A simple guide to Digital Certificates
Norman Newell - Securing Ireland's Enterprise
Delivering secure services over the Internet relies on TLS (Transport Layer Security) and the digital certificates it uses. TLS has replaced SSL (Secure Sockets Layer) as the protocol of choice for securing connections. Whenever you see the term SSL, note that it is TLS 1.3, or later, that should actually be in use. The SSL acronym is embedded in most IT professionals' heads, and it will be a long time before TLS replaces it as the default term; you will often see the combined name SSL/TLS as well. In any event, it is TLS certificates that should be implemented to provide the foundation for security and trust.
The Certificate Chain
TLS security is based on a chain of trust. The chain starts at the digital certificate deployed on an end node for a particular domain name, such as entrust.com, links through one or more intermediate digital certificates, and ends at a root certificate that is controlled and secured by a Root Authority. The screenshot below shows the three levels of digital certificates in the chain of trust when browsing to the Entrust website over HTTPS:
The three levels of trust in this certificate chain are:
- Root Certificate - this is the certificate shown with a yellow icon in the picture above and named Entrust Root Certification Authority - G2. It is the originating root certificate, signed by Entrust, that comes preloaded with web browser installations and is stored in the local trusted store. The credentials and security information in this Root Certificate are maintained, guarded and protected from change by Entrust.
- Intermediate Certificate - this is the middle certificate shown in the picture above and named Entrust Certificate Authority - L1M. Intermediate certificates are required to support all the major browsers in use. They take their authority and trust from the Root Certificate and act as a security and trust conduit between the protected Root Certificate and the Server Certificates that are associated with specific domain names. Intermediate Certificates are installed on servers such as web servers, alongside the Server Certificate, so that they complete the chain of trust from end-users accessing a specific website back to the trusted Root Certificate. In the picture above there is only one intermediate, but other deployments may have more.
- Server Certificate - this is the certificate that matches the specific domain name of the server being used; in the picture above, this is the entrust.com domain. It is installed on the web server, cluster of servers, or load balancers that deliver the website.
Entrust Digital Certificates
Not all digital certificates are created equal. Some provide greater levels of trust because the issuer has to perform more extensive checks on the organisation requesting them. Entrust are a global leader in the provision and management of digital certificates, including high trust Extended Validation (EV) certificates. Before an EV certificate can be issued, several additional checks are needed. These are:
- Confirm the legal identity of the website owner.
- Confirm the address provided exists and is operational.
- Ensure the applicant owns the domain name in question or has the legal right to control the domain.
- Confirm the identity of any individuals acting as agents of the website.
- Ensure that an authorised officer of the organisation signs documents confirming identity.
- Inspect and verify all fully qualified domain names to be secured with the EV certificate (wildcards are not allowed, to prevent additional subdomains being added after issuance).
Entrust can also provide different tiers of TLS/SSL digital certificates depending on the requirements. Like in most areas, a one size fits all approach is often counterproductive. Other types of digital certificate that Entrust can supply are:
- Standard Organisation Validated (OV) certificates
- Advanced OV certificates
- Wildcard OV certificates
- Subject Alternative Name (SAN) Multi-Domain certificates
- Extended Validation (EV) Multi-Domain certificates (as discussed above)
- Private certificates for bespoke internal use and to protect against brand impersonation attacks
Entrust are also a Qualified Trust Service Provider (QTSP) recognised under eIDAS, the EU regulation that governs electronic identification and trust services within the EU Single Market. Qualified certificates, with the security features required to fulfil the requirements set out under PSD2 and eIDAS, build on the core security of TLS certificates.
The certificate type used will depend on the application it is securing. For the majority of enterprise deployments on the public Internet, an EV certificate would be the recommended solution, with Qualified certificates deployed where PSD2 or eIDAS regulations apply.
Entrust Certificate Services
In addition to providing the full range of certificate options, Entrust also offer services to streamline the management of digital certificates. The offerings include web-based certificate management portals, as well as service offerings that deliver detailed technical support from Entrust experts:
- Entrust Certificate Services - a web-based certificate lifecycle management platform that helps you manage all of your digital certificates, from Entrust and from other certification authorities. It provides access to a host of tools for generating detailed reports that help improve uptime, avoid security lapses, and preserve brand reputation. It also provides web-based access to technical insights, status updates, and website scanning for end-to-end lifecycle management of all of your digital certificates. Silver Service support is included with Entrust Certificate Services; this provides technical support within office hours for all certificate-related issues.
- Entrust Platinum Support - builds on the Silver Service offering to deliver 24/7, 365 days per year access to Entrust support teams, with expedited responses and reduced SLA times. It also includes automated TLS/SSL server certificate testing to ensure that any potential issues are highlighted.
- TLS Subscription Plan - reuse certificates easily. Decommissioned licences for certificates that are still valid can be used on a short-term basis for DevOps testing or load balancing. Deploy and redeploy without spending money on new certificates to secure domains, even on a short-term basis. The subscription plan saves costs over time and makes short-term management of certificates easy.
Conclusion
TLS certificates are an essential part of the modern Internet-based infrastructure stack. It is vital that the certificates in use protect the chain of trust from the server certificates, through any intermediate certificates, and then to the Root Certificate. Entrust certificates do this and are available in whatever configuration suits your needs.
Entrust will be in virtual attendance at the upcoming Renaissance Cyber Expo & Conference on the 24th of November and will feature in the I Am Who I Say I Am stream. This stream will be led by industry expert and founder of the VMGroup Vivienne Mee, who will be bringing her cybersecurity expertise alongside industry experts from Entrust and nCipher. They will be discussing all things related to ensuring that the digital identities being used to access IT systems are who they say they are. Register for the I Am Who I Say I Am stream here.
If you have any questions before then contact Renaissance to start a conversation about how implementing or switching to Entrust digital certificates can improve your security and deliver a better application experience for end-users.