Managing Digital Certs: Making the Essential Less Annoying

F5 Miniatur
Published November 17, 2017

A couple of years ago, I asked a customer about central management and about what features they were looking for. High on their list – much higher than I expected – was the management of traffic certificates. The customer was planning on rolling out a new security policy, which included upgrading their certs. Between you and me, this customer had a hard time telling me exactly how many BIG-IPs they had (hence the central management discussion), never mind how many hundreds of certs they used or where they were located. Someone had a spreadsheet, of course, but they weren’t sure if they could rely on it. Not surprisingly, no one wanted the task of manually finding and upgrading all these certs.

And this wasn’t a onetime ask. The customer went on to explain that cert management was regular annoyance – one of those tedious tasks that advance nothing, generate no revenues, don’t get mentioned as part of anyone’s professional goals – but nevertheless are critical. The truth is that digital certificates are the backbone of information security. And these certificates aren’t just used for public websites. Companies may have thousands of certificates to build trust in web transactions, email messages, application code, device communication, and more. And with the number of IoT devices in the market (and on the horizon), the numbers of certs to be managed will only grow.

So it’s certainly fair to say that certificate management is important. Certificates generally are set to expire after a couple of years – so a company may have to deal with hundreds or thousands of certificates reaching their expiration date each year. And expired certs are not only an annoyance, they can block critical transactions and lead to major revenue loss. A Ponemon Institute survey of Fortune 5000 companies showed that a certificate outage can result in a recovery cost of $15 million in lost business and potentially another $25 million for compliance violations.

At the time I suggested the customer explore F5’s partnerships with Venafi or Symantec – both offer certificate management solutions. Well, that was a fine answer at the time. And while F5’s relationships with Venafi and Symantec are still strong, and both offer comprehensive certificate management solutions, now F5’s own BIG-IQ includes SSL certificate management as part of a broader set of central management capabilities.

Watch a Quick Video on Managing SSL Certificates on F5 Devices

The Details

F5’s BIG-IQ Centralized Management provides a central point of control for F5 physical and virtual devices. It simplifies management, helps ensure compliance, and gives you the tools needed to deliver applications securely and effectively. BIG-IQ manages policies, licenses, images, configurations and SSL certificates for F5 devices. You can of course find more information about it on the BIG-IQ product page.

Introduced last July, certificate management is one of the unsung heroes of BIG-IQ v5.2. While BIG-IQ doesn’t yet offer the automation capabilities of some approaches, it does provide a straightforward way to see and manage all your SSL certificates on F5 devices from a single pane of glass. While BIG-IQ won’t manage device certificates or certificate bundles, it does go a long way to solving the certificate management conundrum.

What certificate management functions are provided by BIG-IQ, and what do they help you accomplish?

  • Discover and inventory certs
  • See cert status, state, expiration date, and more
  • Monitor certs with timely alerts
  • Create a cert signing request (CSR)
  • Issue certs – self-signed or from a cert authority
  • Import certs
  • Refresh certs
  • Retire certs
  • Maintain an audit trail
  • Centrally manage Certificate Revocation Lists (CRLs) – coming in version 5.4 (anticipated release later this year)

For these capabilities and others, download a trial version of BIG-IQ here and see how certificate management can make your life a little easier.