serious. In healthcare, data breaches must be reported and each incident
can carry heavy fines mandated by law. And in credit card transactions, having
valid SSL certificates is required or heavy fines ensue.
Then, many companies have their own internal security best practices that
must be complied with. Non-compliance can end up costing organizations
almost three times as much as taking the necessary steps to comply with data
security standards.

2
3

Ibid.
Ibid.

White Paper: Managing SSL Certificates with Ease

All in all, the complexity of tracking certificates manually leads to many challenges
and costs. Loss of business continuity and reduction of IT efficiency were cited by
administrators as the top contributors to the costs of certificate mismanagement.
(see Figure 1).
The Complexity of Tracking Certificates Raises Challenges
Makes our business less agile

33 %

Increased costs

33 %

Compliance issues

33 %

Lowers IT efficiency by increasing the labor required

to manage certificates

50 %

Loss of business continuity from unplanned certificate expirations

50 %

0%

10 %

20 %

30 %

40 %

50 %

60 %

Figure 1: Top contributors to costs of non-compliance with SSL certificate

management best practices.4

Challenges in SSL certificate management

The fact is, managing large numbers of certificates is challenging. Enterprises can
have hundreds, if not thousands, of certificates, each expiring at a different time.
Employees responsible for managing certificates sometimes leave the organization,
which increases the chances that certificate management tasks can fall through
the cracks.
Plus, if the organization possesses certificates from a number of different CAs, or
has any self-signed certificates, matters are complicated even further. Although
some CAs offer management tools, most cant manage certificates from different
CAs, even within the same environment.
Enterprises with distributed networks and various different applications running
in their environments can have different security policies, and require different
kinds of SSL certificates. They also need to adhere to industry standards. For
example, companies need to be compliant with National Institute of Standards
and Technology (NIST) mandates to migrate all SSL certificates from 1024-bit to
2048-bit SSL certificates. Enterprises must have visibility across their networks to
discover all the certificates that need to be migrated.
CAs with infrastructure that is not well secured could get hacked. When
that happens, companies need to know if they have SSL certificates by the
compromised CA in order to terminate or transfer the certificates to CAs with
secure infrastructure.

Ibid.

White Paper: Managing SSL Certificates with Ease

The complexity and variance of approach with regards to installing SSL certificates
could cause mistakes to happen. For example, some certificates may require an
intermediate certificate to be installed and others not. Installation and renewal
of certificates are not necessary a daily routine. Manual deployment of SSL
certificates would necessitate administrators to constantly refresh their memories
and track their work diligently to make sure the certificate renewal and installation
process is adhered to correctly.
Needed: A comprehensive SSL certificate management system
The solution: an SSL certificate management system that simplifies SSL certificate
discovery and monitoring and automates certificates renewal and transfer. An
effective SSL certificate management solution will enable organizations to know
what kinds of certificates they have, help them renew certificates in a timely
fashion or have automated transfer from one CA to another.
Characteristics of an effective SSL certificate management solution include:
Automates discovery and monitoring. No need to manually search for the
number or types of SSL certificates that exist in your environment.
Automates lifecycle management, including renewal and installation.
Installing intermediate certificates can be challenging for system administrators
unfamiliar with SSL certificates. An SSL certificate management system with
automated transfer and renew capabilities for intermediate certificates will help
avoid incorrect installation and ensure business continuity.
Provides strong reporting capabilities. Can report on all SSL certificates in
the inventory for accountability and compliance verification, and can provide
both detailed and executive-level reporting.
Works across SSL certificates from multiple CAs, including self-signed
certificates. No need for multiple CA management tools you should be able to
manage all certificates from a single console.
Works across distributed networks. A comprehensive solution works no
matter where the SSL certificates have been installed.
Notifies organizations when a certificate is about to expire. No more risk of
expired certificates alarming users or website visitors.
Rates security of SSL certificates. Makes sure you are adhering to industry
best practices and standards.
Provides easy access. You can manage certificates from desktops as well as
mobile devices.
Is easy to manage. The ideal SSL certificate management solution lives in
the cloud so organizations dont have to worry about managing the server
or software.
With a single, comprehensive method of managing SSL certificates, organizations
currently struggling to manage SSL can find relief and achieve enterprise-wide
visibility with a simple, straightforward solution.

White Paper: Managing SSL Certificates with Ease

Conclusion
A full 44 percent of organizations say that it is either somewhat or extremely
common for them to have wrongly installed or misconfigured SSL certificates
in their inventory. Forty-five percent experience security breaches due to SSL
certificate issues. Fifty-six percent struggle with not knowing when certificates are
about to expire (see Figure 2).
Common SSL Certificate Issues

Wrongly installed and misconfigured certificates

44 %

Security breaches related to certificates

45 %

Discovering rogue certificates

47 %

Unanticipated expiration of certificates

(we didnt know it was about to expire)

56 %

0%

10 %

20 %

30 %

40 %

50 %

60 %

Figure 2: Somewhat / Extremely common SSL certificate issues that arise

The solution: an SSL certificate management system similar to Symantec

Certificate Intelligence, which automates the SSL certificate discovery and renewal
process. With an effective SSL certificate management solution, organizations can
mitigate the risks of manually installing, configuring, and tracking certificates,
keeping their IT departments operating efficiently, their businesses free from
disruption, and their users safe.

White Paper: Managing SSL Certificates with Ease

More information:
In United States or Canada
Visit our website
http://go.symantec.com/certificate-intelligence-center
To speak with a Product Specialist, please call or email:
1 (866) 893-6565 or 1 (650) 426-5112 SSL_EnterpriseSales_NA@symantec.com
In Europe, Middle East or Africa (EMEA)
Visit our website
http://www.symantec.co.uk/certificate-intelligence-center
To speak with a Product Specialist, please call or email:
United Kingdom and Ireland +0800 032 2101 Rest of EMEA +353 1 850- 2628 or +41 (0) 26 429 7929
United Kingdom sslsales-uk@symantec.com Rest of EMEA sslsales-ch@symantec.com
In Asia-Pacific
Visit our website
http://www.symantec.com/ap/certificate-intelligence-center
To speak with a Product Specialist, please call or email:
Australia +61 3 9674 5500 New Zealand +64 9912 7201 Hong Kong +852 30 114 683
Singapore +65 6622 Taiwan +886 2 2162 1992
Taiwan, Hong Kong, Singapore ssl_sales_asia@symantec.com Australia, New Zealand ssl_sales_au@symantec.com
To speak with additional Product Specialists outside the U.S.
For specific country offices and contact numbers, please visit our website
About Symantec
Symantec protects the worlds information, and is a global leader in security, backup and availability solutions. Our
innovative products and services protect people and information in any environment from the smallest mobile device,
to the enterprise data center, to cloud-based systems. Our world-renowned expertise in protecting data, identities and
interactions gives our customers confidence in a connected world. More information is available at www.symantec.com
or by connecting with Symantec at: go.symantec.com/socialmedia.
Symantec Corporation World Headquarters
350 Ellis Street
Mountain View, CA 94043 USA
1 (866) 893 6565
www.symantec.com

Copyright 2014 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in
the U.S. and other countries. Other names may be trademarks of their respective owners.
UID:197/08/14