If you’re in the process of migrating from SHA-1 to SHA-2 certificates, you may be realizing what a massive undertaking it is to discover and replace all the certificates your organization uses and relies upon.
To state the obvious, you can’t manage certificates if you don’t know that they exist, where they’re deployed and when they expire. You must create a comprehensive certificate inventory before a replacement process can be implemented.
Many organizations don’t realize how many certificates they have deployed and often find significantly more certificates than expected when they conduct an inventory. This gap is usually caused by a lack of centralization: multiple business lines and functions (e.g., development, operations or network administration) and individuals issue certificates from multiple internal and external certification authorities (CAs), and no single group accounts for all of them.
To migrate from SHA-1 to SHA-2 effectively, an organization will need to identify all SSL certificates, whether they are SHA-1- or SHA-2-based, and when they expire. Unfortunately, manually collecting this sort of detailed information, especially via spreadsheets or other static tools, is likely to be boring, time-consuming and error-prone.
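As an added illustration (not code from the original post or from the migration guide it references), the script below pulls exactly those two inventory facts out of a DER-encoded certificate: the signature algorithm OID, mapped to its SHA-1 or SHA-2 family, and the notAfter date. The certificates it inspects are constructed stand-ins built by `sample_certificate`, which carry only the TBSCertificate fields the inspector reads and are not real signed certificates; a real inventory would feed it the DER blob from `ssl.SSLSocket.getpeercert(binary_form=True)` or from certificate files found on each host.

```python
import datetime as dt
# DER contents of common signatureAlgorithm OIDs -> (name, hash family); dotted form in comments
SIG_ALGS = {
    bytes.fromhex("2a864886f70d010105"): ("sha1WithRSAEncryption", "SHA-1"),   # 1.2.840.113549.1.1.5
    bytes.fromhex("2a864886f70d01010b"): ("sha256WithRSAEncryption", "SHA-2"), # 1.2.840.113549.1.1.11
    bytes.fromhex("2a8648ce3d0401"): ("ecdsa-with-SHA1", "SHA-1"),             # 1.2.840.10045.4.1
    bytes.fromhex("2a8648ce3d040302"): ("ecdsa-with-SHA256", "SHA-2"),         # 1.2.840.10045.4.3.2
}

def _tlv(buf, pos=0):
    """Decode one DER TLV at pos -> (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length: next n bytes hold it
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _time(tag, raw):
    # UTCTime (tag 0x17, YYMMDDHHMMSSZ) or GeneralizedTime (tag 0x18, YYYYMMDDHHMMSSZ)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return dt.datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=dt.timezone.utc)

def inspect_certificate(der, now=None):
    """Inventory record for one DER certificate: signature algorithm, hash family, expiry."""
    _, cert, _ = _tlv(der)                  # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, sig }
    _, tbs, _ = _tlv(cert)                  # TBSCertificate ::= SEQUENCE { ... }
    tag, _, pos = _tlv(tbs)                 # [0] EXPLICIT version is OPTIONAL (absent in v1 certs)
    pos = pos if tag == 0xA0 else 0
    _, _, pos = _tlv(tbs, pos)              # serialNumber
    _, sig, pos = _tlv(tbs, pos)            # signature AlgorithmIdentifier
    _, _, pos = _tlv(tbs, pos)              # issuer Name
    _, validity, _ = _tlv(tbs, pos)         # Validity ::= SEQUENCE { notBefore, notAfter }
    _, oid, _ = _tlv(sig)                   # AlgorithmIdentifier.algorithm OBJECT IDENTIFIER
    _, _, p = _tlv(validity)                # skip notBefore
    tag, raw, _ = _tlv(validity, p)         # notAfter
    name, family = SIG_ALGS.get(oid, ("unknown OID " + oid.hex(), "unknown"))
    not_after = _time(tag, raw)
    now = now or dt.datetime.now(dt.timezone.utc)
    return {"algorithm": name, "family": family, "not_after": not_after, "expired": not_after < now}

def _der(tag, body):                        # tiny DER encoder (short-form lengths) for the samples
    return bytes([tag, len(body)]) + body

def sample_certificate(sig_oid_hex, not_after):
    """Constructed stand-in carrying only the TBS fields read above; not a real, signed certificate."""
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")          # v3, serial 1
           + _der(0x30, _der(0x06, bytes.fromhex(sig_oid_hex)))            # AlgorithmIdentifier
           + _der(0x30, b"")                                                # empty issuer Name
           + _der(0x30, _der(0x17, b"150101000000Z") + _der(0x17, not_after)))
    return _der(0x30, _der(0x30, tbs))
```

Grouping the records by `family` and `expired` gives the replacement backlog directly: SHA-1 certificates that are still valid are the ones that must be reissued before they are rejected, not merely left to expire.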
The worst part of this tedious process? Your organization has individuals or departments that may have deployed certificates for department-specific applications without going through your IT organization.
For an in-depth breakdown of how to develop a successful transition to SHA-2, download “A Migration Guide to SHA-2 SSL Certificates: Avoiding pitfalls, meeting critical deadlines and eliminating service disruptions during SHA-1 certificate deprecation.”
To successfully migrate from SHA-1 to SHA-2 SSL certificates, organizations will need to discover, replace and monitor the use of certificates. Fortunately, there are advanced monitoring tools that help discover old certificates and prevent new ones from being deployed with SHA-1.
These tools let an administrator monitor the types of certificates being issued, so that SHA-1 or SHA-2 certificates are deployed only where each is actually required.
A discovery system will allow organizations to monitor the deployment of rogue certificates and take quick action on non-compliant certificates. If you are not procuring and managing certificates via a central system, consider a management service to gain control of your complete certificate environment.
It’s also worth noting that even if you’re using an automated management tool, many current certificate management systems may not recognize that the same certificate has been deployed on multiple servers, so a single inventory entry can hide several installations that all need to be replaced.
The points above highlight how certificate management plays a significant role in migration planning and execution. However, technology on its own won’t ensure a successful migration unless other critical elements are taken into account.