I have worked in a few places where PKI has been deployed and managed manually. We have had major issues in managing the keys issued and the nightmare we had as we updated our key management systems. (excel sheets)
At one of the organizations I worked for, the system used a internally generated PKI for managing a large set of devices. These devices were issued certificates and are needed to connect to the server. This being an important and critical system involving devices all across the United States and Canada was such a pain to maintain as the certificates expire at different times and it was difficult to keep of track of expiring certificates, equipment that are pulled off the network and those that needs to expired for some reason. The main certificate server based on OpenSSL had the root certificate and the copies of the client certificates were maintained in a USB FoB key and locked away. The process is so contorted and involved two FTEs to handle this job on a regular basis (Even though the actual work load was low, it needed the two FTEs to be involved as and when required). If you thought the process end here, you are wrong, the CRL needs to be published on a weekly basis on to a F5 load balancers to take the load of the servers, but this is a regular weekly job and this data is to be updated on a regular basis.
The problem is mainly as a consequence of the CA being internal and not not being trusted on to the OSes that the devices run. To add to all these issues, every time a new build for the devices are issued, the certificates have to be reissued. This is because of the fact that the security policy of the organization mandates that all certificates should not be exportable!!!! Now don't we have a management nightmare here.
Would like to hear if some one has a similar system that needs to be managed and how they do it. Do drop in an email at blog at sridharkrish.com
For some one interested this is one great product to manage keys
http://www.venafi.com/
At one of the organizations I worked for, the system used a internally generated PKI for managing a large set of devices. These devices were issued certificates and are needed to connect to the server. This being an important and critical system involving devices all across the United States and Canada was such a pain to maintain as the certificates expire at different times and it was difficult to keep of track of expiring certificates, equipment that are pulled off the network and those that needs to expired for some reason. The main certificate server based on OpenSSL had the root certificate and the copies of the client certificates were maintained in a USB FoB key and locked away. The process is so contorted and involved two FTEs to handle this job on a regular basis (Even though the actual work load was low, it needed the two FTEs to be involved as and when required). If you thought the process end here, you are wrong, the CRL needs to be published on a weekly basis on to a F5 load balancers to take the load of the servers, but this is a regular weekly job and this data is to be updated on a regular basis.
The problem is mainly as a consequence of the CA being internal and not not being trusted on to the OSes that the devices run. To add to all these issues, every time a new build for the devices are issued, the certificates have to be reissued. This is because of the fact that the security policy of the organization mandates that all certificates should not be exportable!!!! Now don't we have a management nightmare here.
Would like to hear if some one has a similar system that needs to be managed and how they do it. Do drop in an email at blog at sridharkrish.com
For some one interested this is one great product to manage keys
http://www.venafi.com/
Comments