Digital certificate problems are much in the news, owing to the scandal over compromised certificate authority DigiNotar, but the more common certificate problems are much simpler and more confined. Large, complex organizations often have trouble keeping track of all their certificates.
It's surprisingly common to find management of external CA-issued digital certificates to be decentralized and unorganized. Different groups buy them for different sites and some guy keeps track of them, including minor details like the private keys and expiration dates, in an Excel sheet. One day when he falls through a manhole or leaves for another job, what's going to happen? You may not even think about it until one of the certificates expires and users start getting errors. "I think that file was somewhere here in his network folder..."
This stuff really does happen a lot. And yet there aren't a lot of professional solutions for certificate management. Many certificate management products are designed only for a particular CA, or an internal CA.
The best-known general solution is Director Certificate Manager from Venafi. It's not just a management system and it's not just for SSL certificates; it has tools for seeking out and inventorying your existing encryption assets. It allows you to use high-protection technologies like hardware security modules to guard the inventory.
I haven't tested this product; I've heard it's as complex as it is comprehensive, and help from Venafi Professional Services is often necessary, but I'm sure you get what you pay for.
Now Symantec has their own solution in this space. Symantec Certificate Intelligence Center is a cloud-based solution. Even though Symantec now owns VeriSign, the biggest certificate authority in the business, CIC will work with certificates from any certificate authority.
[Note: I have, in the past, done paid consulting work and writing for VeriSign, before and after their acquisition by Symantec.]
CIC appears to have many of the same features as Venafi, such as discovery and inventory of certificates, but the cloud approach may be advantageous for many, in terms of distribution and access across a large enterprise, not to mention robustness against downtime and other errors in your own infrastructure.
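The inventory function that both products offer comes down to parsing each certificate and tracking its validity window, which is exactly what the spreadsheet in the story fails to do reliably. The following is an added example, not code from the article, Venafi or Symantec: a stdlib-only Python inventory with a minimal DER walker that extracts subject, issuer, serial and notBefore/notAfter from an X.509 certificate (DER or PEM) and flags entries that are expired or inside a warning window. The sample certificates, reference date, hostnames and serials are constructed; the tiny DER encoder exists only to build them offline, and nothing here verifies signatures or chains.

```python
"""Minimal certificate inventory: parse X.509 DER/PEM, extract subject, issuer,
serial and validity, and flag expired or expiring entries. Added example, not
from the article or any vendor product; signatures are NOT verified."""
import base64
from datetime import datetime, timedelta, timezone

OID_CN = bytes.fromhex("550403")                      # 2.5.4.3 commonName
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # sha256WithRSAEncryption

# --- tiny DER encoder, used only to build the constructed sample certificates ---
def der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def name_with_cn(cn):            # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue
    atv = der(0x30, der(0x06, OID_CN) + der(0x13, cn.encode("ascii")))
    return der(0x30, der(0x31, atv))

def sample_certificate(subject_cn, issuer_cn, serial, not_before, not_after):
    """Structurally valid certificate with placeholder key and signature (constructed)."""
    utc = lambda dt: der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))  # UTCTime
    sig_alg = der(0x30, der(0x06, OID_SHA256_RSA) + der(0x05, b""))
    serial_der = der(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02"))                 # [0] EXPLICIT version v3
                    + serial_der + sig_alg + name_with_cn(issuer_cn)
                    + der(0x30, utc(not_before) + utc(not_after))  # Validity
                    + name_with_cn(subject_cn)
                    + der(0x30, sig_alg + der(0x03, b"\x00" * 17)))  # placeholder SPKI
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" * 33))      # placeholder signature

# --- DER parser (works on real certificates too) ----------------------------
def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:                                               # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, value, pos = read_tlv(content, pos)
        out.append((tag, value))
    return out

def common_name(name_der):
    for _, rdn in children(name_der):                   # each RDN is a SET
        for _, atv in children(rdn):                    # of (OID, value) SEQUENCEs
            oid, value = children(atv)
            if oid[1] == OID_CN:
                return value[1].decode("utf-8")
    return None

def parse_time(tag, value):
    text = value.decode("ascii")
    if tag == 0x17:                                     # UTCTime: RFC 5280 pivots at 1950
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def der_to_pem(der_bytes):
    body = base64.b64encode(der_bytes).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

def parse_certificate(data):
    if data.lstrip().startswith(b"-----BEGIN"):           # PEM: strip armor, base64-decode
        lines = [l.strip() for l in data.decode("ascii").splitlines()]
        data = base64.b64decode("".join(l for l in lines if not l.startswith("-----")))
    _, cert, _ = read_tlv(data)
    fields = children(children(cert)[0][1])             # tbsCertificate fields
    i = 1 if fields[0][0] == 0xA0 else 0                # optional explicit [0] version
    validity = children(fields[i + 3][1])
    return {"serial": int.from_bytes(fields[i][1], "big"),
            "issuer": common_name(fields[i + 2][1]),
            "not_before": parse_time(*validity[0]),
            "not_after": parse_time(*validity[1]),
            "subject": common_name(fields[i + 4][1])}

# --- inventory report --------------------------------------------------------
def inventory(cert_blobs, now, warn_days=30):
    """One row per certificate, soonest expiry first, with a status flag."""
    rows = []
    for blob in cert_blobs:
        info = parse_certificate(blob)
        days = (info["not_after"] - now).days
        status = "EXPIRED" if days < 0 else "EXPIRING" if days <= warn_days else "OK"
        rows.append({**info, "days_left": days, "status": status})
    return sorted(rows, key=lambda r: r["days_left"])

NOW = datetime(2011, 9, 15, tzinfo=timezone.utc)      # constructed reference date
SAMPLE_CERTS = [                                       # constructed sample certificates
    sample_certificate("www.example.test", "Example Issuing CA", 0x1001,
                       NOW - timedelta(days=700), NOW + timedelta(days=400)),
    sample_certificate("mail.example.test", "Example Issuing CA", 0x1002,
                       NOW - timedelta(days=360), NOW + timedelta(days=12)),
    sample_certificate("old.example.test", "Example Issuing CA", 0x1003,
                       NOW - timedelta(days=800), NOW - timedelta(days=40)),
]

if __name__ == "__main__":
    for r in inventory(SAMPLE_CERTS, NOW):
        print(f'{r["status"]:8}{r["days_left"]:5d}d  {r["subject"]:18} {r["issuer"]}  serial={r["serial"]:#x}')
```

Run as a script it prints the three constructed rows, soonest expiry first; pointed at real certificate files (read as bytes) it produces the same report, which is the minimum that should replace the spreadsheet. It is deliberately a tracker, not a discovery tool: it only reports on certificates you hand it, which is the gap the discovery features of the products above are meant to close.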
It's too early to evaluate CIC, especially as compared to the competition, but one thing's for sure: It sure beats a post-it note on the side of your monitor. The DigiNotar scandal shows that enterprises need to be able to move quickly with their certificates if there is a failure in trust of the CA. If you don't use an organized management system for your encryption assets then you're leaving yourself potentially helpless against severe attack.
Larry Seltzer is a freelance writer and consultant, dealing mostly with security matters. He has written recently for Infoworld, eWEEK, Dr. Dobb's Journal, and is a Contributing Editor at PC Magazine and author of their Security Watch blog. He has also written for Symantec Authentication (formerly VeriSign) and Lumension's Intelligent Whitelisting site.