Certificate Management 201

How to manage certificates and automate certificate fulfillment with a single platform 

How to install Certificate Inventory & Management

Before digging into this article, I also highly recommend going through the ServiceNow (SN) documentation, which covers this topic well.


Achieve service operations excellence with ITOM Visibility 


Certificate Inventory and Management is part of the ITOM Visibility product line, so you must have ITOM Visibility installed before you can install the Certificate Inventory and Management module.

Certificate Management Workspace


The Certificate Management Workspace offers a good overview of the organization's certificates. You can see and track the unique certificates, upcoming certificate expirations, certificates by fingerprint algorithm, etc.

Certificate Management Dashboard

Alternatively, the certificate management dashboard comes in handy for those responsible for managing and renewing certificates. It gives you all the information needed to track the organization's certificates as effectively as possible.

Open Certificate Tasks


In this example there are 31 renewal tasks for expired certificates, 1 priority task, 36 open renewal tasks and 0 open new-request tasks. Below that is a graph of upcoming expirations, broken down into critical and moderate.

Certificate Inventory 


In this example there are 236 unique certificates, 236 certificates with renewal tracking, 2 priority-1 certificates and 75 certificates discovered in the last 30 days. You can also see who the root issuers are.

Certificate Task (Automation Flow)


Here you can see how many open automated requests you have. With automation in place this should be 0, because certificate requests are processed automatically.

Setting up certificate discovery and running discoveries

Port-based 

Discovery Port Probes 

Setting up the certificate management tool starts with activating a port probe so that Discovery begins finding your certificates. The method for port-based discovery:


Table: discovery_port_probe

Once the Certificate Management app is installed, you can activate the tls_ssl_certs port probe by checking Active:


This enables the system to start discovering TLS/SSL certificates.

Here you select which IP services or ports should be probed:


The common/standard ones are selected out of the box (OOTB); you can add more if needed. Any certificate served on those ports will be picked up by the discovery scan. Note that a port must be in this list for its TLS/SSL certificate to be discovered; services listening on ports you have not added are not checked.

Discovery Schedule 

Next, you need to set up a Discovery Schedule: 


Table: discovery_schedule

Discovery Schedules grouped by Discovery: 


There are many types of discovery schedules: for Certificates, CIs, Cloud Resources, etc.

For example, a CI discovery schedule scans one or more subnets (depending on the IP range) for the devices in them.

With the port probe turned on (see above), the discovery schedule will also look for certificates, so no additional configuration is needed to discover certificates via a discovery schedule.

Example of a CI discovery schedule: 


In the Discovery Status log for the schedule you can see the certificate information that was captured:


So, install the certificate management app in your instance, turn on the port probe and start discovering certificates in your production environment (PROD). The value becomes apparent quickly.

This is a straightforward example for setting up the port-based discovery. 

CA-based

Discovery CA Credentials 

For CA discovery, you need to create credentials to connect to the CA stores/providers. 

Connections & Credentials > Credentials  


The credential type should be Certificate Management Credentials.

Example of a CA credential: 


Discovery Schedule 

Example of a discovery schedule for CA-based certificates: 


This schedule discovers certificates using the CA Trust Discovery type (the Certificate Discovery Type field).

Serverless Execution Patterns


ServiceNow uses patterns to discover things in your environment. A pattern is a set of instructions for querying a target for additional information about its configuration. In this case the DigiCert pattern is used to gather certificate information from the CA.

Depending on which CA you use, import the corresponding serverless execution pattern:


Within the DigiCert pattern configuration you can specify the credential alias to be used:


Note: the MID Server needs to reach the following endpoints, depending on which CA you use:
  • Entrust, discover certificates: https://api.entrust.net/enterprise/
  • Entrust, download root certificate: https://web.entrust.com/root-certificates
  • DigiCert: https://www.digicert.com/services/
  • Sectigo: https://cert-manager.com/api/ssl/
  • GoDaddy: https://api.godaddy.com/

Result of CA discovery:


CA-based vs port-based discovery 

CA discovery pulls in every certificate issued by your CA, so that you can track lifecycle information for all of them. However, CA discovery does not tell you where a certificate is installed. That is why you also want to run port-based discovery, which shows where each certificate is actually served; this matters because some certificates are installed across multiple systems.

URL-based 

Discovery Certificate URLs 

For URL-based discovery, create a record in the certificate source URL table:


Table: sn_disco_certmgmt_cert_url

To create a new certificate URL record, enter the URL of the website:


This enables ServiceNow to discover the certificate of that website.

Discovery Schedules 

Next, you need to create a discovery schedule to scan the website: 


Note: URL-based discovery does not require credentials. You can discover any public or internal website, as long as the MID Server can reach it.

In the Certificate URL tab, you can add the URLs which you want to include in the scan: 


You can also create multiple discovery schedules to discover different URLs at various times. 

Once the discovery schedule is ready, click on Discovery run to run the scan. 

Result of a URL certificate discovery: 


This means that the certificate of every website listed in the Certificate URL tab (see above) is discovered.
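At the protocol level, the port-based and URL-based discoveries described above do the same thing: open a TLS connection to a host and port, capture the certificate the server presents, and record its fingerprint, subject, issuer and expiry. The following shell script is an added example, not part of the ServiceNow app or of this article, that reproduces that capture by hand with the openssl command-line tool, so you can spot-check what the instance reports for a given endpoint. The 30- and 90-day thresholds used for "critical" and "moderate" are assumptions; the page does not state the dashboard's own thresholds. The host in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not ServiceNow code: manual equivalent of a port-based or
# URL-based certificate discovery, using only the openssl CLI.

# fetch_cert HOST PORT [SNI_NAME]
# Opens a TLS connection (as the tls_ssl_certs port probe does) and prints the
# leaf certificate the server presents, in PEM. SNI defaults to HOST, which
# matters when one IP/port serves several certificates for different names.
fetch_cert() {
  openssl s_client -connect "$1:$2" -servername "${3:-$1}" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM
}

# cert_fingerprint PEM_FILE -> SHA-256 fingerprint as colon-separated hex;
# compare this against the fingerprint the instance shows for the certificate.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# cert_subject / cert_issuer PEM_FILE -> DN strings without the "subject="
# or "issuer=" prefix that openssl prints.
cert_subject() { openssl x509 -in "$1" -noout -subject | sed 's/^[^=]*= *//'; }
cert_issuer()  { openssl x509 -in "$1" -noout -issuer  | sed 's/^[^=]*= *//'; }

# cert_expiry_class PEM_FILE -> expired | critical | moderate | ok
# `openssl x509 -checkend N` exits non-zero when the certificate expires within
# N seconds. The 30-day and 90-day thresholds are assumptions for this example.
cert_expiry_class() {
  if   ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then echo expired
  elif ! openssl x509 -in "$1" -noout -checkend $((30*86400)) >/dev/null 2>&1; then echo critical
  elif ! openssl x509 -in "$1" -noout -checkend $((90*86400)) >/dev/null 2>&1; then echo moderate
  else echo ok
  fi
}

# cert_report PEM_FILE -> the fields a certificate inventory record tracks
cert_report() {
  echo "subject:      $(cert_subject "$1")"
  echo "issuer:       $(cert_issuer "$1")"
  echo "sha256:       $(cert_fingerprint "$1")"
  echo "not after:    $(openssl x509 -in "$1" -noout -enddate | sed 's/^[^=]*=//')"
  echo "expiry class: $(cert_expiry_class "$1")"
}

# Usage against a live endpoint (needs network; the host is a placeholder):
#   fetch_cert www.example.com 443 > /tmp/leaf.pem && cert_report /tmp/leaf.pem
```

If the fingerprint printed here does not match what the instance shows for the same host and port, the MID Server is most likely reaching a different endpoint (a load balancer, a different SNI name, or a port not in the probe's list) than you are.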