Certificates

For a guide on how to request a certificate, see Issue your first certificate.

Digital certificates are the foundation of secure communications and identity verification in modern IT infrastructures. They establish trust between systems, secure data transmission, and verify the authenticity of digital entities. Effective certificate management is essential for maintaining your organization’s security posture and ensuring uninterrupted service availability.

Certificate management within MTG-CLM helps you control the entire certificate lifecycle, from issuance through renewal and eventual retirement, preventing costly outages and security vulnerabilities stemming from expired or compromised certificates.

Certificate Lifecycle Overview

Effective certificate management involves several key stages:

  • Inventory: maintain a comprehensive inventory of all certificates in your environment.

  • Issuance: request and provision new certificates based on defined policies.

  • Monitoring: track certificate status, expiration dates, and compliance with policies.

  • Renewal: renew certificates in good time before they expire.

  • Revocation: properly handle compromised or outdated certificates.

MTG-CLM provides the tools and capabilities to manage each of these stages effectively, helping you prevent unwanted security incidents and service disruptions.

Certificate Inventory Management

Complete and accurate certificate inventory is the foundation of effective certificate management. MTG-CLM provides comprehensive visibility into your certificate environment.

Viewing Certificates

The Certificates menu displays all certificates in your environment, allowing you to quickly assess your certificate inventory. You can:

  • View certificates across all realms or filter by a specific realm

  • Sort certificates by various attributes including expiration date

  • Identify certificates requiring attention through status indicators

Searching Certificates

The search functionality helps you locate specific certificates based on various criteria:

  • Search by subject, issuer, serial number, or other certificate attributes

  • Filter by status (active, expired, revoked)

  • Identify certificates with specific cryptographic properties, such as key algorithm or key size

Importing External Certificates

Organizations often have existing certificates that need to be brought under management. The import function allows you to:

  • Add externally-issued certificates to your inventory

  • Associate imported certificates with appropriate end entities

  • Begin monitoring and managing these certificates alongside those issued through MTG-CLM

When importing certificates, ensure they are associated with the correct end entity to maintain proper ownership relationships and enable effective lifecycle management.

Certificate Operations

Once certificates are in your inventory, MTG-CLM provides several operations to manage them throughout their lifecycle.

Certificate Details

Viewing certificate details provides comprehensive information about a specific certificate:

  • Certificate metadata (subject, issuer, validity period)

  • Cryptographic details (algorithm, key size)

  • Current status and lifecycle information

  • Associated end entity and realm

Certificate Download Options

MTG-CLM offers multiple download options to support various use cases:

Download Single

Downloads only the end-entity certificate itself, in PEM format. This is enough for many server configurations, but a server that must present intermediate CA certificates to its clients needs the chain download instead.

Download Chain

Downloads the complete certificate chain, including the issuing CA certificates. Clients can only validate the end-entity certificate if they can build a path from it to a root they trust, so servers should be configured with the intermediates from this download alongside their own certificate. Which root to trust remains the relying party's decision; a downloaded chain should not be installed as a trust anchor just because it arrived with the certificate.

Download CRL

Downloads the Certificate Revocation List. A CRL is a list, signed by the CA, of certificates that should no longer be trusted. It is useful for offline validation or for configuring other systems that need to verify certificate status, but it is only current as of its issue time: systems relying on a downloaded CRL must verify its signature, refresh it before its next-update time, and treat a stale or unverifiable CRL as an error rather than as proof that nothing is revoked.

Private keys must be handled securely. After download, transfer them to the target system over an encrypted channel and delete any copies left in intermediate storage such as download folders, mailboxes or shared drives.

Certificate Distribution

Certificates often need to be distributed to system administrators or end users for installation:

Email Certificate

Sends the certificate via email to the specified recipient, facilitating distribution to the appropriate personnel.

The end entity linked to the certificate must have a valid e-mail address; otherwise the certificate cannot be sent.

Certificate Renewal

Timely certificate renewal is critical to preventing service outages. MTG-CLM simplifies this process:

  • Easily identify certificates approaching expiration

  • Initiate renewal with preserved certificate attributes

  • Maintain the association with the same end entity for continuity

Certificate Revocation

When a certificate needs to be invalidated before its expiration date:

Revoke Certificate

Revokes the certificate at the issuing CA. The CA then publishes the revocation through its CRL and OCSP responder, and relying parties that check revocation status will reject the certificate from that point on; parties that do not check revocation are not affected, which is why a compromised key should also be removed from service. Revocation is the required response when a private key is compromised or a certificate should no longer be trusted.

Mark as Revoked

Updates the certificate status in MTG-CLM without performing an actual revocation at the CA. This is useful for tracking certificates that were revoked through other means. Note that it changes only the inventory record: if the CA has not revoked the certificate, relying parties will continue to accept it.
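The checks behind the Download Chain, Download CRL, Certificate Renewal and Certificate Revocation sections above, as an added example that is not MTG-CLM's code or API: a Go program using only the standard library that mints a throwaway CA and leaf certificate (constructed test data, standing in for the files the download actions would produce), then validates the leaf against a chain bundle and an explicitly chosen trust anchor, flags it for renewal once it is inside a renewal window, and issues a CRL and answers the revocation question from it, rejecting a CRL that is not signed by the issuer or whose next-update time has passed. The function names (mintPKI, verifyChain, needsRenewal, issueCRL, revokedByCRL), the hostname app.example.test and the 30-day renewal window are illustrative assumptions, not product behaviour.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// testPKI is a throwaway issuing CA plus one leaf, minted in memory as constructed test data so
// the checks run offline; in practice the certificates and CRL come from the CLM download actions.
type testPKI struct {
	ca, leaf *x509.Certificate
	caKey    *rsa.PrivateKey
	caPEM    []byte // what "Download Chain" hands out for this one-level hierarchy
}

func mintPKI() *testPKI {
	caKey, leafKey := must(rsa.GenerateKey(rand.Reader, 2048)), must(rsa.GenerateKey(rand.Reader, 2048))
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Issuing CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(10, 0, 0), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign is required to sign CRLs
	}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	leafTmpl := &x509.Certificate{ // expires in 20 days, so a 30-day renewal window flags it
		SerialNumber: big.NewInt(4711), Subject: pkix.Name{CommonName: "app.example.test"},
		DNSNames: []string{"app.example.test"}, NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(0, 0, 20),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey))))
	return &testPKI{ca, leaf, caKey, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Raw})}
}

// needsRenewal is the "approaching expiration" test: true once at most windowDays of lifetime remain.
func needsRenewal(c *x509.Certificate, windowDays int) bool {
	return time.Until(c.NotAfter) <= time.Duration(windowDays)*24*time.Hour
}

// verifyChain checks a leaf against a "Download Chain" bundle for the hostname it will serve. The trust
// anchor is passed separately on purpose: a downloaded chain is untrusted input, so only a root you
// already trust goes into Roots, and the chain only supplies the intermediates for path building.
func verifyChain(leaf *x509.Certificate, chainPEM, anchorPEM []byte, hostname string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	if !roots.AppendCertsFromPEM(anchorPEM) || !inters.AppendCertsFromPEM(chainPEM) {
		return fmt.Errorf("anchor or chain PEM contains no certificate")
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: hostname})
	return err
}

// issueCRL signs a DER-encoded CRL listing the given certificates, as the CA behind "Download CRL" would.
func issueCRL(p *testPKI, revoked ...*x509.Certificate) []byte {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(24 * time.Hour)}
	for _, c := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: time.Now()})
	}
	return must(x509.CreateRevocationList(rand.Reader, tmpl, p.ca, p.caKey))
}

// revokedByCRL answers "is cert revoked?" from a downloaded CRL. It refuses a list that is not signed by
// the issuer or whose nextUpdate has passed: a stale CRL can silently hide a recent revocation.
func revokedByCRL(crlDER []byte, issuer, cert *x509.Certificate) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, fmt.Errorf("CRL not signed by issuer: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return false, fmt.Errorf("CRL is stale, nextUpdate was %s", crl.NextUpdate)
	}
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	p := mintPKI()
	fmt.Println("chain valid:", verifyChain(p.leaf, p.caPEM, p.caPEM, "app.example.test") == nil)
	fmt.Println("renew within 30 days:", needsRenewal(p.leaf, 30))
	fmt.Println(revokedByCRL(issueCRL(p, p.leaf), p.ca, p.leaf))
}
```

The separate anchor argument is the point to notice: the chain download tells you which intermediates to present, but which root to trust is your decision, not the download's. The CRL check deliberately reports a mis-signed or stale list as an error instead of "not revoked"; a consumer that silently falls back to "good" in that situation defeats the purpose of revocation.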

Certificate Status Management

Maintaining awareness of certificate status is essential for security and compliance.

OCSP Status Check

The Online Certificate Status Protocol (OCSP) lets you query a certificate's current revocation status from the CA's OCSP responder in real time:

  • Verify the current revocation status of a certificate

  • Confirm that revocation actions have been properly processed

  • Validate the operational status of your OCSP infrastructure

The OCSP check requires network access from MTG-CLM to the OCSP responder. If the request fails because of a network error, the status is shown as Unavailable. This says nothing about whether the certificate is revoked; repeat the check once connectivity is restored rather than treating Unavailable as a good result.

Best Practices for Certificate Management

The MTG Certificate Lifecycle Manager capabilities described above are most effective when combined with the following practices:

Establish clear ownership

Associate all certificates with appropriate end entities to maintain clear ownership and responsibility.

Implement consistent naming conventions

Use consistent naming patterns for end entities and certificates to simplify management and searching.

Set appropriate validity periods

Balance security with management overhead when establishing certificate policies: shorter validity periods limit how long a compromised or mis-issued certificate stays usable, but they mean more frequent renewals.

Monitor expiration proactively

Regularly review the dashboard to identify certificates approaching expiration.

Document certificate usage

Use the description fields to document where and how certificates are used to facilitate troubleshooting and renewal.

Perform regular inventory reviews

Periodically review your certificate inventory to identify unused or redundant certificates.

These practices significantly reduce the risk of certificate-related outages and security incidents, while keeping you compliant with your organization's security policies.