Quick onboarding and transition

After a short discovery and analysis phase, we take responsibility for end-to-end certificate life cycle management, and as a customer you can quickly free your resources for other important tasks.

Onboarding process

Discovery

We have the tools, methodology and knowledge to rapidly discover and document 95-100% of keys/certificates. Discovery starts by scanning public interfaces. Based on the initial findings, the tools suggest locations that need deeper internal scanning, e.g. OS key stores, applications, configuration files, middleware, appliances and other infrastructure components.

Analysis

Using automated tools combined with professional services, we quickly analyze certificate usage, installation locations, application configuration options and dependencies on partners, as well as public key, security and policy issues.

Ongoing certificate life cycle management

Once a certificate is under management, we handle the entire life cycle from acquisition to installation. After successful installation, we continuously monitor its health and remediate if needed.

Certificate life cycle process

Acquire

Regardless of the source of the renewed key, Managed Keys documents, securely automates and tracks the entire process end-to-end. When a key is due for renewal, the system automatically acquires the new key in one of five ways: via external order, internal order, internal generator, secure upload or external dependency:

  • Generate a request, order/procure from the external CA (such as GeoTrust, Symantec, Comodo, Rapid SSL etc.) that best meets policy and pricing requirements, and track the order approval workflow. The external cost of the certificate is charged to the quarterly bill.
  • Generate a request according to requirements and policies, submit it to an internal CA (such as AD CS) that issues internal certificates, and track the order approval workflow. These keys have no acquisition cost.
  • Generate a self-signed certificate or generate a PGP/SSH key. These keys have no acquisition cost.
  • Request partner or customer to securely upload the certificate via a double-encrypted upload on the portal that requires two-factor authentication.
  • Automatically retrieve the new certificate from a documented system dependency or from public sources that the system monitors.

Distribute

Once a certificate is available (generated, received from a partner, purchased from an external CA, retrieved from an internal CA or retrieved from a system dependency), Managed Keys securely and automatically distributes it to the installation locations well ahead of the time it should be activated. An example of internal distribution is distributing to multiple servers in a farm and to an SSL appliance in front of the farm. An example of external distribution is automatically distributing a public key to all relevant customers, partners and other service consumers.

Install

At the installation location a small "agent" is installed that automatically manages all technical details of the key store. The installation agent is available for Windows, Linux and network appliances, and it has specific knowledge of the underlying key store and application configuration. So instead of just throwing the new certificate into the key store, it knows exactly what key format/name is required, how to configure/notify the application(s) that use the certificate, what key permissions to set, etc. This ensures that the application, whether it is a simple web site or a complex B2B integration with asynchronous messaging, continues to operate without any downtime or service disruption.

Monitor

After a certificate has been successfully installed, other changes in the system may cause it to stop working: for example revocation, changes to permissions, changes to configuration files and accidental deletion. Therefore, the system automatically and continuously monitors certificate health and reports any deviations and abnormalities via the dashboards.

Remediate

If required, the system can automatically repair or re-install a key from the archive when the monitors detect issues.
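The health checks described under Monitor, as an added illustration (not Managed Keys code): a stand-alone Python check over an installation location that flags the deviation causes named above (deleted file, widened permissions, drifted content versus the archived copy, revocation, approaching expiry). The inventory record format, the `cert_health` function and the constructed CRL set are assumptions; `not_after` is carried in the inventory rather than parsed from the certificate so no X.509 library is needed.

```python
import hashlib
import os
import stat
import tempfile
from datetime import datetime, timedelta, timezone


def cert_health(location, revoked_serials, now, warn_days=30):
    """Return a list of deviation strings for one managed installation location.

    location is a hypothetical inventory record: path, sha256 of the archived
    PEM, certificate serial and not_after (timezone-aware datetime).
    """
    findings = []
    path = location["path"]
    if not os.path.exists(path):
        return ["missing: certificate file deleted"]
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # group/other bits set: readable beyond the owning service
        findings.append(f"permissions: mode {oct(mode)} wider than 0o600")
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    if digest != location["sha256"]:  # drift from the archived copy
        findings.append("content: installed file differs from archived copy")
    if location["serial"] in revoked_serials:  # constructed CRL stand-in
        findings.append("revoked: serial appears in CRL")
    remaining = location["not_after"] - now
    if remaining <= timedelta(0):
        findings.append("expired")
    elif remaining < timedelta(days=warn_days):
        findings.append(f"expiring: {remaining.days} days left")
    return findings


def run_demo():
    """Constructed scenario: a healthy web server, a drifted one, a deleted file."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    pem = b"-----BEGIN CERTIFICATE-----\nCONSTRUCTED-SAMPLE\n-----END CERTIFICATE-----\n"
    archived = hashlib.sha256(pem).hexdigest()
    tmp = tempfile.mkdtemp()
    results = {}
    for name, mode, not_after in [("web01", 0o600, now + timedelta(days=200)),
                                  ("web02", 0o644, now + timedelta(days=10))]:
        path = os.path.join(tmp, f"{name}.pem")
        with open(path, "wb") as f:
            f.write(pem)
        os.chmod(path, mode)  # web02 deliberately gets permissions that are too wide
        loc = {"path": path, "sha256": archived, "serial": "0x01", "not_after": not_after}
        results[name] = cert_health(loc, revoked_serials=set(), now=now)
    # lb01 was never written, modelling accidental deletion on the appliance
    results["lb01"] = cert_health({"path": os.path.join(tmp, "lb01.pem"), "sha256": archived,
                                   "serial": "0x01", "not_after": now}, set(), now)
    return results
```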

Our staff have many years of experience with designing and operating secure infrastructure platforms, custom applications and services. So, when problems occur, we can provide solutions instead of just pointing to the vendors of the application/platform that uses the keys.