Automation, Automation, Automation. That is the key to secure Transport Layer Security (TLS) connections, such as those to an e-commerce website. One of the top reasons TLS connections fail is an expired certificate. Automating the renewal and deployment of certificates is a best practice to avoid disrupting your application. Oracle Cloud Infrastructure Certificates (OCI Certificates) is a new cloud X.509 certificate service designed to help solve the problem of certificate management for TLS connections. OCI Certificates enables you to create private Certificate Authority (CA) hierarchies and TLS certificates. At the same time, it gives you the flexibility to create as many CA branches as you need, up to ten layers deep.
Automation enables you to reduce the validity period of your certificates. A best practice is to give certificates shorter validity periods, such as 90 days, and renew the certificate after 60 days. This not only gives you a 30-day buffer in case there is a problem but also reduces the window of exposure if your private key is ever compromised. If your private key is compromised, you must revoke the certificate, which adds the certificate to the Certificate Revocation List (CRL). When a client receives a certificate, it consults the CRL to see whether the certificate is still valid. However, CRLs have a number of disadvantages. The biggest issue is that if a client can't download the CRL, it will typically trust the certificate by default (a "soft fail"). In addition, CRLs are updated only periodically (e.g., every 5-14 days), leaving the attack surface open until the next update. Shortening the validity periods of your certificates won't solve the problem, but it does bound the duration of the exposure if you are ever compromised. Renewing certificates used to be a painful, expensive, manual process. Automation and free services such as OCI Certificates have changed that. Let's take a closer look.
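To make the 90-day validity / renew-after-60-days policy concrete, here is an added example (not from the post and not part of the OCI service) that issues a constructed self-signed 90-day test certificate with openssl and checks whether it has entered the 30-day renewal window; the subject `example.test` and the file names are constructed for the demo.

```shell
#!/bin/sh
# Added example: model the post's 90/60/30 renewal policy with openssl.
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Issue a constructed self-signed test certificate valid for $1 days
# and print the path of the PEM file.
issue_test_cert() {
    days=$1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=example.test" -days "$days" \
        -keyout "$WORKDIR/key.pem" -out "$WORKDIR/cert.pem" >/dev/null 2>&1
    echo "$WORKDIR/cert.pem"
}

# Return 0 (renew now) if the certificate expires within the buffer window,
# 1 otherwise. `openssl x509 -checkend N` exits 0 only if the certificate
# is still valid N seconds from now, so its failure is our renewal signal.
needs_renewal() {
    cert=$1
    buffer_days=$2
    if openssl x509 -noout -in "$cert" -checkend $((buffer_days * 86400)); then
        return 1    # still outside the renewal window
    fi
    return 0
}

# Usage: a fresh 90-day certificate with a 30-day buffer is not yet due,
# which is the state an automated renewal job would see on day 1.
CERT=$(issue_test_cert 90)
if needs_renewal "$CERT" 30; then
    echo "renew: certificate is inside the 30-day buffer"
else
    echo "ok: certificate is outside the renewal window"
fi
```

Run the check daily from cron or a pipeline; after day 60 the buffer check starts returning 0, which is the point at which a renewal should be triggered automatically rather than left to a person.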
To create a CA, OCI Certificates requires the use of a Hardware Security Module (HSM) key; you can use OCI Vault, which provides up to 20 HSM keys for free. Using HSM keys for your CAs is a best practice. If your CA private key is compromised, all the subordinate CAs and certificates need to be revoked and replaced, and as you can imagine, that process can be costly and tedious. OCI Certificates avoids this by keeping the private key in one location, the HSM, and tightly limiting access to it. Software keys can be copied and distributed anywhere; HSM keys never leave the module, so this is not an issue. The HSM helps ensure that your keys stay safe. Do not use the same HSM key for multiple CAs. Creating separate CAs is a strong isolation tactic: if one is compromised, the damage can be contained to that segment of your CA hierarchy. If you use the same key for multiple CAs, you lose this benefit.
CAs created in OCI Certificates can automatically manage the CRL for you. You create an OCI Object Storage bucket, and the list is created there automatically. Any time a certificate or CA is revoked, it is immediately added to the CRL.

Managing Your Certificates
There are three ways you can manage your certificates with the new OCI Certificates service. The first method, issued by internal CA, is the fully automated path. Your private CA creates the certificate and deploys it automatically to the integrated services, such as OCI Load Balancers. In this path, your certificates are monitored, renewed, and deployed automatically.

The second method, issued by internal CA, managed externally, is for when you have a policy that requires the private key to be kept on-premises. In this case, you create a Certificate Signing Request (CSR) and upload it to the certificate service so your CA can create the certificate.
Finally, use imported certificates if your certificates come from a particular vendor. Similar to the managed externally method above, once the certificate has been uploaded, it is deployed to the load balancer automatically and you are alerted when it's time to renew the certificate.
OCI Certificates keeps track of up to ten versions of your certificates. You can easily tell which certificate is in use by the stage column in the versions field. The active certificate is in the current stage. Older versions are in the previous stage. If you have just manually renewed the certificate but it has not yet been deployed to a resource automatically, the certificate is in the pending stage.

Another tool to help you keep track of which certificate is deployed on which OCI resource is associations. Associations show you which resources are using the certificate. In addition, as long as an association exists for the certificate, you cannot delete the certificate. This helps avoid human error while managing certificates.

An extensive API also exists to automate use cases beyond the console. You can automate the process for other, non-integrated services, or download the certificate to use on-premises. If you have a third-party management company, you can upload your certificates upon renewal and assign them to your resources. Whatever your use case, OCI Certificates gives you the flexibility to manage your CAs and certificates in the cloud.
OCI Certificates will also launch with three Cloud Guard detectors. If a CA is deleted or revoked, a notification appears in Cloud Guard. In addition, if a CA bundle is updated, a Cloud Guard notification triggers so that you can verify that the chain of trust is still correct for your cloud resources. More Cloud Guard detectors will be integrated with Certificates in the future.
Conclusion
OCI Certificates takes the long, and sometimes confusing, process of creating CAs and certificates and makes it simple. In just a few minutes, you can build your CA hierarchy, create certificates, and deploy them automatically to integrated resources such as the load balancer. With automatic renewals, you won't have to worry about outages due to expired certificates. Shorter validity periods also help reduce the exposure if a key is compromised. OCI Certificates is a free service that you can use today. Set up your TLS connections using OCI Certificates and leave the management tasks to us.
Learn more about OCI Certificates on our website and try out OCI Certificates in the OCI Free Tier.
Lastly, don't miss our announcement webcast for all the new Oracle security services: sign up for either the North America event on November 9th or the Europe and Middle East event on November 10th.