Using DNS for Domain Validation and Certificate Management

February 6, 2025

In a digital landscape fraught with security threats, ensuring the authenticity of a website is paramount. SSL/TLS certificates serve as a digital passport, allowing websites to establish trusted connections with users. However, as organizations expand their digital infrastructures, many struggle with certificate management.

As cyber threats evolve, organizations should consider how using DNS records for domain validation enables them to automate certificate management processes.  

Understanding the Four Types of SSL/TLS Certificates

SSL certificates come in four main types, each providing a different level of authentication and security.  

1. Domain Validated (DV) 

A Domain Validated (DV) SSL certificate is issued after the requester provides proof of ownership of the domain, typically through email verification with the Certificate Authority (CA). A DV certificate enables an HTTPS connection that encrypts data transmitted between a web browser and the server, so the organization’s website can display trust indicators like an HTTPS URL and a padlock icon. Because DV provides the baseline level of trust, small and medium-sized businesses often use these certificates for websites that do not handle sensitive customer information.

2. Organization Validated (OV) 

An Organization Validated (OV) SSL certificate offers additional assurance by requiring both proof of domain ownership and verification of the business’s legitimacy. The CA checks essential business details, including the business’s:

  • Name 
  • Location 
  • Address 
  • Incorporation information 

Since OV certificates confirm the business associated with the domain, many organizations use them for their public-facing websites to demonstrate credibility and reliability.  

3. Extended Validation (EV) 

Extended Validation (EV) SSL certificates offer the highest level of trust because the CA engages in a vetting process across 18 validation checks to authenticate the business. To obtain the certificate, the business must verify, often through a phone call, the following: 

  • Operational existence 
  • Physical address 
  • Requestor’s employment status 

Since the CA only issues EV certificates to businesses and registered organizations, not individuals, the process ensures higher accountability and assurance.  

4. Subject Alternative Names (SAN) 

A Subject Alternative Name (SAN) certificate consolidates multiple domain names within a single certificate, so organizations operating multiple websites or services under different domain names can simplify management and reduce costs. Each name in a SAN certificate goes through the same vetting process, which confirms the authenticity and legitimacy of every listed domain. A SAN certificate can cover up to 500 names and supports fully qualified domain names (FQDNs), enabling flexibility across a complex digital infrastructure.

Organizations use SAN certificates for managing: 

  • External and internal domains 
  • Mail servers with multiple domains 
  • Load balanced web servers 
  • Multiple internal hostnames and IP addresses 

What is the Overlap Between DNS and Certificate Management? 

Before a CA can issue a certificate, the organization must prove that it controls the domain and any SANs, a process called Domain Control Validation (DCV).

Many organizations choose to demonstrate control over their domains by creating a DNS TXT record that contains the unique, randomly generated token that the CA provides. When creating the TXT record, organizations must set the Host (owner name) field correctly so that the record validates the intended base domain and/or subdomains rather than a different host.

Why is managing certificates challenging? 

As organizations expand their digital infrastructures, the number of TLS server certificates increases exponentially. Some enterprises may be managing thousands of certificates, creating challenges around: 

  • Monitoring and managing certificates from a central location 
  • Coordinating certificate installation and management across lines of business and local system network administrators 
  • Creating and disseminating awareness for certificate management risks and best practices 
  • Providing system access to the appropriate certificate services teams 
  • Defining clear policies, processes, roles, and responsibilities 

Why Should Organizations Re-evaluate Their Certificate Management Workflows? 

Without the ability to coordinate activities and manage certificates effectively, organizations face significant security and business operational risks. Many organizations use manual, time-consuming, error-prone processes for certificate management, which can lead to the following risks.  

Application outages 

TLS server certificates create a trust relationship that enhances security for the applications that a server supports. Application outages related to TLS certificates can arise from: 

  • Expired certificates 
  • Mismanagement of the CA certificate chain that links the server’s end-entity certificate to the root CA certificate

Outages arising from certificate issues are often difficult to trace, leading to business disruption and lost revenue. 
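As an added example (not from the original post), the following Go program builds a constructed root, intermediate and leaf chain with the standard library’s crypto/x509, then runs the two checks a certificate monitor would perform: days until expiry and a full chain verification against the served intermediates. Verification fails both when the intermediate is not served and when the leaf has expired, the two outage causes listed above. The CA names, hostnames, serial numbers and the fixed clock are constructed fixtures for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Now is a fixed clock so the fixture and its expiry arithmetic are deterministic (constructed).
var Now = time.Date(2025, 2, 6, 0, 0, 0, 0, time.UTC)

// newCert issues tmpl signed by parent (self-signed when parent is nil) and returns
// the parsed certificate with its private key.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// caTemplate describes a CA certificate valid from a year ago for ten years.
func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             Now.Add(-365 * 24 * time.Hour),
		NotAfter:              Now.Add(10 * 365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
}

// leafTemplate describes a TLS server certificate for one hostname with the given expiry.
func leafTemplate(name string, serial int64, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    Now.Add(-30 * 24 * time.Hour),
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// Fixture is a constructed root -> intermediate -> leaf chain plus a leaf that expires soon.
type Fixture struct{ Root, Intermediate, Leaf, ExpiringLeaf *x509.Certificate }

func BuildFixture() Fixture {
	root, rootKey := newCert(caTemplate("Example Root CA", 1), nil, nil)
	inter, interKey := newCert(caTemplate("Example Issuing CA", 2), root, rootKey)
	leaf, _ := newCert(leafTemplate("www.example.com", 3, Now.Add(400*24*time.Hour)), inter, interKey)
	soon, _ := newCert(leafTemplate("api.example.com", 4, Now.Add(10*24*time.Hour)), inter, interKey)
	return Fixture{root, inter, leaf, soon}
}

// DaysUntilExpiry is the figure an inventory report keys renewal scheduling on.
func DaysUntilExpiry(c *x509.Certificate, now time.Time) int {
	return int(c.NotAfter.Sub(now).Hours() / 24)
}

// RenewalDue reports whether the certificate falls inside the renewal window.
func RenewalDue(c *x509.Certificate, now time.Time, withinDays int) bool {
	return DaysUntilExpiry(c, now) <= withinDays
}

// CheckChain verifies leaf for hostname using only the intermediates the server
// serves and the trusted root. A missing intermediate or an expired leaf yields an error.
func CheckChain(leaf *x509.Certificate, served []*x509.Certificate, root *x509.Certificate, hostname string, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	inters := x509.NewCertPool()
	for _, c := range served {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: hostname, Roots: roots, Intermediates: inters, CurrentTime: now})
	return err
}

func main() {
	f := BuildFixture()
	for _, c := range []*x509.Certificate{f.Leaf, f.ExpiringLeaf} {
		fmt.Printf("%-16s expires in %3d days, renewal due: %v\n", c.Subject.CommonName, DaysUntilExpiry(c, Now), RenewalDue(c, Now, 30))
	}
	fmt.Println("full chain:", CheckChain(f.Leaf, []*x509.Certificate{f.Intermediate}, f.Root, "www.example.com", Now))
	fmt.Println("missing intermediate:", CheckChain(f.Leaf, nil, f.Root, "www.example.com", Now))
	fmt.Println("expired leaf:", CheckChain(f.ExpiringLeaf, []*x509.Certificate{f.Intermediate}, f.Root, "api.example.com", Now.Add(30*24*time.Hour)))
}
```

The missing-intermediate case is the one that is hardest to trace in production: the leaf itself is valid, so a monitor that only checks expiry reports green while clients that do not have the intermediate cached fail the handshake. Verifying against only what the server actually serves, as CheckChain does, catches it.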

Server Impersonation 

Often, organizations store TLS server private keys in files that system administrators directly manage and handle, for example by making copies. Further, organizations often use the same certificate and private key for all servers in a load-balancing cluster. These manual processes increase the likelihood that attackers can compromise the key, which can lead to server impersonation.

Lack of Crypto-agility 

Many organizations have no comprehensive TLS server certificate inventory. Problematically, when a large-scale cryptographic failure occurs, the organization lacks the following:

  • Updated information about certificate owners responsible for each certificate 
  • Ability to contact certificate owners 
  • Processes for tracking progress when replacing large numbers of certificates 
  • Documentation for and visibility into the number of updated systems 

These issues mean that replacing affected certificates can take weeks or months, leaving applications unavailable or vulnerable to a security incident. 

Best Practices for DNS and Certificate Management 

As organizations seek to overcome the challenges and risks that manual certificate management creates, they should consider the following best practices.   

Validate domains with DNS Records 

Although organizations can use email to verify their domain ownership, leveraging DNS records provides a more authoritative and secure approach. You can validate a domain and prove ownership by: 

  • Creating a DNS CNAME record whose name includes the verification token and that points to a hostname controlled by the CA
  • Using DNS TXT records to add domains, authorize them for certificates, and act as the validation method 

Using DNS records for DCV enables you to have more control over the validation process, especially as email can be easily compromised or spoofed. Additionally, by leveraging DNS records, you natively connect your certificates to the domains rather than having to track them separately.  
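The two DNS-based validation methods above, together with the Host-field caveat from the DCV section, as an added example that is not Vercara’s code or any CA’s: a Go program that checks an in-memory zone for the CA’s token by both the TXT and the CNAME method, and diagnoses the case where the token was published at the base domain while the subdomain was the one being validated. The `_dcv` label, the `dcv.ca.example` target zone, the hostnames and the token values are assumptions constructed for this example, and the two-label base-domain rule ignores public suffixes and is a simplification.

```go
package main

import (
	"fmt"
	"strings"
)

// Zone is a constructed in-memory stand-in for an authoritative DNS zone:
// owner name -> record type -> values. No network lookups are made.
type Zone map[string]map[string][]string

// fqdn lower-cases a name and ensures exactly one trailing dot.
func fqdn(name string) string {
	return strings.TrimSuffix(strings.ToLower(strings.TrimSpace(name)), ".") + "."
}

// lookup returns the values of rrtype at owner, or nil when absent.
func (z Zone) lookup(owner, rrtype string) []string {
	if rrs, ok := z[fqdn(owner)]; ok {
		return rrs[rrtype]
	}
	return nil
}

// TXTOwner is where the CA expects the TXT token. The "_dcv" label is an
// assumption for this example; each CA documents its own label.
func TXTOwner(domain string) string {
	return fqdn("_dcv." + strings.TrimSuffix(domain, "."))
}

// CNAMEOwner and CNAMETarget model the CNAME method: the token becomes a label
// under the domain and the record points at a name in an assumed CA-operated zone.
func CNAMEOwner(domain, token string) string {
	return fqdn(token + "." + strings.TrimSuffix(domain, "."))
}
func CNAMETarget(token, caZone string) string {
	return fqdn(token + "." + strings.TrimSuffix(caZone, "."))
}

// baseDomain keeps the last two labels. It ignores public-suffix rules
// (co.uk and the like) and is a simplification for this example.
func baseDomain(domain string) string {
	labels := strings.Split(strings.TrimSuffix(fqdn(domain), "."), ".")
	if len(labels) <= 2 {
		return fqdn(domain)
	}
	return fqdn(strings.Join(labels[len(labels)-2:], "."))
}

// Result says whether control of Domain was demonstrated and, if not, why.
type Result struct {
	Domain, Method, Owner, Reason string
	OK                            bool
}

// ValidateTXT looks for the token in a TXT record at the expected owner. When the
// token is instead published at the base domain, the reason names the Host-field
// mistake: that record validates the apex, not the subdomain being requested.
func ValidateTXT(z Zone, domain, token string) Result {
	r := Result{Domain: domain, Method: "TXT", Owner: TXTOwner(domain)}
	for _, v := range z.lookup(r.Owner, "TXT") {
		if v == token {
			r.OK = true
			return r
		}
	}
	if base := baseDomain(domain); base != fqdn(domain) {
		for _, v := range z.lookup(TXTOwner(base), "TXT") {
			if v == token {
				r.Reason = fmt.Sprintf("token found at %s but validation targets %s; fix the Host field", TXTOwner(base), r.Owner)
				return r
			}
		}
	}
	r.Reason = "no TXT record with the expected token at " + r.Owner
	return r
}

// ValidateCNAME checks that the token-named CNAME points at the CA's target name.
func ValidateCNAME(z Zone, domain, token, caZone string) Result {
	r := Result{Domain: domain, Method: "CNAME", Owner: CNAMEOwner(domain, token)}
	want := CNAMETarget(token, caZone)
	targets := z.lookup(r.Owner, "CNAME")
	switch {
	case len(targets) == 0:
		r.Reason = "no CNAME record at " + r.Owner
	case len(targets) > 1:
		r.Reason = "more than one CNAME at " + r.Owner + " (not a valid RRset)"
	case fqdn(targets[0]) != want:
		r.Reason = fmt.Sprintf("CNAME points to %s, expected %s", targets[0], want)
	default:
		r.OK = true
	}
	return r
}

// SampleZone is constructed data: the TXT token is published at the apex only,
// and www carries a token-named CNAME delegation to the CA.
func SampleZone() Zone {
	return Zone{
		"_dcv.example.com.":           {"TXT": {"tok-9f3a2c"}},
		"tok-9f3a2c.www.example.com.": {"CNAME": {"tok-9f3a2c.dcv.ca.example."}},
	}
}

func main() {
	z := SampleZone()
	results := []Result{
		ValidateTXT(z, "example.com", "tok-9f3a2c"),
		ValidateTXT(z, "www.example.com", "tok-9f3a2c"), // token sits at the apex, not under www
		ValidateCNAME(z, "www.example.com", "tok-9f3a2c", "dcv.ca.example"),
	}
	for _, r := range results {
		fmt.Printf("%-5s %-16s ok=%-5v %s\n", r.Method, r.Domain, r.OK, r.Reason)
	}
}
```

Running a check like this against the zone before submitting the order to the CA turns the Host-field mistake from a failed validation you learn about from the CA into a message you see immediately; the same lookup logic, pointed at a real resolver, is what an automated enrollment pipeline would poll while waiting for the record to propagate.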

Establish Policies and Processes 

Implementing certificate management policies and processes enables you to create a formal structure around these activities. Your policies and processes should include, at a minimum: 

  • A certificate inventory 
  • Ownership that assigns responsibility for management tasks 
  • Approved CAs 
  • Validity periods 

The policies and processes enable you to build certificate management into your overarching security and enterprise risk management programs.  

Leverage Automation 

Connecting your DNS data with your TLS data enables you to automate 100% of the certificate management process.

Using a Certificate Service that includes automation and supports certificate owners enables you to enforce your certificate management policies and processes for: 

  • Certificate discovery 
  • Inventory management 
  • Reporting 
  • Monitoring 
  • Enrollment 
  • Installation 
  • Renewal 
  • Revocation 

Vercara: Robust DNS to Support Certificate Management Automation 

With over 25 years of proven experience, Vercara’s authoritative DNS ensures continued uptime while protecting against online threats. With our user-friendly, web-based portal and REST API capabilities, customers can easily manage changes, like updating DNS records, to save time and streamline processes.

Last Updated: February 28, 2025