How to store Security Keys and Certificates safely

Keys and Certificates

Let’s first introduce the definition of a digital certificate and a public key.

A digital security certificate (or identity certificate) is an electronic document used to prove the ownership of a public key.
A security certificate, as well as a digital key, is a small file that binds a cryptographic cipher to an organization's details.
Cryptographic algorithms use certificates to encrypt or sign the data in messages, either hiding the data from other observers or uniquely identifying its author.

Types of certificate

  • TLS/SSL server certificate
  • TLS/SSL client certificate
  • Email certificate
  • Code signing certificate
  • Qualified certificate
  • Root certificate
  • Intermediate certificate
  • End-entity or leaf certificate
  • Self-signed certificate

A web server uses an SSL certificate to establish an encrypted channel between the server, identified by a named URL, and the users of the website.

Developers use code signing certificates to digitally sign code distributed to their users. Computers use keys instead of passwords to authenticate users when they log in.
From the point of view of the user, keys and certificates are secret files that unlock some valuable resource or are used as proof of the identity of the user, organization or software.

A typical organization has many certificates. Numerous internal software services require unique certificates and keys bound to multiple domains, computers and endpoints. In most cases, it is hard or impractical to consolidate these certificates. Also, too much consolidation leads to more security risk, because one key then provides access to too many resources: it becomes hard to control role-based access to resources, and losing or compromising a certificate becomes a major network issue.

Storage for Keys

With so many certificates and keys to store, the question is where to store them. The storage should ideally provide role-based access to certificates, allow sharing them inside the organization and include audit trail logs covering permission and access related events. The storage should also have some form of encryption on the back end.

However, the typical state of certificate handling involves storing these keys in a network folder open for everybody or in a mail server where they end up after many forwards by users who cannot access this folder but still need them. Designating one person to keep watch on these keys also seems like a poor solution. In this case these certs will most likely end up on this person’s laptop and sharing is still a problem. Even just a slight improvement upon this situation would better the handling of company security and identity.
Let’s try to analyze several options to store digital keys and certificates that are realistic to implement without investing too many resources and without sacrificing even more security.
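
One way to measure the "network folder open for everybody" problem described above, as an added example that is not part of the original article: a Python audit that walks a share and reports private-key files readable by anyone other than their owner. It assumes POSIX permission bits (Windows or SMB ACLs need a different check); the file names and placeholder contents in `demo()` are constructed.

```python
import os
import stat
import tempfile

PEM_PRIVATE = b"PRIVATE KEY-----"                # tail of RSA/EC/PKCS#8 PEM headers
KEYSTORE_EXT = {".pfx", ".p12", ".jks", ".key"}  # containers that normally hold private keys


def find_exposed_keys(root):
    """Return sorted (relative_path, exposure) for key files readable beyond the owner."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode):
                    continue  # ignore symlinks and special files
                with open(path, "rb") as fh:
                    head = fh.read(4096)
            except OSError:
                continue  # the auditing account cannot read it either
            ext = os.path.splitext(name)[1].lower()
            if PEM_PRIVATE not in head and ext not in KEYSTORE_EXT:
                continue  # public certificates are not secret
            rel = os.path.relpath(path, root)
            if st.st_mode & stat.S_IROTH:
                findings.append((rel, "world-readable"))
            elif st.st_mode & stat.S_IRGRP:
                findings.append((rel, "group-readable"))
    return sorted(findings)


def demo():
    """Build a constructed share with placeholder files (no real keys) and audit it."""
    fake_key = b"-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-PLACEHOLDER\n-----END PRIVATE KEY-----\n"
    fake_cert = b"-----BEGIN CERTIFICATE-----\nCONSTRUCTED-PLACEHOLDER\n-----END CERTIFICATE-----\n"
    layout = {"web/site.pem": (fake_key, 0o644), "web/site.crt": (fake_cert, 0o644),
              "signing/release.pfx": (b"constructed-keystore", 0o640),
              "ops/deploy.pem": (fake_key, 0o600)}
    with tempfile.TemporaryDirectory() as root:
        for rel, (data, mode) in layout.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
            os.chmod(path, mode)
        return find_exposed_keys(root)
```

The public certificate `web/site.crt` and the owner-only `ops/deploy.pem` are deliberately not reported; only secret material with group or world read access is.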

Options for the Storage

Content Management System

Compared with storing certificates on a laptop hard drive, a Content Management System (CMS) sounds like an upgrade. Either an on-premises (Microsoft SharePoint) or a cloud (Google Drive, Office 365) solution will do the job. A modern web-based CMS can provide central storage, secure remote web access, item-level permissions, metadata associated with certificates, search and logs for auditing.

Many organizations already have a CMS implemented for content workflow, which simplifies its adoption as certificate storage.

Identity Vault

An identity vault is a specialized content management system for storing passwords, keys and certificates. In addition to the benefits provided by a CMS, identity vaults can encrypt data in the back-end storage, generate additional logging and implement field-level permissions. Identity vaults also usually include a dedicated API for accessing certificates from the places that need them, such as code signing or computer access. This improves overall system security because some users can initiate or use a process that requires a certificate from the storage without actually accessing the certificate itself. The process retrieves the certificate when needed instead.

CyberArk, Thycotic and ManageEngine are examples of vendors distributing enterprise-class identity vaults.
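
The use-without-access behaviour described above, as an added Python example that is not taken from the article or from any vendor's product: a toy in-memory vault where a role can be allowed to use a signing key without being allowed to export it, and every request is written to an audit trail. The class, role and secret names are hypothetical, the key is a constructed placeholder, and HMAC-SHA256 stands in for a certificate-backed signature so the code runs with only the standard library.

```python
import hashlib
import hmac


class Vault:
    """Toy identity vault: per-role permissions, audit trail, use-without-reveal."""

    def __init__(self):
        self._keys = {}   # name -> key bytes (a real vault encrypts these at rest)
        self._acl = {}    # name -> {role: {"use", "export"}}
        self.audit = []   # (user, role, action, name, allowed), append-only

    def store(self, name, key, acl):
        self._keys[name], self._acl[name] = key, acl

    def _authorize(self, user, role, action, name):
        allowed = action in self._acl.get(name, {}).get(role, set())
        self.audit.append((user, role, action, name, allowed))  # log denials too
        if not allowed:
            raise PermissionError(f"role {role!r} may not {action} {name!r}")

    def export(self, user, role, name):
        """Hand the raw key to the caller: the operation to keep rare."""
        self._authorize(user, role, "export", name)
        return self._keys[name]

    def sign(self, user, role, name, payload):
        """Sign inside the vault; the caller only ever sees the signature."""
        self._authorize(user, role, "use", name)
        return hmac.new(self._keys[name], payload, hashlib.sha256).hexdigest()


def demo():
    """A build engineer can sign a release but cannot take the key away."""
    vault = Vault()
    vault.store("release-signing", b"constructed-demo-key",
                {"build": {"use"}, "security-admin": {"use", "export"}})
    signature = vault.sign("alice", "build", "release-signing", b"app-1.0.tar.gz")
    try:
        vault.export("alice", "build", "release-signing")
        export_denied = False
    except PermissionError:
        export_denied = True
    return signature, export_denied, vault.audit
```

The audit trail records the denied export as well as the successful signing, which is the event a reviewer would want to see.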

Session Manager

In addition to the benefits provided by identity managers, a session manager can establish access to a remote computer using the certificate from the vault. This solves the problem of exposing the certificate to the user. Not all certificates are used as keys to access remote computers, but those that are could benefit from using session managers.

CyberArk, BeyondTrust and Xton Tech are examples of vendors building session management solutions on top of their identity vaults. Session managers used to be complex and hard to implement. They often require agent software on client computers as well as on servers. These days, however, look for an affordable agentless solution with simple implementation and licensing options.

Mark Klinchin